Analysis

  • max time kernel
    17s
  • max time network
    19s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    09-10-2024 07:28

General

  • Target

    ESTADO DE CUENTA.xll

  • Size

    819KB

  • MD5

    5475ac0337614b9651483ca83628c38f

  • SHA1

    d03d0806bb24207780b441a090e3ff9e9d263929

  • SHA256

    8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7

  • SHA512

    d4d7d417fbadb98ac94e728c994b4ae7abc505632a1eb79d8f8193c71daa7bbbf2aa709713ec94ffa9b645dcf02b06907cd3fe1538840dfc22411c229bbcdb8c

  • SSDEEP

    12288:xG1N4HkcgMsiOd58bzbBSre6Q0uqZzD1reWabd/dbNZEEx/DLn0vkYHipwyA:xoOOMX1K+QHT+d9NZdxYHip

Malware Config

Extracted

Language
xlm4.0
Source
1
=CALL("C:\Users\Admin\AppData\Local\Temp\ESTADO DE CUENTA.xll", "xlAutoOpen", "")

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8889g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1279

  • startup_name

    qns

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ESTADO DE CUENTA.xll"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe
      "C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3892
      • C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe
        C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3964
          • C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe
            5⤵
            • Executes dropped EXE
            PID:4408
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 24
              6⤵
              • Program crash
              PID:3488
          • C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3476
          • C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe
            C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4776
      • C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe
        C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe
        3⤵
        • Executes dropped EXE
        PID:5108
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 88
          4⤵
          • Program crash
          PID:1444
      • C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe
        C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4520

Network

  • flag-us
    DNS
    240.76.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.76.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    roaming.officeapps.live.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    uks-azsc-000.roaming.officeapps.live.com
    uks-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    IN A
    52.109.28.47
  • flag-gb
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    EXCEL.EXE
    Remote address:
    52.109.28.47:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_294
    X-OfficeVersion: 16.0.18130.30575
    X-OfficeCluster: uks-000.roaming.officeapps.live.com
    X-CorrelationId: 49a4cb3d-fb94-4440-ad1c-fc5f0305c704
    X-Powered-By: ASP.NET
    Date: Wed, 09 Oct 2024 07:28:30 GMT
    Content-Length: 654
  • flag-us
    DNS
    47.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    47.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    0.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • 52.109.28.47:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    EXCEL.EXE
    1.7kB
    7.7kB
    11
    10

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 8.8.8.8:53
    240.76.109.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    240.76.109.52.in-addr.arpa

  • 8.8.8.8:53
    roaming.officeapps.live.com
    dns
    EXCEL.EXE
    73 B
    244 B
    1
    1

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.28.47

  • 8.8.8.8:53
    47.28.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    47.28.109.52.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6d62745a-971a-40c6-abd3-e80654f28730.exe.log

    Filesize

    522B

    MD5

    18b4b20964ba71871f587253160ae3b1

    SHA1

    b0670adc90ecec31186448446ed43fc188be4559

    SHA256

    cb7844efb0b5fa59684743fa546012600ffe6fcc3aeb6c243796c1b1d8978987

    SHA512

    3fd458c517e43734477b209d38cd79f44f0b46de2c81386f83db99bd2f1fe27bff6594422c747d6b7eb32d24738d7257c94716c28a26205200958265d0cb5826

  • C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe

    Filesize

    233KB

    MD5

    025593cacb392aadf7266febcb9f700a

    SHA1

    602a4fcbbdaf682dc6311dc72468a00eb148ca86

    SHA256

    6b09a61d15fd9835db561b9f7571c714333a071cce0facd8ac3dc39289ef8998

    SHA512

    8e5c571c4905b418446cea26d8ef978706d1deb209227c602b8dbc5e9b9d23379bf42169887ee81dd287b9c07e43df733ffa7a72e4e279f9dfcec490710ed947

  • \Users\Admin\AppData\Local\Temp\ESTADO DE CUENTA.xll

    Filesize

    819KB

    MD5

    5475ac0337614b9651483ca83628c38f

    SHA1

    d03d0806bb24207780b441a090e3ff9e9d263929

    SHA256

    8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7

    SHA512

    d4d7d417fbadb98ac94e728c994b4ae7abc505632a1eb79d8f8193c71daa7bbbf2aa709713ec94ffa9b645dcf02b06907cd3fe1538840dfc22411c229bbcdb8c

  • memory/3892-292-0x0000000004B10000-0x0000000004B16000-memory.dmp

    Filesize

    24KB

  • memory/3892-286-0x00000000052A0000-0x000000000533C000-memory.dmp

    Filesize

    624KB

  • memory/3892-285-0x0000000004F60000-0x0000000004F9E000-memory.dmp

    Filesize

    248KB

  • memory/3892-282-0x0000000001060000-0x0000000001066000-memory.dmp

    Filesize

    24KB

  • memory/3892-281-0x0000000000770000-0x00000000007B0000-memory.dmp

    Filesize

    256KB

  • memory/4540-38-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-196-0x0000022806570000-0x0000022806584000-memory.dmp

    Filesize

    80KB

  • memory/4540-7-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-14-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-15-0x00007FFC9C370000-0x00007FFC9C380000-memory.dmp

    Filesize

    64KB

  • memory/4540-13-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-19-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-24-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-26-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-27-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-25-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-23-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-28-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-22-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-21-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-20-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-18-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-17-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-16-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-39-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-0-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

    Filesize

    64KB

  • memory/4540-102-0x0000022804180000-0x0000022804266000-memory.dmp

    Filesize

    920KB

  • memory/4540-8-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-167-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-237-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-12-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-238-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-252-0x0000022806800000-0x000002280683C000-memory.dmp

    Filesize

    240KB

  • memory/4540-239-0x000002281FC00000-0x000002281FD84000-memory.dmp

    Filesize

    1.5MB

  • memory/4540-195-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-223-0x0000022806570000-0x0000022806584000-memory.dmp

    Filesize

    80KB

  • memory/4540-257-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-173-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-261-0x000002281FA40000-0x000002281FA84000-memory.dmp

    Filesize

    272KB

  • memory/4540-263-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-11-0x00007FFC9C370000-0x00007FFC9C380000-memory.dmp

    Filesize

    64KB

  • memory/4540-9-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-10-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-2-0x00007FFCDFC85000-0x00007FFCDFC86000-memory.dmp

    Filesize

    4KB

  • memory/4540-3-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

    Filesize

    64KB

  • memory/4540-4-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

    Filesize

    64KB

  • memory/4540-327-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-1-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

    Filesize

    64KB

  • memory/4540-318-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-319-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-320-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-321-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-322-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4540-326-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp

    Filesize

    1.9MB

  • memory/4588-297-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB
