Overview

overview

10

Static

static

10

setup.exe

windows11-21h2-x64

Analysis

  • max time kernel
    256s
  • max time network
    258s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01/04/2025, 11:46

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    45KB

  • MD5

    b377774f8413ba12b5a219c8cdfaa6cc

  • SHA1

    d8a032bfdc48ce26f6251ea03e5d231fdc705037

  • SHA256

    7957c29721571c011f471853a3a8033f4af0c14c724492e87ccfeefa06aebfa2

  • SHA512

    b3f7f1c762217811883383d5ad659f0e41f74ce0055b64e3b5c2c38cf507dac2572e1f0e9deb1511dd8b1b2376e1b4bf8700c5622ad5824a93c9f50cc579b153

  • SSDEEP

    768:MMdhO/poiiUcjlJInXFH9Xqk5nWEZ5SbTDavWI7CPW53b:5w+jjgnVH9XqcnW85SbTGWIfb

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

78.56.45.239

Mutex

REPO_57638

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    1488

  • startup_name

    REPO

Signatures

  • Detect XenoRat Payload 10 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Users\Admin\AppData\Roaming\XenoManager\setup.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\setup.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "REPO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA836.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:928
      • C:\Users\Admin\AppData\Roaming\XenoManager\setup.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\setup.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3596
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "REPO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp" /F
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2612
      • C:\Windows\SysWOW64\shutdown.exe
        "C:\Windows\System32\shutdown.exe" /r /t 0
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2292
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1504
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    1⤵
      PID:2352
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:1696
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa3a3e855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log
      Filesize

      226B

      MD5

      1294de804ea5400409324a82fdc7ec59

      SHA1

      9a39506bc6cadf99c1f2129265b610c69d1518f7

      SHA256

      494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

      SHA512

      033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\02b47d45-41f1-44fe-8af7-e276ad7f954a.down_data
      Filesize

      555KB

      MD5

      5683c0028832cae4ef93ca39c8ac5029

      SHA1

      248755e4e1db552e0b6f8651b04ca6d1b31a86fb

      SHA256

      855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

      SHA512

      aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpA836.tmp
      Filesize

      1KB

      MD5

      2c5b98de34e8228ece345d2dd14c3943

      SHA1

      fe7cbb38178e1639130e65123028041e9f28608d

      SHA256

      366aab4e56302e176927602e25169babbe9e5680431472db640c35919f9169cd

      SHA512

      e9b5d626c704c548f6f644c065e41d67027a5fc6b5d13cd995d0bac94fcca6aa4b9ae9a2c32d2ef3421b85cfb57c8993239f15b4f13dd894b7beffe748c8c27d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XenoManager\setup.exe
      Filesize

      45KB

      MD5

      b377774f8413ba12b5a219c8cdfaa6cc

      SHA1

      d8a032bfdc48ce26f6251ea03e5d231fdc705037

      SHA256

      7957c29721571c011f471853a3a8033f4af0c14c724492e87ccfeefa06aebfa2

      SHA512

      b3f7f1c762217811883383d5ad659f0e41f74ce0055b64e3b5c2c38cf507dac2572e1f0e9deb1511dd8b1b2376e1b4bf8700c5622ad5824a93c9f50cc579b153

      Download Submit

    • memory/3364-22-0x0000000006250000-0x00000000067F6000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3364-25-0x0000000007640000-0x000000000764C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3364-18-0x0000000073BD0000-0x0000000074381000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3364-19-0x00000000058E0000-0x0000000005946000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3364-20-0x0000000073BD0000-0x0000000074381000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3364-21-0x0000000005C90000-0x0000000005C9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3364-41-0x0000000073BD0000-0x0000000074381000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3364-23-0x0000000005DB0000-0x0000000005E42000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3364-24-0x0000000005D90000-0x0000000005D9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3364-15-0x0000000073BD0000-0x0000000074381000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3364-40-0x00000000026A0000-0x00000000026A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3364-39-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3364-31-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3364-32-0x0000000004CD0000-0x0000000004CDA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3596-30-0x0000000005790000-0x00000000057A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3596-29-0x0000000005690000-0x0000000005712000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4216-1-0x0000000000A40000-0x0000000000A52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4216-0-0x0000000073BDE000-0x0000000073BDF000-memory.dmp

      Filesize

      4KB

      Download