xenorat | 8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

Executes dropped EXE 8 IoCs

pid	Process
1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
4172	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
2140	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
4440	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
3308	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
3068	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
2684	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	EXCEL.EXE
2916	EXCEL.EXE

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1592 set thread context of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	101
PID 1592 set thread context of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	102
PID 1592 set thread context of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	103
PID 2892 set thread context of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	106
PID 2892 set thread context of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	107
PID 2892 set thread context of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2264	2684	WerFault.exe	108

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2056	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2916	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	EXCEL.EXE
2916	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	EXCEL.EXE
Token: SeDebugPrivilege	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
Token: SeDebugPrivilege	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2916	EXCEL.EXE
2916	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1592	2916	EXCEL.EXE	96
PID 2916 wrote to memory of 1592	2916	EXCEL.EXE	96
PID 2916 wrote to memory of 1592	2916	EXCEL.EXE	96
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	101
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	101
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	101
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	101
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	101
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	101
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	101
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	101
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	102
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	102
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	102
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	102
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	102
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	102
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	102
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	102
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	103
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	103
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	103
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	103
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	103
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	103
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	103
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	103
PID 2140 wrote to memory of 2892	2140	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	105
PID 2140 wrote to memory of 2892	2140	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	105
PID 2140 wrote to memory of 2892	2140	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	105
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	106
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	106
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	106
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	106
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	106
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	106
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	106
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	106
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	107
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	107
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	107
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	107
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	107
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	107
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	107
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	107
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	108
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	108
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	108
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	108
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	108
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	108
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	108
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	108
PID 4172 wrote to memory of 2056	4172	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	115
PID 4172 wrote to memory of 2056	4172	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	115
PID 4172 wrote to memory of 2056	4172	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	115

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
  "C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
    C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "qns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6018.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:2056
- - C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
    C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
        5⤵
        Executes dropped EXE
        
        PID:3308
    - - C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
        5⤵
        Executes dropped EXE
        
        PID:3068
    - - C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
        5⤵
        Executes dropped EXE
        
        PID:2684
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 80
        6⤵
        Program crash
        
        PID:2264
- - C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
    C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
    3⤵
    - Executes dropped EXE
    PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2684 -ip 2684
1⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery