Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30-11-2024 03:19
- Static task: static1
- Behavioral task: behavioral1
  - Sample: test.exe
  - Resource: win7-20240903-en
General
- Target: test.exe
- Size: 163KB
- MD5: 4531671a39dfdd4a9711e64400f7f0fa
- SHA1: 55357cd9c957105f9b5af04f1a8e65101229ae4a
- SHA256: 76c45fabe4e4438e1d9d434e9cd104219fc7e855b90bafaf52b70c069a495b65
- SHA512: d35d54d6986dfbe22fcac76792853cacdc1c4b0eecba5cd7703c3b1f50005d42b8e36ccc6a8c5a4928d2c49413896e11779f4e23357b7229b0863511f5ab3f52
- SSDEEP: 3072:O6kZB/A8p+F3sh+3NB/fXdBcRDmGCKX+Ip4rI4gei6+SRaBwV0BfI6Ks2:hkZB/A8p+F2+3b/fXdKcLKXhG84geVoP
Malware Config
Extracted
- Family: xenorat
- C2: 10.160.192.195
- delay: 5000
- install_path: appdata
- port: 13579
- startup_name: Windows CL
Signatures

Detect XenoRat Payload (2 IoCs)
- resource: behavioral1/files/0x000800000001650a-6.dat, yara_rule: family_xenorat
- resource: behavioral1/memory/2028-10-0x0000000000800000-0x0000000000812000-memory.dmp, yara_rule: family_xenorat

Xenorat family

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.exe (process: test.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.exe (process: test.exe)

Executes dropped EXE (1 IoCs)
- PID 2028: tempfile

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tempfile)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: AcroRd32.exe)
Modifies registry class (7 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings (process: rundll32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file (process: rundll32.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\ (process: rundll32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read (process: rundll32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell (process: rundll32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read\command (process: rundll32.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" (process: rundll32.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 2740: AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2740: AcroRd32.exe
- PID 2740: AcroRd32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 2160 (test.exe) wrote to memory of PID 2028, procid_target 32 (4 entries)
- PID 2028 (tempfile) wrote to memory of PID 2748, procid_target 33 (7 entries)
- PID 2748 (rundll32.exe) wrote to memory of PID 2740, procid_target 34 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\test.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
   PID: 2160
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tempfile (child of PID 2160)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tempfile"
      PID: 2028
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (child of PID 2028)
         Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\XenoManager\tempfile
         PID: 2748
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of PID 2748)
            Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\XenoManager\tempfile"
            PID: 2740
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 45KB
  MD5: 2be6e608f41c752b6d4d00ee65d3a4dd
  SHA1: 19d4f38a8c86f29b1fdd43dfbd98c3ad3192ceff
  SHA256: 481de496a0d953c431a161f7929cabb72817c48d287951e85b76fb1e50529a60
  SHA512: b725d3f02658b2033f75e7dc364118c865ce6a48b07acba80e4be54083f09dad6d42d68fd186010b21ce92c3118f9150787d40900b5443f990c6caf6a1d9bd8d
- Filesize: 3KB
  MD5: 8ce50473d0aaafb81d220ce2d6d0529a
  SHA1: 49adefb48da3f80fe92b4f1783720b8ae8453614
  SHA256: 21cdff0a47cfe7f7e9f0f23e90af0654cbd11c995933a69fff296f623ae30799
  SHA512: 76423eb6974a5f8a32bc448c4043b1689228276520ad05fc829b9a77c9fa1967abf3afbda6f30738dc7744d8f8a62621888134b5e69e538f33411f064d4e08bd