Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2025 17:07
Behavioral task: behavioral1
Sample: Steam.exe
Resource: win7-20240729-en
General

Target: Steam.exe
Size: 5.9MB
MD5: 83df4320406c8a4d6a77f47f694d3489
SHA1: 01e3d49eeec578e954724608f8000463c939ed1a
SHA256: a1c193a12ee68ca56f0286ef3b9a221198603e13b0bb207a0554e79de927a951
SHA512: d34a01373453ad0e69203ad5f288141cbe514986704eaf388d3d61f50aa75056dc5c16f1cbe0ca0de553d462bed3dc558e9141164e7476a4d83791f886016b61
SSDEEP: 98304:piEwNGSuhSSjEUE14A3CQTC2tNf+gfdUPYk4OpurnepaphA0FqxzXYTNOJSXRTzE:pINHcjQ+Y3NGgfdUcrn4arOzI5RvgH
Malware Config

Extracted: xenorat
20.82.147.157
PNB=8yfvfgb09gbu
delay: 5000
install_path: nothingset
port: 4454
startup_name: OneDriveUpdater

Read together, the address and port fields give the C2 endpoint, TCP 20.82.147.157:4454. The startup_name value is the name of the scheduled task the dropped payload registers (see the schtasks /Create line under Processes), and install_path being nothingset is consistent with the payload running from the directory it was dropped into rather than copying itself elsewhere. The two unlabelled values above are reproduced exactly as the extractor reported them.
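As an added example (not part of the sandbox report and not XenoRAT's own code), the Python below turns the extracted endpoint into a Suricata rule and hunts a constructed Zeek-style conn.log for hosts contacting it. It treats the delay value (5000 ms) as the reconnect interval when scoring periodicity; the report does not define that field's semantics, so the mapping, the sample log lines, the private source addresses and the rule sid are all assumptions.

```python
"""Added example: hunt connection logs for the XenoRAT C2 endpoint reported above.

Not part of the sandbox report. The conn.log lines are constructed; field
order follows Zeek's conn.log (ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto).
"""
from collections import defaultdict
from statistics import median

# Values taken from the Malware Config section of the report.
C2_HOST = "20.82.147.157"
C2_PORT = 4454
DELAY_MS = 5000  # reported "delay"; treated here as the reconnect interval (assumption)

# Constructed sample log: one host beaconing every ~5 s, plus unrelated traffic.
SAMPLE_CONN_LOG = """\
1737824700.10\t10.0.0.15\t49712\t20.82.147.157\t4454\ttcp
1737824705.12\t10.0.0.15\t49713\t20.82.147.157\t4454\ttcp
1737824710.09\t10.0.0.15\t49714\t20.82.147.157\t4454\ttcp
1737824715.11\t10.0.0.15\t49715\t20.82.147.157\t4454\ttcp
1737824716.00\t10.0.0.22\t51000\t203.0.113.5\t443\ttcp
1737824720.08\t10.0.0.15\t49716\t20.82.147.157\t4454\ttcp
1737824733.00\t10.0.0.31\t52222\t20.82.147.157\t80\ttcp
"""


def suricata_rule(host=C2_HOST, port=C2_PORT, sid=9000001):
    """Alert on any outbound TCP SYN to the C2 endpoint (sid is an assumed local value)."""
    return (f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"XenoRAT C2 connection"; flags:S; flow:to_server; sid:{sid}; rev:1;)')


def parse_conn_log(text):
    """Parse tab-separated conn.log rows into (ts, orig_h, orig_p, resp_h, resp_p, proto)."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, oh, op, rh, rp, proto = line.split("\t")
        rows.append((float(ts), oh, int(op), rh, int(rp), proto))
    return rows


def c2_contacts(rows, host=C2_HOST, port=C2_PORT):
    """Group timestamps of TCP connections to host:port by source address."""
    by_src = defaultdict(list)
    for ts, oh, _, rh, rp, proto in rows:
        if rh == host and rp == port and proto == "tcp":
            by_src[oh].append(ts)
    return dict(by_src)


def looks_periodic(timestamps, period_s, tolerance=0.2, min_samples=3):
    """True if the median gap between consecutive contacts is within tolerance of period_s."""
    if len(timestamps) < min_samples:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return abs(median(gaps) - period_s) <= tolerance * period_s


def hunt(text=SAMPLE_CONN_LOG):
    """Per source host: number of C2 contacts and whether the cadence matches the config delay."""
    contacts = c2_contacts(parse_conn_log(text))
    return {src: {"count": len(ts), "beacon_like": looks_periodic(ts, DELAY_MS / 1000)}
            for src, ts in contacts.items()}


if __name__ == "__main__":
    print(suricata_rule())
    print(hunt())
```

The port filter matters: the last sample line reaches the same address on TCP 80, which is not the configured endpoint and is deliberately left out of the result. Periodicity is scored on the median gap so that a single long outage between reconnects does not hide an otherwise regular cadence.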
Signatures

Detect XenoRat Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/files/0x0004000000004ed7-19.dat                                   family_xenorat
  behavioral1/memory/3020-22-0x00000000008B0000-0x00000000008C2000-memory.dmp   family_xenorat

Xenorat family

Executes dropped EXE (1 IoC)
  pid    Process
  3020   cmdkey.exe

yara_rule vmprotect (4 IoCs)
  resource
  behavioral1/memory/2764-11-0x000000013F9A0000-0x0000000140410000-memory.dmp
  behavioral1/memory/2764-14-0x000000013F9A0000-0x0000000140410000-memory.dmp
  behavioral1/memory/2764-39-0x000000013F9A0000-0x0000000140410000-memory.dmp
  behavioral1/memory/2764-50-0x000000013F9A0000-0x0000000140410000-memory.dmp
  All four hits are the same mapped range in Steam.exe (PID 2764), captured at different points in the run; the image base above 4 GB is consistent with the x64 build the platform field reports. VMProtect's anti-debug checks are the likely source of the NtSetInformationThreadHideFromDebugger calls below.

Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  pid    Process
  2764   Steam.exe   (64 identical entries)

Drops file in Windows directory (1 IoC)
  description    ioc                                               Process
  File created   C:\Windows\Downloaded Program Files\cmdkey.exe    Steam.exe
  The genuine cmdkey.exe lives in C:\Windows\System32; a file of that name under Downloaded Program Files is name masquerading, not the Windows tool.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe (3 entries)
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   choice.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmdkey.exe
  Every process flagged here except the dropped cmdkey.exe is a stock Windows binary reading this key during its own start-up, so treat this hit as low signal.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  1928   schtasks.exe

Suspicious behavior: EnumeratesProcesses (49 IoCs)
  pid    Process
  2764   Steam.exe    (1 entry)
  3020   cmdkey.exe   (48 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   3020   cmdkey.exe

Suspicious use of WriteProcessMemory (48 IoCs)
  Each row is one writer/target pair; "writes" is the number of logged events for that pair.
  pid    Process      target PID   target Process   procid_target   writes
  2764   Steam.exe    2220         cmd.exe          32              3
  2764   Steam.exe    2740         cmd.exe          33              3
  2740   cmd.exe      2640         mode.com         34              3
  2764   Steam.exe    2792         cmd.exe          35              3
  2764   Steam.exe    3020         cmdkey.exe       36              7
  2764   Steam.exe    768          cmd.exe          39              3
  2764   Steam.exe    1936         cmd.exe          40              3
  3020   cmdkey.exe   1928         schtasks.exe     41              4
  3020   cmdkey.exe   2228         schtasks.exe     44              4
  3020   cmdkey.exe   1544         schtasks.exe     46              4
  3020   cmdkey.exe   2392         cmd.exe          48              4
  2392   cmd.exe      1016         choice.exe       50              4
  2764   Steam.exe    1532         WerFault.exe     51              3
  Every target is a direct child of the writing process (compare the Processes tree), which is the pattern ordinary process creation produces; on its own this signature does not show injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\Steam.exe
  "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
  PID: 2764
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    PID: 2220

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode con cols=85 lines=30
    PID: 2740
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\mode.com
      mode con cols=85 lines=30
      PID: 2640

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    PID: 2792

  C:\Windows\Downloaded Program Files\cmdkey.exe
    "C:\Windows\Downloaded Program Files\cmdkey.exe"
    PID: 3020
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "OneDriveUpdater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21A4.tmp" /F
      PID: 1928
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /query /v /fo csv
      PID: 2228
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /delete /tn "\OneDriveUpdater" /f
      PID: 1544
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Downloaded Program Files\cmdkey.exe"
      PID: 2392
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        PID: 1016
        - System Location Discovery: System Language Discovery

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    PID: 768

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    PID: 1936

  C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2764 -s 1328
    PID: 1532

Reading the tree: Steam.exe (PID 2764) clears and resizes its console, writes cmdkey.exe into C:\Windows\Downloaded Program Files\ and launches it. The dropped cmdkey.exe (PID 3020) is a 32-bit process (its children resolve to SysWOW64 through file-system redirection, and its XenoRAT memory hit sits at 0x8B0000); it registers a scheduled task named OneDriveUpdater from an XML definition in the user's Temp directory, lists all tasks, deletes \OneDriveUpdater, and finally spawns cmd.exe with a 3-second choice timer followed by Del of its own image, the usual self-removal idiom. The closing WerFault.exe -u -p 2764 is Windows Error Reporting handling a crash in Steam.exe.
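The chain above is worth encoding as detection logic. The Python below is an added example, not the sandbox's own signatures: it rebuilds the process-creation events from the tree as simple records (the field names are my own, not a Sysmon or EDR schema) and runs three checks over them: a system-binary name executing outside System32/SysWOW64, schtasks /Create importing a task XML from the user's Temp directory, and a cmd.exe choice-timer Del whose target is the parent process's own image. The functions are general; the constructed EVENTS list is just this report's tree.

```python
"""Added example: process-telemetry detections for the behaviour in the tree above.

Not part of the sandbox report. Events are reconstructed by hand from the
Processes section; pid/ppid/image/cmdline are my own field names.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the Processes tree in the report (ppid 0 marks the sample itself).
EVENTS = [
    ProcEvent(2764, 0, r"C:\Users\Admin\AppData\Local\Temp\Steam.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Steam.exe"'),
    ProcEvent(2220, 2764, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c cls"),
    ProcEvent(2740, 2764, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c mode con cols=85 lines=30"),
    ProcEvent(2640, 2740, r"C:\Windows\system32\mode.com", r"mode con cols=85 lines=30"),
    ProcEvent(3020, 2764, r"C:\Windows\Downloaded Program Files\cmdkey.exe",
              r'"C:\Windows\Downloaded Program Files\cmdkey.exe"'),
    ProcEvent(1928, 3020, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /Create /TN "OneDriveUpdater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21A4.tmp" /F'),
    ProcEvent(2228, 3020, r"C:\Windows\SysWOW64\schtasks.exe", r'"schtasks.exe" /query /v /fo csv'),
    ProcEvent(1544, 3020, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /delete /tn "\OneDriveUpdater" /f'),
    ProcEvent(2392, 3020, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Downloaded Program Files\cmdkey.exe"'),
    ProcEvent(1016, 2392, r"C:\Windows\SysWOW64\choice.exe", r"choice /C Y /N /D Y /T 3"),
]

# Windows binaries that legitimately live only in System32 / SysWOW64 (assumed allow-list).
SYSTEM_BINARIES = {"cmdkey.exe", "schtasks.exe", "cmd.exe", "choice.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def detect_masquerading(events):
    """A system-binary name executing from a directory other than System32/SysWOW64."""
    hits = []
    for ev in events:
        name = ntpath.basename(ev.image).lower()
        folder = ntpath.dirname(ev.image).lower()
        if name in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
            hits.append((ev.pid, ev.image))
    return hits


SCHTASKS_CREATE_XML = re.compile(r'/create\b.*?/tn\s+"?([^"\s]+)"?.*?/xml\s+"?([^"]+)"?', re.I)


def detect_temp_task_xml(events):
    """schtasks /Create whose task definition is imported from the user's Temp directory."""
    hits = []
    for ev in events:
        m = SCHTASKS_CREATE_XML.search(ev.cmdline)
        if m and "\\appdata\\local\\temp\\" in m.group(2).lower():
            hits.append((ev.pid, m.group(1), m.group(2)))
    return hits


SELF_DELETE = re.compile(r'\bchoice\b.*?&\s*del\s+"?([^"]+?)"?\s*$', re.I)


def detect_self_delete(events):
    """cmd /C choice ... & Del <path> where <path> is the image of the spawning process."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        m = SELF_DELETE.search(ev.cmdline)
        if not m:
            continue
        parent = by_pid.get(ev.ppid)
        if parent and parent.image.lower() == m.group(1).strip().lower():
            hits.append((ev.ppid, parent.image))
    return hits


def run_all(events=EVENTS):
    """Run every detection and return hits keyed by detection name."""
    return {
        "masquerading": detect_masquerading(events),
        "temp_task_xml": detect_temp_task_xml(events),
        "self_delete": detect_self_delete(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

The self-delete check deliberately requires the Del target to equal the parent's image rather than matching any "choice & del" string: installers and updaters use the same timer idiom to remove temporary files, and the parent-image condition is what separates a binary erasing itself from ordinary cleanup.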
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 6a06378ae3a95005d5bbe9f905fbd540
SHA1: ef75d73e362a5c274f4be47901df1d5da3ab2534
SHA256: b88df0a62fb6589bce9779a9e41490cfc5dafa053a6e84cc897664dbb26b662e
SHA512: 18314de231d8a9a22e4f9ce437a569c17dc0973bd290dd4810379f4f1cb157b5f495377c57c239b291ab7cad41a8cb43227bf2fbee44a2b6a8641830984d0380

Filesize: 46KB
MD5: cbd03f965337189b807dcd0033dc617e
SHA1: 8dd0f7c638e752dcfe6a93cf61545a15d3e862b6
SHA256: 643182b3cb9fe33cbe39f0ae877b376b8ce192e957caddde2c33cc8ca2c5b11e
SHA512: 3846403e364be3e251a284f86c5de8512604c64f0d926182952f4525a949a77af4729cc62bfaa0433a8ea56b84fc61e333fec4168b6eb298582bf238df9bc9ad

The report attaches no paths to these two entries. Their sizes are consistent with the task XML written to Temp (tmp21A4.tmp) and the dropped cmdkey.exe respectively, but that pairing is an inference, not something the report states.