Overview

overview

10

Static

static

10

mewingsigmaboy.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2025 23:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mewingsigmaboy.exe

  • Size

    74KB

  • MD5

    3844571d2d25e1112db4d525422f8ad2

  • SHA1

    3ee0f8874270f73c417a2a56e506a49b850cef8e

  • SHA256

    c4c21224b91351cbd943ca77e14c1c458815104ab9ffa5d252615d75e736f725

  • SHA512

    fd0ac668e7f85b5bba70bc01db2ae4c63b85519ad8059aaec4142be92ea4642d242fc6fea4fc78bc4cf36b1b67ec4e4564c8effaab6987042acb738187179705

  • SSDEEP

    1536:Tw+jjgn2yH9XqcnW85SbTBqWIy8+Qlr6SYCmQqy15X:Tw+jq2s91UbTBqH+Q4wqy15X

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

147.185.221.25

Mutex

Eulen

Attributes
  • delay

    1

  • install_path

    temp

  • port

    18889

  • startup_name

    Update

Signatures

  • Detect XenoRat Payload 2 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mewingsigmaboy.exe
    "C:\Users\Admin\AppData\Local\Temp\mewingsigmaboy.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\mewingsigmaboy.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\mewingsigmaboy.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4724
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Update" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B36.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:5044
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mewingsigmaboy.exe.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\XenoManager\mewingsigmaboy.exe
    Filesize

    74KB

    MD5

    3844571d2d25e1112db4d525422f8ad2

    SHA1

    3ee0f8874270f73c417a2a56e506a49b850cef8e

    SHA256

    c4c21224b91351cbd943ca77e14c1c458815104ab9ffa5d252615d75e736f725

    SHA512

    fd0ac668e7f85b5bba70bc01db2ae4c63b85519ad8059aaec4142be92ea4642d242fc6fea4fc78bc4cf36b1b67ec4e4564c8effaab6987042acb738187179705

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9B36.tmp
    Filesize

    1KB

    MD5

    a13124a17ca74d79cfea89926010daca

    SHA1

    833d7054f3b23fc349efaa36e94a1526c2c0fcc0

    SHA256

    434397b2bbff4a74f3d3efe32392434bdf6d260ca966b3895ea176716d8470a7

    SHA512

    1d41cce6cabd1241829f7d8d70fb81a413d0e69a1ffacbede1cf5f6726123ee6e2a9862ff5206f9a95782f0a65a2c49eb01a0e2c357b1dad555d878169cbb5cf

    Download Submit

  • memory/4532-1-0x0000000000B90000-0x0000000000BA8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4532-0-0x000000007530E000-0x000000007530F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-31-0x0000013D6B970000-0x0000013D6B971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-21-0x0000013D6B970000-0x0000013D6B971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-22-0x0000013D6B970000-0x0000013D6B971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-20-0x0000013D6B970000-0x0000013D6B971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-32-0x0000013D6B970000-0x0000013D6B971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-30-0x0000013D6B970000-0x0000013D6B971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-29-0x0000013D6B970000-0x0000013D6B971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-28-0x0000013D6B970000-0x0000013D6B971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-27-0x0000013D6B970000-0x0000013D6B971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-26-0x0000013D6B970000-0x0000013D6B971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4724-16-0x0000000075300000-0x0000000075AB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4724-19-0x0000000075300000-0x0000000075AB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4724-17-0x0000000075300000-0x0000000075AB0000-memory.dmp

    Filesize

    7.7MB

    Download