Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    1798s
  • max time network
    1153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/11/2024, 22:30

General

  • Target

    Atlantisrat.exe

  • Size

    250KB

  • MD5

    6d6b39d2de6789a8c1ebb5b22401bc7b

  • SHA1

    6cec48b082e8839871edd8cebf7df6529a989d66

  • SHA256

    2f2764f4cf7f147d0e05ebc817329e4ee20f9abf41bf2d18a0422b6e74525382

  • SHA512

    a71802ed767b38ad785e5435fcd601f4a650ba6ba863ae1171ee16f3aa7bca4bdf6bcf2dece91557893eb777b76995de2a25f02327839f8d3ee363257c089fbb

  • SSDEEP

    1536:Pw+jjgnyH9XqcnW85SbTvWIFAZ+r/cttjNFH1MB53FvSvoKi8G:Pw+jqs91UbTvE+ri0NgvFi8G

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Atlantis

Attributes
  • delay

    1000

  • install_path

    appdata

  • port

    4444

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 2 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Xenorat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Atlantisrat.exe
    "C:\Users\Admin\AppData\Local\Temp\Atlantisrat.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Users\Admin\AppData\Roaming\XenoManager\Atlantisrat.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\Atlantisrat.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Atlantisrat.exe.log

    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Roaming\XenoManager\Atlantisrat.exe

    Filesize

    250KB

    MD5

    6d6b39d2de6789a8c1ebb5b22401bc7b

    SHA1

    6cec48b082e8839871edd8cebf7df6529a989d66

    SHA256

    2f2764f4cf7f147d0e05ebc817329e4ee20f9abf41bf2d18a0422b6e74525382

    SHA512

    a71802ed767b38ad785e5435fcd601f4a650ba6ba863ae1171ee16f3aa7bca4bdf6bcf2dece91557893eb777b76995de2a25f02327839f8d3ee363257c089fbb

  • memory/464-15-0x0000000074620000-0x0000000074DD0000-memory.dmp

    Filesize

    7.7MB

  • memory/464-16-0x0000000074620000-0x0000000074DD0000-memory.dmp

    Filesize

    7.7MB

  • memory/5008-0-0x000000007462E000-0x000000007462F000-memory.dmp

    Filesize

    4KB

  • memory/5008-1-0x0000000000040000-0x0000000000084000-memory.dmp

    Filesize

    272KB