Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 1798s
- max time network: 1153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/11/2024, 22:30
Behavioral task
- behavioral1
  - Sample: Atlantisrat.exe
  - Resource: win7-20240903-en
(Only the behavioral1 task details survive on the page; the YARA IoCs under Signatures are tagged behavioral2, i.e. the Windows 10 run described under Analysis.)
General
- Target: Atlantisrat.exe
- Size: 250KB
- MD5: 6d6b39d2de6789a8c1ebb5b22401bc7b
- SHA1: 6cec48b082e8839871edd8cebf7df6529a989d66
- SHA256: 2f2764f4cf7f147d0e05ebc817329e4ee20f9abf41bf2d18a0422b6e74525382
- SHA512: a71802ed767b38ad785e5435fcd601f4a650ba6ba863ae1171ee16f3aa7bca4bdf6bcf2dece91557893eb777b76995de2a25f02327839f8d3ee363257c089fbb
- SSDEEP: 1536:Pw+jjgnyH9XqcnW85SbTvWIFAZ+r/cttjNFH1MB53FvSvoKi8G:Pw+jqs91UbTvE+ri0NgvFi8G
Malware Config
Extracted
- family: xenorat
- 127.0.0.1 (unlabelled in the report; a loopback address, so a build with this setting talks only to itself and produces no outbound C2 traffic, which matches the Network section below listing nothing)
- Atlantis
- delay: 1000
- install_path: appdata
- port: 4444
- startup_name: nothingset
Signatures
- Detect XenoRat Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/5008-1-0x0000000000040000-0x0000000000084000-memory.dmp | family_xenorat
  behavioral2/files/0x0007000000023cbd-6.dat | family_xenorat
- Xenorat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | Atlantisrat.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  464 | Atlantisrat.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Per the process tree below, one open comes from the original process (PID 5008) and one from the dropped copy (PID 464).
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Atlantisrat.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Atlantisrat.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 5008 wrote to memory of 464 | 5008 | Atlantisrat.exe | 84
  PID 5008 wrote to memory of 464 | 5008 | Atlantisrat.exe | 84
  PID 5008 wrote to memory of 464 | 5008 | Atlantisrat.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\Atlantisrat.exe
  "C:\Users\Admin\AppData\Local\Temp\Atlantisrat.exe"
  PID: 5008
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\XenoManager\Atlantisrat.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\Atlantisrat.exe"
    PID: 464
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
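The chain recorded above (a copy dropped to AppData\Roaming\XenoManager, that copy executed, the parent writing into the child's memory, and Geo\Nation / NLS\Language reads by both processes) is what a host-side rule would key on. The Python below is an added example, not part of the tria.ge report or of any XenoRat tooling. It replays constructed telemetry that mirrors this run (the event field names are an assumed schema for the example, not Sysmon's or any vendor's) through those signatures, gates the registry reads on the reading process already being in the chain so that routine locale lookups by unrelated processes do not fire, and convicts on either the sample hash or the behavioural chain alone.

```python
import re
from collections import defaultdict

# Indicators lifted from the report above.
SAMPLE_SHA256 = "2f2764f4cf7f147d0e05ebc817329e4ee20f9abf41bf2d18a0422b6e74525382"
INSTALL_PATH_RE = re.compile(r"\\AppData\\Roaming\\XenoManager\\[^\\]+\.exe$", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
NLS_KEY_RE = re.compile(r"\\Control\\NLS\\Language$", re.I)

# Constructed telemetry mirroring the sandbox run. The field names are an
# assumed schema for this example, not a real product's. The final record is
# benign noise (an unrelated process reading the NLS key) and must not fire.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\Atlantisrat.exe"
DROP_EXE = r"C:\Users\Admin\AppData\Roaming\XenoManager\Atlantisrat.exe"
EVENTS = [
    {"event": "process_create", "pid": 5008, "ppid": 4100, "image": TEMP_EXE, "sha256": SAMPLE_SHA256},
    {"event": "registry_query", "pid": 5008, "key": r"\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation"},
    {"event": "registry_open", "pid": 5008, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"event": "file_create", "pid": 5008, "path": DROP_EXE, "sha256": SAMPLE_SHA256},
    {"event": "process_create", "pid": 464, "ppid": 5008, "image": DROP_EXE, "sha256": SAMPLE_SHA256},
    {"event": "process_access", "pid": 5008, "target_pid": 464, "access": "WriteProcessMemory"},
    {"event": "registry_open", "pid": 464, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"event": "registry_open", "pid": 4100, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def evaluate(events):
    """Return {signature_name: [evidence, ...]} for a list of event dicts."""
    hits = defaultdict(list)
    hash_of_pid = {}   # pid -> sha256 of the image it was started from
    dropped = {}       # lowercased drop path -> pid that wrote it
    flagged = set()    # pids tied to the drop-and-execute chain or the known hash
    registry = []      # deferred: judged only once we know which pids are flagged

    for e in events:
        kind, pid = e["event"], e["pid"]
        if kind == "process_create":
            hash_of_pid[pid] = e.get("sha256")
            if e.get("sha256") == SAMPLE_SHA256:
                hits["known_xenorat_sample"].append(f"pid {pid}: {e['image']}")
                flagged.add(pid)
            writer = dropped.get(e["image"].lower())
            if writer is not None and INSTALL_PATH_RE.search(e["image"]):
                hits["executes_dropped_exe"].append(f"pid {pid} started from file written by pid {writer}")
                flagged.update({pid, e["ppid"]})
        elif kind == "file_create" and INSTALL_PATH_RE.search(e["path"]):
            dropped[e["path"].lower()] = pid
            # Self-copy: the dropped file hashes identically to the writer's own image.
            if e.get("sha256") and e["sha256"] == hash_of_pid.get(pid):
                hits["drops_self_copy_to_xenomanager"].append(f"pid {pid} -> {e['path']}")
                flagged.add(pid)
        elif kind == "process_access" and e.get("access") == "WriteProcessMemory":
            if e["target_pid"] in flagged:
                hits["writes_to_dropped_child"].append(f"pid {pid} -> pid {e['target_pid']}")
        elif kind in ("registry_query", "registry_open"):
            registry.append((pid, e["key"]))

    # Geo\Nation and NLS\Language reads are routine on their own; they only
    # count as location discovery when the reader is already in the chain.
    for pid, key in registry:
        if pid in flagged and (GEO_KEY_RE.search(key) or NLS_KEY_RE.search(key)):
            hits["system_location_discovery"].append(f"pid {pid}: {key}")
    return dict(hits)


def verdict(hits):
    """Convict on the family hash, or on the drop-and-execute chain alone."""
    if "known_xenorat_sample" in hits:
        return "xenorat (hash match)"
    if {"drops_self_copy_to_xenomanager", "executes_dropped_exe"}.issubset(hits):
        return "xenorat-like behaviour (no hash match)"
    return None


def rehash(events, digest):
    """Copy of the events with every sha256 replaced, to exercise the hash-free path."""
    return [dict(e, sha256=digest) if "sha256" in e else dict(e) for e in events]


if __name__ == "__main__":
    for name, evidence in evaluate(EVENTS).items():
        print(name, evidence)
    print("verdict:", verdict(evaluate(EVENTS)))
```

Running `evaluate(rehash(EVENTS, "00" * 32))` shows the point of the deferred registry pass: with an unknown hash the process is only flagged once the self-copy and its execution have been seen, yet the earlier Geo\Nation read by PID 5008 is still attributed to the chain, while the unrelated PID 4100 read never is.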
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 226B
  MD5: 916851e072fbabc4796d8916c5131092
  SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
- Filesize: 250KB
  MD5: 6d6b39d2de6789a8c1ebb5b22401bc7b
  SHA1: 6cec48b082e8839871edd8cebf7df6529a989d66
  SHA256: 2f2764f4cf7f147d0e05ebc817329e4ee20f9abf41bf2d18a0422b6e74525382
  SHA512: a71802ed767b38ad785e5435fcd601f4a650ba6ba863ae1171ee16f3aa7bca4bdf6bcf2dece91557893eb777b76995de2a25f02327839f8d3ee363257c089fbb
  (These hashes are identical to the submitted sample's under General, consistent with the copy run from AppData\Roaming\XenoManager being an unmodified self-copy; the sample hash alone therefore matches both the original and the persistent copy.)