Overview

overview

10

Static

static

8

0f25b2dba8...7e.xls

windows7-x64

10

0f25b2dba8...7e.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    39s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    02-07-2024 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f25b2dba81f1a344f613a7aedecd247980324529fa1d7f2a1d2937f1fa0627e.xls

  • Size

    235KB

  • MD5

    ed7a378f46c2128849abc102e8b03df9

  • SHA1

    b2f934a5a8689b758904152c46b914e33557e963

  • SHA256

    0f25b2dba81f1a344f613a7aedecd247980324529fa1d7f2a1d2937f1fa0627e

  • SHA512

    d764bfa2b38d7d2fb1e41693e56aea0052512cb30082994e58bba38e588b7325553a5e4a1bf4809bfa0f80d1632398eb18d83434fde3dd4951ed0f798cff4b6b

  • SSDEEP

    6144:JxEtjPOtioVjDGUU1qfDlavx+W2QnA2X5EW2ZKuF1Yt/8XyXhOdd6K05WM5nwQS5:0XR2ZKeWkXyXhgdL0E2SER9A2c

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    cms

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0f25b2dba81f1a344f613a7aedecd247980324529fa1d7f2a1d2937f1fa0627e.xls
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Roaming\frt.exe
      "C:\Users\Admin\AppData\Roaming\frt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Users\Admin\AppData\Roaming\frt.exe
        C:\Users\Admin\AppData\Roaming\frt.exe
        3⤵
        • Executes dropped EXE
        PID:2404
      • C:\Users\Admin\AppData\Roaming\frt.exe
        C:\Users\Admin\AppData\Roaming\frt.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Users\Admin\AppData\Roaming\XenoManager\frt.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\frt.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\Users\Admin\AppData\Roaming\XenoManager\frt.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\frt.exe
            5⤵
            • Executes dropped EXE
            PID:2140
          • C:\Users\Admin\AppData\Roaming\XenoManager\frt.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\frt.exe
            5⤵
            • Executes dropped EXE
            PID:1720
          • C:\Users\Admin\AppData\Roaming\XenoManager\frt.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\frt.exe
            5⤵
            • Executes dropped EXE
            PID:428
      • C:\Users\Admin\AppData\Roaming\frt.exe
        C:\Users\Admin\AppData\Roaming\frt.exe
        3⤵
        • Executes dropped EXE
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\frt.exe
    Filesize

    233KB

    MD5

    f92f9efc4bac413bd25cbe666369b0a8

    SHA1

    65d8151bef6ee4e4f621664a1f179173c4097fd8

    SHA256

    f149ded66aaca1cd8de3e9455c5d93d38cc2ed18cf4c5d5e761f3bde39ce90d4

    SHA512

    755f615e2a17cd73e160f3b536ef59cf045d1c0f6e6b56f815c185f2b1833ab5fa07c532e8e7256f0e4639d42880a9bb5435e0acf69eb3bf80b8ffcdd2e06994

    Download Submit

  • memory/1656-125-0x0000000000BE0000-0x0000000000C20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2932-102-0x000000006C57E000-0x000000006C57F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-103-0x0000000000E70000-0x0000000000EB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2932-104-0x0000000000590000-0x0000000000596000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2932-105-0x0000000000490000-0x00000000004CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2932-106-0x00000000004D0000-0x00000000004D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2944-38-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-136-0x0000000072AED000-0x0000000072AF8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2944-6-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-5-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-4-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-3-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-7-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-25-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-8-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-9-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-10-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-11-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-36-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-12-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-13-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-14-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-15-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-18-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-17-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-19-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-24-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-29-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-46-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-45-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-44-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-43-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-41-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-42-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-57-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-61-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-39-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-63-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-66-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-2-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-37-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-35-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-33-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-16-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-53-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-31-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-30-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-28-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-27-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-65-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-76-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-75-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-74-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-64-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-62-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-60-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-59-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-58-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-56-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-55-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-32-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-54-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-52-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-51-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-50-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-49-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-48-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-47-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-1-0x0000000072AED000-0x0000000072AF8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2944-26-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-23-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-22-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-21-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-20-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-139-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2944-34-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-137-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2944-138-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3012-117-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download