Analysis
- max time kernel: 141s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-12-2024 19:31
Behavioral task: behavioral1
- Sample: System32.exe
- Resource: win7-20240903-en
General
- Target: System32.exe
- Size: 45KB
- MD5: 896081ff179580794b2e56d763e60e5a
- SHA1: 97dca39b6a660e9e1285b401456576fdd0998710
- SHA256: acf6b4e5100ebd3921ea434dfb8e6fe93c3933390ec960a18670120d6732125b
- SHA512: 48809ea72174b61a8b6ee24c61a42257e60ac10980098c3fbad45cab00eb96065662bd57425f6dbd2f561f30ab88395f4cb568a7fdc62645824ed1de403a145e
- SSDEEP: 768:MdhO/poiiUcjlJIndfH9Xqk5nWEZ5SbTDatuI7CPW5S:Gw+jjgnVH9XqcnW85SbTwuIK
Malware Config
Extracted: xenorat
- 127.0.0.1
- System32
- delay: 5000
- install_path: temp
- port: 4444
- startup_name: System32
Signatures
- Detect XenoRat Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/436-1-0x0000000000A50000-0x0000000000A62000-memory.dmp | family_xenorat
  behavioral2/files/0x000c000000023b84-6.dat | family_xenorat
- Xenorat family
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | System32.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4968 | System32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | System32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | System32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3600 | schtasks.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 436 wrote to memory of 4968 | 436 | System32.exe | 82
  PID 436 wrote to memory of 4968 | 436 | System32.exe | 82
  PID 436 wrote to memory of 4968 | 436 | System32.exe | 82
  PID 4968 wrote to memory of 3600 | 4968 | System32.exe | 83
  PID 4968 wrote to memory of 3600 | 4968 | System32.exe | 83
  PID 4968 wrote to memory of 3600 | 4968 | System32.exe | 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\System32.exe (PID 436)
   Command line: "C:\Users\Admin\AppData\Local\Temp\System32.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\XenoManager\System32.exe (PID 4968, child of PID 436)
   Command line: "C:\Users\Admin\AppData\Local\Temp\XenoManager\System32.exe"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\schtasks.exe (PID 3600, child of PID 4968)
   Command line: "schtasks.exe" /Create /TN "System32" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7474.tmp" /F
   - System Location Discovery: System Language Discovery
   - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 226B
  MD5: 916851e072fbabc4796d8916c5131092
  SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
- Filesize: 45KB
  MD5: 896081ff179580794b2e56d763e60e5a
  SHA1: 97dca39b6a660e9e1285b401456576fdd0998710
  SHA256: acf6b4e5100ebd3921ea434dfb8e6fe93c3933390ec960a18670120d6732125b
  SHA512: 48809ea72174b61a8b6ee24c61a42257e60ac10980098c3fbad45cab00eb96065662bd57425f6dbd2f561f30ab88395f4cb568a7fdc62645824ed1de403a145e
- Filesize: 1KB
  MD5: b34fc460ef3471937aafe3b06e4f954c
  SHA1: ed9abcc6b0430edbbdf4cf2c43243ba1a17e7aa2
  SHA256: edacee32c3c4ba1c86b77b520a8f6d52e7aa004ff714c70bc2437877cde68c2b
  SHA512: e3a1d215fb9808e69d10eb7852bedbbf1390bc2b0296a8187ea5d8cb6d393321f8bfae86e0407849b728ca2626b44314ad9c6c62cbcb58b63e33a57372018afd