Overview

overview

5

Static

static

3

Xanax.exe

windows10-ltsc 2021-x64

5

Xanax.exe

windows11-21h2-x64

5

Analysis

  • max time kernel
    20s
  • max time network
    24s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    21-11-2024 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Xanax.exe

  • Size

    33.2MB

  • MD5

    9f7d92ebb896f41a861c0da6a1dcfa35

  • SHA1

    b7d53e7ca684eb77fe5e1c542ed7bc86b4469c03

  • SHA256

    301140e85d0887413ff368e5c9531194b9358b14cabe5b4b458dac2f012c026f

  • SHA512

    5f3d882fc585739ca03b7acdbbbace91076e483bd5775d28872a766fb2ed2ef7223a33f3487c3c8f93b305dba6a8aa2dd1d8d3be56e22e1782b10169f2b96b0f

  • SSDEEP

    786432:DpaO1UVRW/Qg97ujytT/GjkvDsQUj00EKDGCIyn8p7fs:DEO1nxyy5/gzQUNSFfs

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xanax.exe
    "C:\Users\Admin\AppData\Local\Temp\Xanax.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mode 58,28
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\system32\mode.com
        mode 58,28
        3⤵
          PID:3868
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c title Xanax - Hardware Virtualization
        2⤵
          PID:4852
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:536
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im KsDumperClient.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4324

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2424-0-0x0000000140000000-0x0000000141000000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2424-2-0x0000000140000000-0x0000000141000000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2424-1-0x0000000140000000-0x0000000141000000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2424-3-0x0000000140000000-0x0000000141000000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2424-5-0x00000000024B0000-0x00000000024B8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2424-4-0x0000000140000000-0x0000000141000000-memory.dmp

        Filesize

        16.0MB

        Download