Analysis
- max time kernel: 7s
- max time network: 11s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 21-11-2024 12:54
Static task
- static1: 1 signatures

Behavioral task
- behavioral1: Sample Xanax.exe; Resource win10ltsc2021-20241023-en; 5 signatures; 150 seconds

Behavioral task
- behavioral2: Sample Xanax.exe; Resource win11-20241007-en; 5 signatures; 150 seconds
General
- Target: Xanax.exe
- Size: 33.2MB
- MD5: 9f7d92ebb896f41a861c0da6a1dcfa35
- SHA1: b7d53e7ca684eb77fe5e1c542ed7bc86b4469c03
- SHA256: 301140e85d0887413ff368e5c9531194b9358b14cabe5b4b458dac2f012c026f
- SHA512: 5f3d882fc585739ca03b7acdbbbace91076e483bd5775d28872a766fb2ed2ef7223a33f3487c3c8f93b305dba6a8aa2dd1d8d3be56e22e1782b10169f2b96b0f
- SSDEEP: 786432:DpaO1UVRW/Qg97ujytT/GjkvDsQUj00EKDGCIyn8p7fs:DEO1nxyy5/gzQUNSFfs

Score
- 5/10
Malware Config
Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid   Process
  3288  Xanax.exe
  3288  Xanax.exe
  3288  Xanax.exe

- Kills process with taskkill (4 IoCs)
  pid   Process
  1588  taskkill.exe
  5056  taskkill.exe
  2964  taskkill.exe
  2540  taskkill.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3288  Xanax.exe  (the same entry is repeated for all 64 IoCs)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     5056  taskkill.exe
  Token: SeDebugPrivilege     2964  taskkill.exe
  Token: SeDebugPrivilege     2540  taskkill.exe
  Token: SeDebugPrivilege     1588  taskkill.exe

- Suspicious use of WriteProcessMemory (22 IoCs; each write below is reported twice)
  description                        pid   Process     procid_target
  PID 3288 wrote to memory of 3396   3288  Xanax.exe   78
  PID 3396 wrote to memory of 4220   3396  cmd.exe     79
  PID 3288 wrote to memory of 3400   3288  Xanax.exe   80
  PID 3288 wrote to memory of 4460   3288  Xanax.exe   81
  PID 4460 wrote to memory of 5056   4460  cmd.exe     82
  PID 3288 wrote to memory of 3024   3288  Xanax.exe   84
  PID 3024 wrote to memory of 2964   3024  cmd.exe     85
  PID 3288 wrote to memory of 2212   3288  Xanax.exe   86
  PID 2212 wrote to memory of 2540   2212  cmd.exe     87
  PID 3288 wrote to memory of 2364   3288  Xanax.exe   88
  PID 2364 wrote to memory of 1588   2364  cmd.exe     89
Processes
- C:\Users\Admin\AppData\Local\Temp\Xanax.exe (PID 3288), command line: "C:\Users\Admin\AppData\Local\Temp\Xanax.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 3396), command line: C:\Windows\system32\cmd.exe /c mode 58,28
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (PID 4220), command line: mode 58,28
  - C:\Windows\system32\cmd.exe (PID 3400), command line: C:\Windows\system32\cmd.exe /c title Xanax - Hardware Virtualization
  - C:\Windows\system32\cmd.exe (PID 4460), command line: C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 5056), command line: taskkill /f /im KsDumperClient.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3024), command line: C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 2964), command line: taskkill /f /im KsDumper.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2212), command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 2540), command line: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2364), command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 1588), command line: taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken