xenorat | 2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

Executes dropped EXE 6 IoCs

pid	Process
624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
4828	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
3520	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
2132	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
1008	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

Loads dropped DLL 2 IoCs

pid	Process
1596	EXCEL.EXE
1596	EXCEL.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 624 set thread context of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	97
PID 624 set thread context of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	98
PID 1096 set thread context of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	103
PID 1096 set thread context of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4948	2132	WerFault.exe	103

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3532	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1596	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1596	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	EXCEL.EXE
Token: SeDebugPrivilege	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
Token: SeDebugPrivilege	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1596	EXCEL.EXE
1596	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 624	1596	EXCEL.EXE	94
PID 1596 wrote to memory of 624	1596	EXCEL.EXE	94
PID 1596 wrote to memory of 624	1596	EXCEL.EXE	94
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	97
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	97
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	97
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	97
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	97
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	97
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	97
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	97
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	98
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	98
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	98
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	98
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	98
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	98
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	98
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	98
PID 4828 wrote to memory of 1096	4828	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	102
PID 4828 wrote to memory of 1096	4828	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	102
PID 4828 wrote to memory of 1096	4828	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	102
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	103
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	103
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	103
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	103
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	103
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	103
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	103
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	103
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	104
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	104
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	104
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	104
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	104
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	104
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	104
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	104
PID 3520 wrote to memory of 3532	3520	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	109
PID 3520 wrote to memory of 3532	3520	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	109
PID 3520 wrote to memory of 3532	3520	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	109

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
  "C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
    C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
        5⤵
        Executes dropped EXE
        
        PID:2132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 80
        6⤵
        Program crash
        
        PID:4948
    - - C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
        5⤵
        Executes dropped EXE
        
        PID:1008
- - C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
    C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7143.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2132 -ip 2132
1⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3352 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery