Malware analysis Xeno Executor Setup 1.0.0.exe Malicious activity

Add for printing

File name:	Xeno Executor Setup 1.0.0.exe
Full analysis:	https://app.any.run/tasks/9ab4ef37-3dd1-420b-888d-4dbd46d2617d
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 13, 2024, 08:57:32
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-doc websocket stealer discordgrabber generic growtopia
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	3E16CBD302CB621239608AC3CAF444CF
SHA1:	9FB50388DF593182080DDDC0E710ACA82E9A9D8D
SHA256:	B95BFDD546145DC16DF5684B0F808AA993E3F0FA6AC0B9364BD95D589E34A1B7
SSDEEP:	786432:K/+9MUdHjvdTwVuMO8z5LZau9vk6133ewrddq:KG9MUFCVuOnZZp1neodq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - Xeno Executor.exe (PID: 4816)
- DISCORDGRABBER has been detected (YARA)
  - Xeno Executor.exe (PID: 4816)
- GROWTOPIA has been detected (YARA)
  - Xeno Executor.exe (PID: 4816)
- Starts Visual C# compiler
  - cmd.exe (PID: 7284)
- Connects to the CnC server
  - hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
- Get information on the list of running processes
  - cmd.exe (PID: 4808)
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
  - cmd.exe (PID: 3676)
  - cmd.exe (PID: 3740)
  - cmd.exe (PID: 6344)
  - cmd.exe (PID: 6348)
  - cmd.exe (PID: 6432)
  - cmd.exe (PID: 7296)
  - cmd.exe (PID: 4556)
  - Xeno Executor.exe (PID: 4816)
- Drops 7-zip archiver for unpacking
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
- The process creates files with name similar to system file names
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
- Starts CMD.EXE for commands execution
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
  - Xeno Executor.exe (PID: 4816)
  - hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
- Process drops legitimate windows executable
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
- Executable content was dropped or overwritten
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
  - Xeno Executor.exe (PID: 4816)
  - hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
  - csc.exe (PID: 7308)
- Reads security settings of Internet Explorer
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
- Creates a software uninstall entry
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 7092)
- Accesses product unique identifier via WMI (SCRIPT)
  - WMIC.exe (PID: 4312)
- Application launched itself
  - Xeno Executor.exe (PID: 4816)
  - msedge.exe (PID: 7360)
  - chrome.exe (PID: 2360)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 6276)
  - cmd.exe (PID: 6416)
  - cmd.exe (PID: 7440)
- The process executes VB scripts
  - cmd.exe (PID: 8180)
- Runs shell command (SCRIPT)
  - cscript.exe (PID: 7936)
- Connects to unusual port
  - hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
- Contacting a server suspected of hosting an CnC
  - hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
- The executable file from the user directory is run by the CMD process
  - screenCapture_1.3.2.exe (PID: 7804)
- Executing commands from a ".bat" file
  - hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
INFO
- Checks supported languages
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
  - Xeno Executor.exe (PID: 4816)
  - Xeno Executor.exe (PID: 6584)
  - Xeno Executor.exe (PID: 2864)
- Creates files or folders in the user directory
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
  - Xeno Executor.exe (PID: 4816)
- Reads the computer name
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
  - Xeno Executor.exe (PID: 4816)
  - Xeno Executor.exe (PID: 2864)
  - Xeno Executor.exe (PID: 6584)
- Manual execution by a user
  - Xeno Executor.exe (PID: 4816)
  - notepad.exe (PID: 3524)
  - notepad.exe (PID: 7312)
  - OpenWith.exe (PID: 2132)
  - notepad.exe (PID: 2416)
  - notepad.exe (PID: 8084)
  - OpenWith.exe (PID: 7424)
  - OpenWith.exe (PID: 2776)
  - OpenWith.exe (PID: 6200)
  - OpenWith.exe (PID: 8124)
  - OpenWith.exe (PID: 6508)
  - OpenWith.exe (PID: 1180)
  - OpenWith.exe (PID: 7472)
  - OpenWith.exe (PID: 7524)
- Create files in a temporary directory
  - Xeno Executor Setup 1.0.0.exe (PID: 5564)
  - Xeno Executor.exe (PID: 4816)
- Reads Environment values
  - Xeno Executor.exe (PID: 4816)
- Reads product name
  - Xeno Executor.exe (PID: 4816)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 4312)
- Checks proxy server information
  - Xeno Executor.exe (PID: 4816)
- Process checks computer location settings
  - Xeno Executor.exe (PID: 4816)
- Reads the machine GUID from the registry
  - Xeno Executor.exe (PID: 4816)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:12:15 22:26:14+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26624
InitializedDataSize:	473088
UninitializedDataSize:	16384
EntryPoint:	0x338f
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Unreal Game Inc.
FileDescription:	GraviyParadox
FileVersion:	1.0.0
LegalCopyright:	Copyright © 2024 Unreal Game Inc.
ProductName:	Xeno Executor
ProductVersion:	1.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

220

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

528

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2304 --field-trial-handle=1956,i,4850502976277315183,1241193923187852363,262144 --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

