Analysis
- max time kernel: 98s
- max time network: 210s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 30/11/2024, 03:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: test.exe
- Resource: win10v2004-20241007-en
General
- Target: test.exe
- Size: 163KB
- MD5: 4531671a39dfdd4a9711e64400f7f0fa
- SHA1: 55357cd9c957105f9b5af04f1a8e65101229ae4a
- SHA256: 76c45fabe4e4438e1d9d434e9cd104219fc7e855b90bafaf52b70c069a495b65
- SHA512: d35d54d6986dfbe22fcac76792853cacdc1c4b0eecba5cd7703c3b1f50005d42b8e36ccc6a8c5a4928d2c49413896e11779f4e23357b7229b0863511f5ab3f52
- SSDEEP: 3072:O6kZB/A8p+F3sh+3NB/fXdBcRDmGCKX+Ip4rI4gei6+SRaBwV0BfI6Ks2:hkZB/A8p+F2+3b/fXdKcLKXhG84geVoP
Malware Config
Extracted family: xenorat
- C2: 10.160.192.195
- delay: 5000
- install_path: appdata
- port: 13579
- startup_name: Windows CL
Signatures
- Detect XenoRat Payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x00240000000450f6-4.dat | family_xenorat
  behavioral2/memory/3436-8-0x00000000005D0000-0x00000000005E2000-memory.dmp | family_xenorat
- Xenorat family
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.exe | test.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  3436 | tempfile
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tempfile
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings | tempfile
  Key created | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings | OpenWith.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  5008 | OpenWith.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4184 wrote to memory of 3436 | 4184 | test.exe | 82
  PID 4184 wrote to memory of 3436 | 4184 | test.exe | 82
  PID 4184 wrote to memory of 3436 | 4184 | test.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\test.exe (PID 4184)
  Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\tempfile (PID 3436)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tempfile"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
- C:\Windows\system32\OpenWith.exe (PID 5008)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 45KB
- MD5: 2be6e608f41c752b6d4d00ee65d3a4dd
- SHA1: 19d4f38a8c86f29b1fdd43dfbd98c3ad3192ceff
- SHA256: 481de496a0d953c431a161f7929cabb72817c48d287951e85b76fb1e50529a60
- SHA512: b725d3f02658b2033f75e7dc364118c865ce6a48b07acba80e4be54083f09dad6d42d68fd186010b21ce92c3118f9150787d40900b5443f990c6caf6a1d9bd8d