Windows Analysis Report
N7qmK9sbZa.exe

Overview

General Information

Sample name: N7qmK9sbZa.exe
renamed because original name is a hash value
Original sample name: 8D16C9B3848F78FC49CB51DFE233BF5A.exe
Analysis ID: 1538181
MD5: 8d16c9b3848f78fc49cb51dfe233bf5a
SHA1: 9256f7b300ceea8a10385a43e94dea1636aebda6
SHA256: a613c952168c9a5fb4bd937d036857f1759a0dde6019f147d41df1ccf3aeedf7
Tags: exeXenoRATuser-abuse_ch
Infos:

Detection

XenoRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected XenoRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Potentially Suspicious Malware Callback Communication
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Found malware configuration
Source: N7qmK9sbZa.exe Malware Configuration Extractor: XenoRAT {"C2 url": "34.229.235.165", "Mutex Name": "ANT LAB ", "Install Folder": "temp"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe ReversingLabs: Detection: 76%
Multi AV Scanner detection for submitted file
Source: N7qmK9sbZa.exe ReversingLabs: Detection: 76%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: N7qmK9sbZa.exe Joe Sandbox ML: detected
Source: N7qmK9sbZa.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2050111 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive : 192.168.2.5:49705 -> 34.229.235.165:4444
Source: Network traffic Suricata IDS: 2050110 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In : 34.229.235.165:4444 -> 192.168.2.5:49704
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 34.229.235.165
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 34.229.235.165:4444
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: unknown TCP traffic detected without corresponding DNS query: 34.229.235.165
Source: N7qmK9sbZa.exe, 00000001.00000002.3259681500.0000000002385000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Detected potential crypto function
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Code function: 0_2_018D0B12 0_2_018D0B12
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Code function: 1_2_009D0B12 1_2_009D0B12
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Code function: 1_2_009D2CC8 1_2_009D2CC8
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Code function: 1_2_009D95F8 1_2_009D95F8
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Code function: 1_2_009D9EC8 1_2_009D9EC8
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Code function: 1_2_009D92B0 1_2_009D92B0
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Code function: 5_2_00C80B19 5_2_00C80B19
Sample file is different than original file name gathered from version info
Source: N7qmK9sbZa.exe, 00000000.00000000.2011731534.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesystem322 vs N7qmK9sbZa.exe
Source: N7qmK9sbZa.exe, 00000000.00000002.2015113636.00000000014DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs N7qmK9sbZa.exe
Source: N7qmK9sbZa.exe, 00000001.00000002.3258938879.000000000062E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs N7qmK9sbZa.exe
Source: N7qmK9sbZa.exe Binary or memory string: OriginalFilenamesystem322 vs N7qmK9sbZa.exe
Source: N7qmK9sbZa.exe.0.dr Binary or memory string: OriginalFilenamesystem322 vs N7qmK9sbZa.exe
Source: N7qmK9sbZa.exe, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
Source: N7qmK9sbZa.exe.0.dr, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@0/1
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\N7qmK9sbZa.exe.log Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Mutant created: \Sessions\1\BaseNamedObjects\ANT LAB -admin
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe File created: C:\Users\user\AppData\Local\Temp\SystemManager Jump to behavior
Source: N7qmK9sbZa.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: N7qmK9sbZa.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: N7qmK9sbZa.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe File read: C:\Users\user\Desktop\N7qmK9sbZa.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\N7qmK9sbZa.exe "C:\Users\user\Desktop\N7qmK9sbZa.exe"
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process created: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe "C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe"
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "SystemUpdateManager" /XML "C:\Users\user\AppData\Local\Temp\tmpDF0A.tmp" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process created: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe "C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "SystemUpdateManager" /XML "C:\Users\user\AppData\Local\Temp\tmpDF0A.tmp" /F Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: N7qmK9sbZa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: N7qmK9sbZa.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: N7qmK9sbZa.exe, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: N7qmK9sbZa.exe, DllHandler.cs .Net Code: DllNodeHandler
Source: N7qmK9sbZa.exe.0.dr, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: N7qmK9sbZa.exe.0.dr, DllHandler.cs .Net Code: DllNodeHandler
Binary contains a suspicious time stamp
Source: N7qmK9sbZa.exe Static PE information: 0xF32D0312 [Tue Apr 14 01:29:54 2099 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Code function: 5_2_00C804F8 push ebx; ret 5_2_00C80502
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Code function: 5_2_00C805EF push edi; ret 5_2_00C8061A
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Code function: 5_2_00C80904 push ebx; ret 5_2_00C80906
Drops PE files
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe File created: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "SystemUpdateManager" /XML "C:\Users\user\AppData\Local\Temp\tmpDF0A.tmp" /F