864

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

864

"C:\Users\admin\AppData\Local\Temp\hexon_b4e22dc2f5a7dbf8.exe" HXN-MONTHLY-BA59F1FEAAAA discord

C:\Users\admin\AppData\Local\Temp\hexon_b4e22dc2f5a7dbf8.exe

cscript.exe

User:

admin

Company:

Node.js

Integrity Level:

MEDIUM

Description:

Node.js JavaScript Runtime

Version:

18.5.0

Modules

Images
c:\users\admin\appdata\local\temp\hexon_b4e22dc2f5a7dbf8.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ucrtbase.dll

944

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=1840 --field-trial-handle=1956,i,4850502976277315183,1241193923187852363,262144 --variations-seed-version /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

948

tasklist

C:\Windows\System32\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

948

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1048

taskkill /IM javaw.exe /F

C:\Windows\System32\taskkill.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Terminates Processes

Exit code:

128

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1180

"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\install-sh

C:\Windows\System32\OpenWith.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Pick an app

Exit code:

2147943623

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1204

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1500

tasklist

C:\Windows\System32\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

15 386

Read events

15 360

Write events

Delete events

Modification events


(PID) Process:	(5564) Xeno Executor Setup 1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\c9a54b87-cac9-56e1-8f4e-d6dc8640d022
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Local\Programs\unrealgame
(PID) Process:	(5564) Xeno Executor Setup 1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\c9a54b87-cac9-56e1-8f4e-d6dc8640d022
Operation:	write	Name:	KeepShortcuts
Value: true
(PID) Process:	(5564) Xeno Executor Setup 1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\c9a54b87-cac9-56e1-8f4e-d6dc8640d022
Operation:	write	Name:	ShortcutName
Value: Xeno Executor
(PID) Process:	(5564) Xeno Executor Setup 1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022
Operation:	write	Name:	DisplayName
Value: Xeno Executor 1.0.0
(PID) Process:	(5564) Xeno Executor Setup 1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022
Operation:	write	Name:	UninstallString
Value: "C:\Users\admin\AppData\Local\Programs\unrealgame\Uninstall Xeno Executor.exe" /currentuser
(PID) Process:	(5564) Xeno Executor Setup 1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022
Operation:	write	Name:	QuietUninstallString
Value: "C:\Users\admin\AppData\Local\Programs\unrealgame\Uninstall Xeno Executor.exe" /currentuser /S
(PID) Process:	(5564) Xeno Executor Setup 1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022
Operation:	write	Name:	DisplayVersion
Value: 1.0.0
(PID) Process:	(5564) Xeno Executor Setup 1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022
Operation:	write	Name:	DisplayIcon
Value: C:\Users\admin\AppData\Local\Programs\unrealgame\Xeno Executor.exe,0
(PID) Process:	(5564) Xeno Executor Setup 1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022
Operation:	write	Name:	Publisher
Value: Unreal Game Inc.
(PID) Process:	(5564) Xeno Executor Setup 1.0.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022
Operation:	write	Name:	NoModify
Value: 1

Add for printing

Executable files

Suspicious files

240

Text files

108

Unknown types

Dropped files

PID	Process	Filename		Type
5564	Xeno Executor Setup 1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\app-64.7z		—
		MD5:—	SHA256:—
5564	Xeno Executor Setup 1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\icudtl.dat		—
		MD5:—	SHA256:—
5564	Xeno Executor Setup 1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\LICENSES.chromium.html		—
		MD5:—	SHA256:—
5564	Xeno Executor Setup 1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\StdUtils.dll		executable
		MD5:C6A6E03F77C313B267498515488C5740	SHA256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E
5564	Xeno Executor Setup 1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\locales\af.pak		pgc
		MD5:7E51349EDC7E6AED122BFA00970FAB80	SHA256:F528E698B164283872F76DF2233A47D7D41E1ABA980CE39F6B078E577FD14C97
5564	Xeno Executor Setup 1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\locales\cs.pak		pgc
		MD5:A934431D469D19A274243F88BB5AC6FB	SHA256:51C36A5ACDAD5930D8D4F1285315E66B2578F27534D37CD40F0625EE99852C51
5564	Xeno Executor Setup 1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\locales\ca.pak		pgc
		MD5:01ACD6F7A4EA85D8E63099CE1262FBAD	SHA256:B48D1BAD676F2E718CBE548302127E0B3567913A2835522D6DD90279A6D2A56A
5564	Xeno Executor Setup 1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\locales\de.pak		pgc
		MD5:ED329B35D10E81F55D611FE8748876F8	SHA256:6FACD562ADD58C4684EF4A40DE9B63581FEA71C5B83049ED8A2C2A2C929C45CE
5564	Xeno Executor Setup 1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\locales\da.pak		pgc
		MD5:BB5252DC6F0F3C01CE3638138BF946C8	SHA256:C93F39D0AB9A2FAB26977AA729261633225879BA6DC5EA8D0CA89814B2DF9FA9
5564	Xeno Executor Setup 1.0.0.exe	C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\locales\en-US.pak		mmw
		MD5:5E3813E616A101E4A169B05F40879A62	SHA256:4D207C5C202C19C4DACA3FDDB2AE4F747F943A8FAF86A947EEF580E2F2AEE687

