Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 14:36
Behavioral task
- behavioral1
- Sample: cres.exe
- Resource: win7-20241010-en
General
- Target: cres.exe
- Size: 45KB
- MD5: 1e7700efbf15f37dd3f86f05c622ae32
- SHA1: 651957f68d597141fc5325e62189330e05434e74
- SHA256: 15c2892194da8b7dd9ca72cdec0b3fb3eff422361f603ae2ae17e4be21154928
- SHA512: 72f1a14b3e20fdf8e9c362cf621b2d1ad04dca4dcaffa0dfd9b3c6e502ed8cd6834194ddeebda74e0d6d38db3ea2102e7ec0bcb6f858df281325e9842e19b11b
- SSDEEP: 768:pdhO/poiiUcjlJInMC2H9Xqk5nWEZ5SbTDaauI7CPW5H:nw+jjgnt2H9XqcnW85SbT3uIf
Malware Config
Extracted
- Family: xenorat
- C2: 90.202.105.39
- Mutex: Xeno_rat_nd8912d
- delay: 5000
- install_path: temp
- port: 4444
- startup_name: manager
Signatures
- Detect XenoRat Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1288-1-0x0000000000290000-0x00000000002A2000-memory.dmp | family_xenorat
  behavioral2/files/0x0007000000023ca2-6.dat | family_xenorat
- Xenorat family
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | cres.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  624 | cres.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2976 | schtasks.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1288 wrote to memory of 624 | 1288 | cres.exe | 83
  PID 1288 wrote to memory of 624 | 1288 | cres.exe | 83
  PID 1288 wrote to memory of 624 | 1288 | cres.exe | 83
  PID 624 wrote to memory of 2976 | 624 | cres.exe | 84
  PID 624 wrote to memory of 2976 | 624 | cres.exe | 84
  PID 624 wrote to memory of 2976 | 624 | cres.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\cres.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cres.exe"
  PID: 1288
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\XenoManager\cres.exe (child of PID 1288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\XenoManager\cres.exe"
    PID: 624
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (child of PID 624)
      Command line: "schtasks.exe" /Create /TN "manager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5FF.tmp" /F
      PID: 2976
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 226B
  MD5: 916851e072fbabc4796d8916c5131092
  SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
- File 2
  Filesize: 45KB
  MD5: 1e7700efbf15f37dd3f86f05c622ae32
  SHA1: 651957f68d597141fc5325e62189330e05434e74
  SHA256: 15c2892194da8b7dd9ca72cdec0b3fb3eff422361f603ae2ae17e4be21154928
  SHA512: 72f1a14b3e20fdf8e9c362cf621b2d1ad04dca4dcaffa0dfd9b3c6e502ed8cd6834194ddeebda74e0d6d38db3ea2102e7ec0bcb6f858df281325e9842e19b11b
- File 3
  Filesize: 1KB
  MD5: ed2ac3231d5a7037e886bbe03105f63a
  SHA1: 79c49e9ec0ffa044c6e83be9ca6a9f47c7626e78
  SHA256: a8237f3aefc09e08608161abaa554ce88d4d706d6cbe1814b7ceff7508cd34a4
  SHA512: a324b3e7475632dcf5f7bca167fa2d062a856a4e54751a94f89627e8c47787d968dc3133376a644786037c3d436da17e8e751353d176482fd1443eeaa4bce0cb