Resubmissions

30/11/2024, 03:09

241130-dnx52syqcw 10

30/11/2024, 02:55

241130-derxnssrbq 10

Analysis

  • max time kernel
    98s
  • max time network
    210s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    30/11/2024, 03:09

General

  • Target

    test.exe

  • Size

    163KB

  • MD5

    4531671a39dfdd4a9711e64400f7f0fa

  • SHA1

    55357cd9c957105f9b5af04f1a8e65101229ae4a

  • SHA256

    76c45fabe4e4438e1d9d434e9cd104219fc7e855b90bafaf52b70c069a495b65

  • SHA512

    d35d54d6986dfbe22fcac76792853cacdc1c4b0eecba5cd7703c3b1f50005d42b8e36ccc6a8c5a4928d2c49413896e11779f4e23357b7229b0863511f5ab3f52

  • SSDEEP

    3072:O6kZB/A8p+F3sh+3NB/fXdBcRDmGCKX+Ip4rI4gei6+SRaBwV0BfI6Ks2:hkZB/A8p+F2+3b/fXdKcLKXhG84geVoP

Malware Config

Extracted

Family

xenorat

C2

10.160.192.195

Mutex

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    13579

  • startup_name

    Windows CL

Signatures

  • Detect XenoRat Payload 2 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Xenorat family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Users\Admin\AppData\Local\Temp\tempfile
      "C:\Users\Admin\AppData\Local\Temp\tempfile"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3436
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tempfile

    Filesize

    45KB

    MD5

    2be6e608f41c752b6d4d00ee65d3a4dd

    SHA1

    19d4f38a8c86f29b1fdd43dfbd98c3ad3192ceff

    SHA256

    481de496a0d953c431a161f7929cabb72817c48d287951e85b76fb1e50529a60

    SHA512

    b725d3f02658b2033f75e7dc364118c865ce6a48b07acba80e4be54083f09dad6d42d68fd186010b21ce92c3118f9150787d40900b5443f990c6caf6a1d9bd8d

  • memory/3436-7-0x00000000746AE000-0x00000000746AF000-memory.dmp

    Filesize

    4KB

  • memory/3436-8-0x00000000005D0000-0x00000000005E2000-memory.dmp

    Filesize

    72KB

  • memory/4184-0-0x00007FFCAB873000-0x00007FFCAB875000-memory.dmp

    Filesize

    8KB

  • memory/4184-1-0x0000000000550000-0x0000000000580000-memory.dmp

    Filesize

    192KB

  • memory/4184-6-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

    Filesize

    10.8MB

  • memory/4184-11-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

    Filesize

    10.8MB