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4004	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	US	binary	312 b	whitelisted
6944	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	1.01 Kb	whitelisted
6944	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	973 b	whitelisted
6420	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	NL	binary	418 b	whitelisted
864	hexon_b4e22dc2f5a7dbf8.exe	GET	101	20.151.152.98:1337	http://20.151.152.98:1337/socket.io/?EIO=4&transport=websocket&sid=aB1vtKoAt9vjrv2CAAcA	CA	—	—	unknown
6420	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	NL	binary	408 b	whitelisted
5616	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	US	binary	471 b	whitelisted
864	hexon_b4e22dc2f5a7dbf8.exe	GET	200	20.151.152.98:1337	http://20.151.152.98:1337/socket.io/?EIO=4&transport=polling&t=ngc7i55p	CA	text	118 b	unknown
864	hexon_b4e22dc2f5a7dbf8.exe	GET	200	20.151.152.98:1337	http://20.151.152.98:1337/socket.io/?EIO=4&transport=polling&t=ngce0u3c&sid=aB1vtKoAt9vjrv2CAAcA	CA	text	32 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.23.209.178:443	www.bing.com	Akamai International B.V.	GB	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4004	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4004	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	2.23.209.130:443	th.bing.com	Akamai International B.V.	GB	whitelisted
—	—	184.28.89.167:443	go.microsoft.com	AKAMAI-AS	US	whitelisted
6944	svchost.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
www.bing.com	2.23.209.178 2.23.209.167 2.23.209.154 2.23.209.160 2.23.209.166 2.23.209.179 2.23.209.156 2.23.209.158 2.23.209.176 2.23.209.186 2.23.209.183 2.23.209.181 2.23.209.182 2.23.209.187 2.23.209.177 2.23.209.185	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
google.com	216.58.212.174	whitelisted
login.live.com	40.126.32.134 20.190.160.20 40.126.32.68 40.126.32.140 40.126.32.138 20.190.160.14 40.126.32.136 20.190.160.17	whitelisted
th.bing.com	2.23.209.130 2.23.209.185 2.23.209.193 2.23.209.183 2.23.209.192 2.23.209.186 2.23.209.182 2.23.209.133 2.23.209.188 2.23.209.178 2.23.209.177 2.23.209.166 2.23.209.167 2.23.209.181 2.23.209.179	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 51.104.136.2	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted

Threats

PID	Process	Class	Message
864	hexon_b4e22dc2f5a7dbf8.exe	Unknown Traffic	ET USER_AGENTS Node XMLHTTP User-Agent
864	hexon_b4e22dc2f5a7dbf8.exe	Unknown Traffic	ET USER_AGENTS Node XMLHTTP User-Agent
864	hexon_b4e22dc2f5a7dbf8.exe	Unknown Traffic	ET USER_AGENTS Node XMLHTTP User-Agent
864	hexon_b4e22dc2f5a7dbf8.exe	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
864	hexon_b4e22dc2f5a7dbf8.exe	Not Suspicious Traffic	INFO [ANY.RUN] Socket.IO requests event-based bidirectional communication via HTTP
864	hexon_b4e22dc2f5a7dbf8.exe	Not Suspicious Traffic	INFO [ANY.RUN] Socket.IO requests event-based bidirectional communication via HTTP
864	hexon_b4e22dc2f5a7dbf8.exe	Unknown Traffic	ET USER_AGENTS Node XMLHTTP User-Agent
864	hexon_b4e22dc2f5a7dbf8.exe	Not Suspicious Traffic	INFO [ANY.RUN] Socket.IO requests event-based bidirectional communication via HTTP

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Xeno Executor Setup 1.0.0.exe

3E16CBD302CB621239608AC3CAF444CF

9FB50388DF593182080DDDC0E710ACA82E9A9D8D

B95BFDD546145DC16DF5684B0F808AA993E3F0FA6AC0B9364BD95D589E34A1B7

786432:K/+9MUdHjvdTwVuMO8z5LZau9vk6133ewrddq:KG9MUFCVuOnZZp1neodq

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

DISCORDGRABBER has been detected (YARA)

GROWTOPIA has been detected (YARA)

Starts Visual C# compiler

Connects to the CnC server

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Get information on the list of running processes

Drops 7-zip archiver for unpacking

The process creates files with name similar to system file names

Starts CMD.EXE for commands execution

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Creates a software uninstall entry

Uses WMIC.EXE to obtain Windows Installer data

Accesses product unique identifier via WMI (SCRIPT)

Application launched itself

Uses TASKKILL.EXE to kill process

The process executes VB scripts

Runs shell command (SCRIPT)

Connects to unusual port

Contacting a server suspected of hosting an CnC

The executable file from the user directory is run by the CMD process

Executing commands from a ".bat" file

INFO

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Manual execution by a user

Create files in a temporary directory

Reads Environment values

Reads product name

Reads security settings of Internet Explorer

Checks proxy server information

Process checks computer location settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity