Overview

overview

10

Static

static

10

python_309_setup.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    51s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-02-2025 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    python_309_setup.exe

  • Size

    45KB

  • MD5

    2dcdd4f5f1aa75d0ccc76ddb36cf8e2a

  • SHA1

    b4b95a1e4cee0384d20f90fefd196a4175d61faf

  • SHA256

    ae89053448060576ac8a19a5ec05365bdf470f3276a63eb0fd01f82313279d1f

  • SHA512

    9e000cf6188ac8aa996e77033fb0edb60349feae57aaee05d7112a3192964e230fc0d37dcfc91507e36348ce18ffb0e881c9ff5f8e12538b1a2aac57531a79a1

  • SSDEEP

    768:m/dhO/poiiUcjlJInd3H9Xqk5nWEZ5SbTDaiuI7CPW5W2YAL:m1w+jjgn5H9XqcnW85SbTnuIe2YAL

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4444

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 2 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\python_309_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\python_309_setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\python_309_setup.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\python_309_setup.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4628
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2124
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:3608
  • C:\Windows\System32\BitLockerWizardElev.exe
    "C:\Windows\System32\BitLockerWizardElev.exe" F:\ T
    1⤵
    • Enumerates connected drives
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\python_309_setup.exe.log
    Filesize

    226B

    MD5

    1294de804ea5400409324a82fdc7ec59

    SHA1

    9a39506bc6cadf99c1f2129265b610c69d1518f7

    SHA256

    494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

    SHA512

    033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\e67bd1c4-af49-43a8-91cf-66219eeb508a.down_data
    Filesize

    555KB

    MD5

    5683c0028832cae4ef93ca39c8ac5029

    SHA1

    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

    SHA256

    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

    SHA512

    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    23KB

    MD5

    5726af350fb53362b67f203382fd2eaa

    SHA1

    11f6367d87b92d6c13deed8bc641422d0bcea990

    SHA256

    5423fff1b9a87ffaf764d572000f10ff80994fc8662eeef2e2c55d90f03de93b

    SHA512

    db9afd3bb5a52e8412fd1c6481dcc707269a04655b2528ce2c05282e7f34768e133a393302263ee99c6432ee622f0953360f33b010d5cdb4149422154d36ece7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\XenoManager\python_309_setup.exe
    Filesize

    45KB

    MD5

    2dcdd4f5f1aa75d0ccc76ddb36cf8e2a

    SHA1

    b4b95a1e4cee0384d20f90fefd196a4175d61faf

    SHA256

    ae89053448060576ac8a19a5ec05365bdf470f3276a63eb0fd01f82313279d1f

    SHA512

    9e000cf6188ac8aa996e77033fb0edb60349feae57aaee05d7112a3192964e230fc0d37dcfc91507e36348ce18ffb0e881c9ff5f8e12538b1a2aac57531a79a1

    Download Submit

  • memory/4628-15-0x0000000074EC0000-0x0000000075671000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4628-23-0x0000000074EC0000-0x0000000075671000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4628-24-0x0000000074EC0000-0x0000000075671000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4684-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4684-1-0x0000000000B10000-0x0000000000B22000-memory.dmp

    Filesize

    72KB

    Download