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Memory allocated: 1890000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Memory allocated: 32D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Memory allocated: 30B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Memory allocated: 9D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Memory allocated: 2370000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Memory allocated: 21A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Memory allocated: C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Memory allocated: 2610000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Memory allocated: 4610000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Window / User API: threadDelayed 4547 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Window / User API: threadDelayed 5336 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe TID: 3712 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe TID: 4424 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe TID: 4444 Thread sleep count: 4547 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe TID: 348 Thread sleep count: 5336 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe TID: 5768 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: N7qmK9sbZa.exe, 00000001.00000002.3258938879.00000000006A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Process created: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe "C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "SystemUpdateManager" /XML "C:\Users\user\AppData\Local\Temp\tmpDF0A.tmp" /F Jump to behavior
Source: N7qmK9sbZa.exe, 00000001.00000002.3259681500.0000000002385000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorer - Program Manager`
Source: N7qmK9sbZa.exe, 00000001.00000002.3259681500.000000000257E000.00000004.00000800.00020000.00000000.sdmp, N7qmK9sbZa.exe, 00000001.00000002.3259681500.0000000002385000.00000004.00000800.00020000.00000000.sdmp, N7qmK9sbZa.exe, 00000001.00000002.3259681500.000000000244A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: N7qmK9sbZa.exe, 00000001.00000002.3259681500.000000000257E000.00000004.00000800.00020000.00000000.sdmp, N7qmK9sbZa.exe, 00000001.00000002.3259681500.0000000002385000.00000004.00000800.00020000.00000000.sdmp, N7qmK9sbZa.exe, 00000001.00000002.3259681500.000000000244A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorer - Prog@\sq explorer - Program Manager
Source: N7qmK9sbZa.exe, 00000001.00000002.3259681500.000000000257E000.00000004.00000800.00020000.00000000.sdmp, N7qmK9sbZa.exe, 00000001.00000002.3259681500.0000000002385000.00000004.00000800.00020000.00000000.sdmp, N7qmK9sbZa.exe, 00000001.00000002.3259681500.000000000244A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorer - Program Manager
Source: N7qmK9sbZa.exe, 00000001.00000002.3259681500.000000000257E000.00000004.00000800.00020000.00000000.sdmp, N7qmK9sbZa.exe, 00000001.00000002.3259681500.0000000002385000.00000004.00000800.00020000.00000000.sdmp, N7qmK9sbZa.exe, 00000001.00000002.3259681500.000000000244A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerlBsq
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\N7qmK9sbZa.exe Queries volume information: C:\Users\user\Desktop\N7qmK9sbZa.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Queries volume information: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Queries volume information: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: N7qmK9sbZa.exe, 00000001.00000002.3258938879.00000000006A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected XenoRAT
Source: Yara match File source: N7qmK9sbZa.exe, type: SAMPLE
Source: Yara match File source: 0.0.N7qmK9sbZa.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2011696960.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: N7qmK9sbZa.exe PID: 5756, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected XenoRAT
Source: Yara match File source: N7qmK9sbZa.exe, type: SAMPLE
Source: Yara match File source: 0.0.N7qmK9sbZa.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2011696960.0000000000F12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: N7qmK9sbZa.exe PID: 5756, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1538181 Sample: N7qmK9sbZa.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 100 32 Suricata IDS alerts for network traffic 2->32 34 Found malware configuration 2->34 36 Sigma detected: Scheduled temp file as task from temp location 2->36 38 7 other signatures 2->38 8 N7qmK9sbZa.exe 5 2->8         started        11 N7qmK9sbZa.exe 2 2->11         started        process3 file4 22 C:\Users\user\AppData\...227qmK9sbZa.exe, PE32 8->22 dropped 24 C:\Users\...247qmK9sbZa.exe:Zone.Identifier, ASCII 8->24 dropped 26 C:\Users\user\AppData\...267qmK9sbZa.exe.log, CSV 8->26 dropped 13 N7qmK9sbZa.exe 5 8->13         started        process5 dnsIp6 30 34.229.235.165, 4444, 49704, 49705 AMAZON-AESUS United States 13->30 28 C:\Users\user\AppData\Local\...\tmpDF0A.tmp, ASCII 13->28 dropped 40 Multi AV Scanner detection for dropped file 13->40 42 Machine Learning detection for dropped file 13->42 44 Uses schtasks.exe or at.exe to add and modify task schedules 13->44 18 schtasks.exe 1 13->18         started        file7 signatures8 process9 process10 20 conhost.exe 18->20         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.229.235.165
 unknown United States
14618 AMAZON-AESUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
34.229.235.165 true
    		unknown