xenorat | 7d5ff178c46801beba098d2705798c99392e15dbc9ccdef3e11ed737d9dfb93d

Analysis

max time kernel
44s
max time network
48s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fn.exe
Size

45KB
MD5

224ccb2529301b657df7c6bcc7ac6613
SHA1

1743e1b819c6a20ec5b8db1024a4f460160419e7
SHA256

7d5ff178c46801beba098d2705798c99392e15dbc9ccdef3e11ed737d9dfb93d
SHA512

c09509172cb3a662ba8cf5b1df1a4c45dc014c59388f219ed819e08890bd522e4c367e46e91740c1cf636f419e30b66f7022a23216a108e3132905a4ca319307
SSDEEP

768:FdhO/poiiUcjlJInbzH9Xqk5nWEZ5SbTDagWI7CPW5N:bw+jjgn3H9XqcnW85SbTpWIl

Score

10^/10

xenorat discovery persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
10
install_path
temp
port
4444
startup_name
fortnite

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3952-1-0x0000000000740000-0x0000000000752000-memory.dmp	family_xenorat
behavioral1/files/0x001a00000002b172-6.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
5676	fn.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ = "IFileSyncClient"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\HELPDIR	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\ = "FileSyncShell 1.0 Type Library"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\odopen\shell\open	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ = "IFileInformationProvider"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ = "ISyncInformationLookupCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer.1\CLSID\ = "{AB807329-7324-431B-8B36-DBD581F56E0B}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ = "IFileSyncClient8"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\ = "FileCoAuthLibrary 1.0 Type Library"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ = "IContentProvider"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ = "OOBERequestHandler Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDrive.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1716	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4672	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4672	OneDrive.exe
4672	OneDrive.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4672	OneDrive.exe
4672	OneDrive.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4672	OneDrive.exe
4672	OneDrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4672	OneDrive.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 5676	3952	fn.exe	78
PID 3952 wrote to memory of 5676	3952	fn.exe	78
PID 3952 wrote to memory of 5676	3952	fn.exe	78
PID 5676 wrote to memory of 1716	5676	fn.exe	79
PID 5676 wrote to memory of 1716	5676	fn.exe	79
PID 5676 wrote to memory of 1716	5676	fn.exe	79

C:\Users\Admin\AppData\Local\Temp\fn.exe
"C:\Users\Admin\AppData\Local\Temp\fn.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\XenoManager\fn.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\fn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5676
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "fortnite" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC796.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2340

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4672

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fn.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\47CNJ3GN\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\72VQWE2Y\PreSignInSettingsConfig[1].json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoManager\fn.exe

Filesize
45KB

MD5
224ccb2529301b657df7c6bcc7ac6613

SHA1
1743e1b819c6a20ec5b8db1024a4f460160419e7

SHA256
7d5ff178c46801beba098d2705798c99392e15dbc9ccdef3e11ed737d9dfb93d

SHA512
c09509172cb3a662ba8cf5b1df1a4c45dc014c59388f219ed819e08890bd522e4c367e46e91740c1cf636f419e30b66f7022a23216a108e3132905a4ca319307

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC796.tmp

Filesize
1KB

MD5
43f3fce8a4898ffc362d0ad83c108978

SHA1
e76099d46f3fc12376dd3ca421ef89de4c94b6ec

SHA256
b5ae21bab93936c4e32e82028139b93b0dceb39a5bd66b7b2e538ed45b8c7870

SHA512
9e08ea4a0d6e3ea20b10521fda6f262d0e4837114bfa09a07c0ca449f762bfaf30e991a292a38805b0b700f59ada964f5d64b4f1e596a49d322d45c50a0db585

Download Submit
memory/3952-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/3952-1-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/5676-15-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download
memory/5676-16-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download
memory/5676-19-0x0000000074660000-0x0000000074E11000-memory.dmp

Filesize
7.7MB

Download