xenorat | a1c193a12ee68ca56f0286ef3b9a221198603e13b0bb207a0554e79de927a951

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Steam.exe
Size

5.9MB
MD5

83df4320406c8a4d6a77f47f694d3489
SHA1

01e3d49eeec578e954724608f8000463c939ed1a
SHA256

a1c193a12ee68ca56f0286ef3b9a221198603e13b0bb207a0554e79de927a951
SHA512

d34a01373453ad0e69203ad5f288141cbe514986704eaf388d3d61f50aa75056dc5c16f1cbe0ca0de553d462bed3dc558e9141164e7476a4d83791f886016b61
SSDEEP

98304:piEwNGSuhSSjEUE14A3CQTC2tNf+gfdUPYk4OpurnepaphA0FqxzXYTNOJSXRTzE:pINHcjQ+Y3NGgfdUcrn4arOzI5RvgH

Score

10^/10

xenorat discovery rat trojan vmprotect

Malware Config

Extracted

Family

xenorat

20.82.147.157

Mutex

PNB=8yfvfgb09gbu

Attributes

delay
5000
install_path
nothingset
port
4454
startup_name
OneDriveUpdater

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c9c-10.dat	family_xenorat
behavioral2/memory/2948-13-0x0000000000970000-0x0000000000982000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	cmdkey.exe

Executes dropped EXE 1 IoCs

pid	Process
2948	cmdkey.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1464-6-0x00007FF645FD0000-0x00007FF646A40000-memory.dmp	vmprotect
behavioral2/memory/1464-22-0x00007FF645FD0000-0x00007FF646A40000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe
1464	Steam.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\cmdkey.exe	Steam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdkey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1464	Steam.exe
1464	Steam.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe
2948	cmdkey.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	cmdkey.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2264	1464	Steam.exe	84
PID 1464 wrote to memory of 2264	1464	Steam.exe	84
PID 1464 wrote to memory of 2468	1464	Steam.exe	85
PID 1464 wrote to memory of 2468	1464	Steam.exe	85
PID 2468 wrote to memory of 4908	2468	cmd.exe	86
PID 2468 wrote to memory of 4908	2468	cmd.exe	86
PID 1464 wrote to memory of 4016	1464	Steam.exe	88
PID 1464 wrote to memory of 4016	1464	Steam.exe	88
PID 1464 wrote to memory of 2948	1464	Steam.exe	89
PID 1464 wrote to memory of 2948	1464	Steam.exe	89
PID 1464 wrote to memory of 2948	1464	Steam.exe	89
PID 1464 wrote to memory of 2780	1464	Steam.exe	92
PID 1464 wrote to memory of 2780	1464	Steam.exe	92
PID 1464 wrote to memory of 1412	1464	Steam.exe	93
PID 1464 wrote to memory of 1412	1464	Steam.exe	93
PID 2948 wrote to memory of 4076	2948	cmdkey.exe	96
PID 2948 wrote to memory of 4076	2948	cmdkey.exe	96
PID 2948 wrote to memory of 4076	2948	cmdkey.exe	96
PID 2948 wrote to memory of 4844	2948	cmdkey.exe	112
PID 2948 wrote to memory of 4844	2948	cmdkey.exe	112
PID 2948 wrote to memory of 4844	2948	cmdkey.exe	112
PID 2948 wrote to memory of 3988	2948	cmdkey.exe	114
PID 2948 wrote to memory of 3988	2948	cmdkey.exe	114
PID 2948 wrote to memory of 3988	2948	cmdkey.exe	114
PID 2948 wrote to memory of 1052	2948	cmdkey.exe	116
PID 2948 wrote to memory of 1052	2948	cmdkey.exe	116
PID 2948 wrote to memory of 1052	2948	cmdkey.exe	116
PID 1052 wrote to memory of 676	1052	cmd.exe	118
PID 1052 wrote to memory of 676	1052	cmd.exe	118
PID 1052 wrote to memory of 676	1052	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con cols=85 lines=30
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\mode.com
    mode con cols=85 lines=30
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4016
- C:\Windows\Downloaded Program Files\cmdkey.exe
  "C:\Windows\Downloaded Program Files\cmdkey.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "OneDriveUpdater" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC8BE.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4076
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /query /v /fo csv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4844
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /delete /tn "\OneDriveUpdater" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Downloaded Program Files\cmdkey.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      System Location Discovery: System Language Discovery
      PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC8BE.tmp

Filesize
1KB

MD5
6a06378ae3a95005d5bbe9f905fbd540

SHA1
ef75d73e362a5c274f4be47901df1d5da3ab2534

SHA256
b88df0a62fb6589bce9779a9e41490cfc5dafa053a6e84cc897664dbb26b662e

SHA512
18314de231d8a9a22e4f9ce437a569c17dc0973bd290dd4810379f4f1cb157b5f495377c57c239b291ab7cad41a8cb43227bf2fbee44a2b6a8641830984d0380

Download Submit
C:\Windows\Downloaded Program Files\cmdkey.exe

Filesize
46KB

MD5
cbd03f965337189b807dcd0033dc617e

SHA1
8dd0f7c638e752dcfe6a93cf61545a15d3e862b6

SHA256
643182b3cb9fe33cbe39f0ae877b376b8ce192e957caddde2c33cc8ca2c5b11e

SHA512
3846403e364be3e251a284f86c5de8512604c64f0d926182952f4525a949a77af4729cc62bfaa0433a8ea56b84fc61e333fec4168b6eb298582bf238df9bc9ad

Download Submit
memory/1464-22-0x00007FF645FD0000-0x00007FF646A40000-memory.dmp

Filesize
10.4MB

Download
memory/1464-1-0x00007FFA57B50000-0x00007FFA57B52000-memory.dmp

Filesize
8KB

Download
memory/1464-6-0x00007FF645FD0000-0x00007FF646A40000-memory.dmp

Filesize
10.4MB

Download
memory/1464-21-0x00007FF64605C000-0x00007FF646455000-memory.dmp

Filesize
4.0MB

Download
memory/1464-0-0x00007FF64605C000-0x00007FF646455000-memory.dmp

Filesize
4.0MB

Download
memory/1464-2-0x00007FFA57B60000-0x00007FFA57B62000-memory.dmp

Filesize
8KB

Download
memory/2948-12-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/2948-13-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/2948-20-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/2948-28-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/2948-29-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/2948-30-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/2948-31-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download