Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2024 23:01
Behavioral task: behavioral1
Sample: test11.exe
Resource: win7-20241010-en
General
Target: test11.exe
Size: 60KB
MD5: b17514c767f1f62dbcb166a0c6ec326c
SHA1: 482eb69bb070a338368a9bb130a610b3af61cc16
SHA256: 014d0e20da8e4c3b6b83dc594bd0cb57e5419c3eab5b075d85ce648d825fcff8
SHA512: f6d3cd10037d4e1a79cd4ef0aec41beb3a66d04cd1ed9131ac61adbafc959f98a2279ec8c2c22fcd0a59274600ecd4645915db418faad635bd6ead8578a15243
SSDEEP: 768:1dhO/poiiUcjlJIn42gH9Xqk5nWEZ5SbTDaWuI7CPW5xqE:Lw+jjgn4LH9XqcnW85SbTDuI4E
Malware Config
Extracted family: xenorat
127.0.0.1
set_up_nd8912d
delay: 5000
install_path: temp
port: 4444
startup_name: SecurityHealthSystray
Signatures

Detect XenoRat Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2716-1-0x0000000000350000-0x0000000000366000-memory.dmp | family_xenorat
  behavioral2/files/0x000a000000023b88-6.dat | family_xenorat

Xenorat family

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | test11.exe

Executes dropped EXE (1 IoC)
  pid | Process
  4164 | test11.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | test11.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | test11.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3212 | schtasks.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2716 wrote to memory of 4164 | 2716 | test11.exe | 85
  PID 2716 wrote to memory of 4164 | 2716 | test11.exe | 85
  PID 2716 wrote to memory of 4164 | 2716 | test11.exe | 85
  PID 4164 wrote to memory of 3212 | 4164 | test11.exe | 87
  PID 4164 wrote to memory of 3212 | 4164 | test11.exe | 87
  PID 4164 wrote to memory of 3212 | 4164 | test11.exe | 87
Processes

C:\Users\Admin\AppData\Local\Temp\test11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\test11.exe"
  PID: 2716
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\XenoManager\test11.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XenoManager\test11.exe"
    PID: 4164
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /Create /TN "SecurityHealthSystray" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCC8.tmp" /F
      PID: 3212
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
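The process tree above is the detection surface for this sample: the original binary runs from %TEMP%, relaunches a copy from %TEMP%\XenoManager\, and that copy spawns schtasks.exe to import a task definition from a .tmp file under the task name taken from the extracted startup_name (SecurityHealthSystray, which is also the name of the legitimate Windows Security tray binary in System32). The Python below is an added example, not part of this sandbox report or of XenoRat, that runs those checks over a few process-creation events constructed from the tree plus two benign look-alikes. The parent PID 1234, the two benign events, and the SHA256 attached to each event are assumptions for the example; the indicators themselves are taken from the report.

```python
"""Hunt for the XenoRat execution chain from this report in process-creation telemetry.

Added example, not part of the sandbox report or of XenoRat. Indicators (paths, task name,
sample hash) come from the report; the event records themselves are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators lifted from the report.
SAMPLE_SHA256 = "014d0e20da8e4c3b6b83dc594bd0cb57e5419c3eab5b075d85ce648d825fcff8"
STARTUP_NAME = "SecurityHealthSystray"  # extracted startup_name; also a real Windows tray binary name
INSTALL_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\XenoManager\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Windows-style tokenizer: a double-quoted run is one token, everything else splits on whitespace.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""


def split_cmdline(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str | bool] | None:
    """Return /TN, /XML, /TR and /F for a 'schtasks /Create' command line, else None."""
    args = split_cmdline(cmdline)
    lowered = [a.lower() for a in args]
    if "/create" not in lowered:
        return None
    opts: dict[str, str | bool] = {"/f": "/f" in lowered}
    for i, a in enumerate(lowered):
        if a in ("/tn", "/xml", "/tr") and i + 1 < len(args):
            opts[a] = args[i + 1]
    return opts


def classify(ev: ProcEvent) -> list[str]:
    """Return the sorted list of indicator names this single event matches."""
    hits = []
    if ev.sha256.lower() == SAMPLE_SHA256:
        hits.append("known_xenorat_sample_hash")
    if INSTALL_DIR_RE.search(ev.image):
        hits.append("exec_from_xenomanager_tempdir")
    if ev.image.lower().endswith("\\schtasks.exe"):
        opts = parse_schtasks(ev.cmdline)
        if opts:
            xml = opts.get("/xml")
            if isinstance(xml, str) and TEMP_DIR_RE.search(xml):
                hits.append("schtasks_create_from_temp_xml")
            tn = opts.get("/tn")
            if isinstance(tn, str) and tn.lower() == STARTUP_NAME.lower():
                hits.append("task_name_matches_xenorat_startup_name")
    return sorted(hits)


def chain_alert(events: list[ProcEvent]) -> bool:
    """True when schtasks /Create (XML from Temp) is spawned by a process running out of XenoManager."""
    by_pid = {e.pid: e for e in events}
    for ev in events:
        if "schtasks_create_from_temp_xml" in classify(ev):
            parent = by_pid.get(ev.ppid)
            if parent and "exec_from_xenomanager_tempdir" in classify(parent):
                return True
    return False


# Constructed events modelled on the report's process tree. PPID 1234, the two benign
# look-alikes and the per-event hashes are assumptions for the example.
EVENTS = [
    ProcEvent(2716, 1234, r"C:\Users\Admin\AppData\Local\Temp\test11.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\test11.exe"', SAMPLE_SHA256),
    ProcEvent(4164, 2716, r"C:\Users\Admin\AppData\Local\Temp\XenoManager\test11.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\XenoManager\test11.exe"', SAMPLE_SHA256),
    ProcEvent(3212, 4164, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /Create /TN "SecurityHealthSystray" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCC8.tmp" /F'),
    # Benign: the real Security Health tray binary, same name, launched from System32.
    ProcEvent(5000, 1234, r"C:\Windows\System32\SecurityHealthSystray.exe",
              r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    # Benign: an admin importing a task definition from a non-temp XML.
    ProcEvent(5100, 1234, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup" /XML "C:\Users\Admin\Documents\backup.xml"'),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.pid, ev.image.rsplit("\\", 1)[-1], classify(ev) or "-")
    print("chain alert:", chain_alert(EVENTS))
```

The per-event checks are deliberately loose on their own (a task imported from a temp XML is unusual but not unique to this family); the parent/child correlation in `chain_alert` is what turns them into a high-confidence hit, and the task-name match ties the artifact back to the extracted config so a responder knows which scheduled task to remove.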
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 60KB
  MD5: b17514c767f1f62dbcb166a0c6ec326c
  SHA1: 482eb69bb070a338368a9bb130a610b3af61cc16
  SHA256: 014d0e20da8e4c3b6b83dc594bd0cb57e5419c3eab5b075d85ce648d825fcff8
  SHA512: f6d3cd10037d4e1a79cd4ef0aec41beb3a66d04cd1ed9131ac61adbafc959f98a2279ec8c2c22fcd0a59274600ecd4645915db418faad635bd6ead8578a15243

File 2
  Filesize: 1KB
  MD5: 00b2ac135eb2a2a01756c263048ad49d
  SHA1: 6f532cb1deb42bd07edebe7016951990fb84df5e
  SHA256: 7b79b809b0523db9465f64520c7ba243b734ad2d542983ca5588afc7511edc6b
  SHA512: 8242f4950e7ff50f99a7f13249625b8aa92b38d2ceb652e998d20e72b07346a1dc377bb0e30e005aac60a7adb2e94d19ffea9d4579425d5b3463ff3d7b489fb8