Overview

overview

10

Static

static

3

7c43077f84...7f.xll

windows7-x64

7

7c43077f84...7f.xll

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f.xll

  • Size

    820KB

  • MD5

    0645646e6a417573d0047b6084e4632a

  • SHA1

    d43adf73470cb151a61482d2e5d87f3fa1420717

  • SHA256

    7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f

  • SHA512

    36daebde0a113fae75301f4b3bc09860b6c17788e3f132cd25cf66b1d6b726bf6df4ba80add24009bc1d5fb566359d3e4be6d54456fbbe733059e106f5878f87

  • SSDEEP

    12288:BG1N4HkcgMsiOd58bzbBSrePQ0uqZzD1reWabd/T7ppePgEKB9S4566Gwa:BoOOMX1/+QHT+d77ppqWB9S4Q6y

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8889g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1279

  • startup_name

    qns

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f.xll"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
      "C:\Users\Admin\AppData\Local\Temp\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Users\Admin\AppData\Local\Temp\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
        C:\Users\Admin\AppData\Local\Temp\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4568
        • C:\Users\Admin\AppData\Roaming\XenoManager\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1632
          • C:\Users\Admin\AppData\Roaming\XenoManager\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
            5⤵
            • Executes dropped EXE
            PID:3060
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 80
              6⤵
              • Program crash
              PID:3548
          • C:\Users\Admin\AppData\Roaming\XenoManager\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
            5⤵
            • Executes dropped EXE
            PID:3132
          • C:\Users\Admin\AppData\Roaming\XenoManager\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
            5⤵
            • Executes dropped EXE
            PID:2840
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 80
              6⤵
              • Program crash
              PID:2460
      • C:\Users\Admin\AppData\Local\Temp\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
        C:\Users\Admin\AppData\Local\Temp\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3288
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "qns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3812.tmp" /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3532
      • C:\Users\Admin\AppData\Local\Temp\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
        C:\Users\Admin\AppData\Local\Temp\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
        3⤵
        • Executes dropped EXE
        PID:2600
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3060 -ip 3060
    1⤵
      PID:2844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2840 -ip 2840
      1⤵
        PID:1612

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      4
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe.log
        Filesize

        522B

        MD5

        8334a471a4b492ece225b471b8ad2fc8

        SHA1

        1cb24640f32d23e8f7800bd0511b7b9c3011d992

        SHA256

        5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

        SHA512

        56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f.xll
        Filesize

        820KB

        MD5

        0645646e6a417573d0047b6084e4632a

        SHA1

        d43adf73470cb151a61482d2e5d87f3fa1420717

        SHA256

        7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f

        SHA512

        36daebde0a113fae75301f4b3bc09860b6c17788e3f132cd25cf66b1d6b726bf6df4ba80add24009bc1d5fb566359d3e4be6d54456fbbe733059e106f5878f87

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\f0efa263-19e0-4cb2-ae3e-508e0a63243c.exe
        Filesize

        234KB

        MD5

        a19378142ff17ef4a4cef4add24b10aa

        SHA1

        6231b66cdbea1a29043dfee2bfc4772b241bae98

        SHA256

        789cec98f94a74b862783c6f3a41794f375b775b81f291798fde8b3653e96bb9

        SHA512

        0eefc81ff23ac4e02d85fce6c0d10d819f6856d6ac19b0df28e786242f6cc158bbee057fc2097e5b44caafd58d6e7b8ccd4063f40fedd8eb5e4be3d3d16de1c1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp3812.tmp
        Filesize

        1KB

        MD5

        0c753b27b913b3ead1a53b8c5fbb0af3

        SHA1

        6565542e303a8aa6f44f6b2a7caea3af3998c423

        SHA256

        a9eb0433b114bbc862ea02c401fff29513f1db0d7bbc271ef16a6a7dd4d5ef37

        SHA512

        c4251d8c759d8e4c95adca37d010019f74dcc90d33927c1dcb81be270144c7af2fa027ee53c64edcb5aa1f788b105be1d61bd6af4e6b63ed70cd99bbdb47512e

        Download Submit
      • memory/2696-30-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-29-0x0000025DD20E0000-0x0000025DD20F4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2696-5-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-6-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-7-0x00007FFDB6350000-0x00007FFDB6360000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2696-10-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-9-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-8-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-12-0x00007FFDB3DA0000-0x00007FFDB3DB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2696-11-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-3-0x00007FFDF636D000-0x00007FFDF636E000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2696-14-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-15-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-13-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-16-0x00007FFDB3DA0000-0x00007FFDB3DB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2696-17-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-19-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-21-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-20-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-18-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-0-0x00007FFDB6350000-0x00007FFDB6360000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2696-25-0x0000025DD2C50000-0x0000025DD2D36000-memory.dmp
        Filesize

        920KB

        Download
      • memory/2696-33-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-118-0x00007FFDB6350000-0x00007FFDB6360000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2696-1-0x00007FFDB6350000-0x00007FFDB6360000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2696-34-0x0000025DD2F20000-0x0000025DD30A4000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2696-28-0x0000025DD20E0000-0x0000025DD20F4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2696-4-0x00007FFDB6350000-0x00007FFDB6360000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2696-36-0x0000025DD2240000-0x0000025DD227C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2696-32-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-31-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-37-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-38-0x0000025DD2DA0000-0x0000025DD2DE4000-memory.dmp
        Filesize

        272KB

        Download
      • memory/2696-39-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-93-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-94-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-122-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-35-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-120-0x00007FFDB6350000-0x00007FFDB6360000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2696-121-0x00007FFDB6350000-0x00007FFDB6360000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2696-119-0x00007FFDB6350000-0x00007FFDB6360000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2696-97-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-98-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-99-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-100-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2696-2-0x00007FFDB6350000-0x00007FFDB6360000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3288-106-0x0000000005880000-0x00000000058E6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4088-64-0x00000000053E0000-0x000000000547C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4088-63-0x00000000051B0000-0x00000000051EE000-memory.dmp
        Filesize

        248KB

        Download
      • memory/4088-59-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4088-58-0x00000000010C0000-0x00000000010C6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/4088-53-0x00007FFDF62D0000-0x00007FFDF64C5000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4088-57-0x0000000000850000-0x0000000000890000-memory.dmp
        Filesize

        256KB

        Download
      • memory/4088-65-0x0000000002A20000-0x0000000002A26000-memory.dmp
        Filesize

        24KB

        Download
      • memory/4568-66-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download