Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

test.exe

windows10-2004-x64

10

test.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    116s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27/01/2025, 00:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.exe

  • Size

    45KB

  • MD5

    21645270a894666d3b1907b66ddd147f

  • SHA1

    bfd5061be263edd2de98d17fb989a408fa7117b9

  • SHA256

    567d3d5648344b34020556c6dc5415cb96f4c385c314279c0a26c0ebac58851e

  • SHA512

    84ad094f677e06caf4f6a5b552afd9e0420f428e2ce86904340786bdfe979f8f345d72574a0012cc7224caa57fcb355b723ce14e63bd8d808e592cdd9346ec6e

  • SSDEEP

    768:tdhO/poiiUcjlJInuzH9Xqk5nWEZ5SbTDa0WI7CPW5/:jw+jjgnsH9XqcnW85SbTNWIX

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

24.ip.gl.ply.gg

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    3000

  • install_path

    appdata

  • port

    64438

  • startup_name

    cmd

Signatures

  • Detect XenoRat Payload 3 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Roaming\XenoManager\test.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\test.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "cmd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB0B2.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3376

Network

  • flag-us
    DNS
    24.ip.gl.ply.gg
    test.exe
    Remote address:
    8.8.8.8:53
    Request
    24.ip.gl.ply.gg
    IN A
    Response
    24.ip.gl.ply.gg
    IN A
    147.185.221.24
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    test.exe
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    24.221.185.147.in-addr.arpa
    test.exe
    Remote address:
    8.8.8.8:53
    Request
    24.221.185.147.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    test.exe
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.229.43
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    test.exe
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 147.185.221.24:64438
    24.ip.gl.ply.gg
    test.exe
    931 B
     836 B
     14
    14
  • 147.185.221.24:64438
    24.ip.gl.ply.gg
    test.exe
    3.7kB
     5.1kB
     59
    99
  • 147.185.221.24:64438
    24.ip.gl.ply.gg
    test.exe
    3.4kB
     3.0kB
     41
    57
  • 147.185.221.24:64438
    24.ip.gl.ply.gg
    test.exe
    1.1kB
     10.7kB
     19
    20
  • 147.185.221.24:64438
    24.ip.gl.ply.gg
    test.exe
    848 B
     752 B
     11
    11
  • 147.185.221.24:64438
    24.ip.gl.ply.gg
    test.exe
    98 B
     52 B
     2
    1
  • 8.8.8.8:53
    24.ip.gl.ply.gg
    dns
    test.exe
    348 B
     596 B
     5
    5

    DNS Request

    24.ip.gl.ply.gg

    DNS Response

    147.185.221.24

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    24.221.185.147.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.229.43

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\test.exe.log
    Filesize

    226B

    MD5

    1294de804ea5400409324a82fdc7ec59

    SHA1

    9a39506bc6cadf99c1f2129265b610c69d1518f7

    SHA256

    494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

    SHA512

    033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB0B2.tmp
    Filesize

    1KB

    MD5

    d14add5bc544dc56500dab4dcc70f120

    SHA1

    626a696608ee981a0e8d6bde221c0dcb961c2644

    SHA256

    e549e2fef562f01fc2d18ba0b34521bb6f87ba4ca0dcfc82002c9dfcffa07ad0

    SHA512

    3a19b6d12218a2e66dab2175098a392a8ec489711852a05542e3a156876fb1b0a0806ee5839741a196117d111ef5ea2a0562c7999eab3861f5f81ba9c03098db

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XenoManager\test.exe
    Filesize

    45KB

    MD5

    21645270a894666d3b1907b66ddd147f

    SHA1

    bfd5061be263edd2de98d17fb989a408fa7117b9

    SHA256

    567d3d5648344b34020556c6dc5415cb96f4c385c314279c0a26c0ebac58851e

    SHA512

    84ad094f677e06caf4f6a5b552afd9e0420f428e2ce86904340786bdfe979f8f345d72574a0012cc7224caa57fcb355b723ce14e63bd8d808e592cdd9346ec6e

    Download Submit

  • memory/1248-15-0x0000000074B80000-0x0000000075331000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1248-18-0x0000000074B80000-0x0000000075331000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1248-19-0x0000000005380000-0x00000000053E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1248-20-0x00000000008C0000-0x00000000008CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1248-21-0x0000000005530000-0x00000000055C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1248-22-0x0000000005B80000-0x0000000006126000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1644-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1644-1-0x0000000000290000-0x00000000002A2000-memory.dmp

    Filesize

    72KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.