Analysis
- max time kernel: 17s
- max time network: 19s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 09-10-2024 07:28

Static task: static1
Behavioral task: behavioral1
Sample: ESTADO DE CUENTA.xll
Resource: win10-20240404-en
General
- Target: ESTADO DE CUENTA.xll
- Size: 819KB
- MD5: 5475ac0337614b9651483ca83628c38f
- SHA1: d03d0806bb24207780b441a090e3ff9e9d263929
- SHA256: 8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7
- SHA512: d4d7d417fbadb98ac94e728c994b4ae7abc505632a1eb79d8f8193c71daa7bbbf2aa709713ec94ffa9b645dcf02b06907cd3fe1538840dfc22411c229bbcdb8c
- SSDEEP: 12288:xG1N4HkcgMsiOd58bzbBSre6Q0uqZzD1reWabd/dbNZEEx/DLn0vkYHipwyA:xoOOMX1K+QHT+d9NZdxYHip
Malware Config
Extracted
- Family: xenorat
- 91.92.248.167
- Wolid_rat_nd8889g
- delay: 60000
- install_path: appdata
- port: 1279
- startup_name: qns
Signatures
- Detect XenoRat Payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/4588-297-0x0000000000400000-0x0000000000412000-memory.dmp | family_xenorat
- Executes dropped EXE (8 IoCs)
  pid | Process
  3892 | 6d62745a-971a-40c6-abd3-e80654f28730.exe
  4588 | 6d62745a-971a-40c6-abd3-e80654f28730.exe
  5108 | 6d62745a-971a-40c6-abd3-e80654f28730.exe
  4520 | 6d62745a-971a-40c6-abd3-e80654f28730.exe
  3964 | 6d62745a-971a-40c6-abd3-e80654f28730.exe
  4408 | 6d62745a-971a-40c6-abd3-e80654f28730.exe
  3476 | 6d62745a-971a-40c6-abd3-e80654f28730.exe
  4776 | 6d62745a-971a-40c6-abd3-e80654f28730.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  4540 | EXCEL.EXE (4 occurrences)
- Suspicious use of SetThreadContext (6 IoCs)
  description | pid | Process | procid_target
  PID 3892 set thread context of 4588 | 3892 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 76
  PID 3892 set thread context of 5108 | 3892 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 77
  PID 3892 set thread context of 4520 | 3892 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 78
  PID 3964 set thread context of 4408 | 3964 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 82
  PID 3964 set thread context of 3476 | 3964 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 83
  PID 3964 set thread context of 4776 | 3964 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 84
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  1444 | 5108 | WerFault.exe | 77
  3488 | 4408 | WerFault.exe | 82
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6d62745a-971a-40c6-abd3-e80654f28730.exe (6 occurrences)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  4540 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  4540 | EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4540 | EXCEL.EXE
  Token: SeDebugPrivilege | 3892 | 6d62745a-971a-40c6-abd3-e80654f28730.exe
  Token: SeDebugPrivilege | 3964 | 6d62745a-971a-40c6-abd3-e80654f28730.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  4540 | EXCEL.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  4540 | EXCEL.EXE (10 occurrences)
- Suspicious use of WriteProcessMemory (54 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 4540 wrote to memory of 3892 | 4540 | EXCEL.EXE | 75 | 3
  PID 3892 wrote to memory of 4588 | 3892 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 76 | 8
  PID 3892 wrote to memory of 5108 | 3892 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 77 | 8
  PID 3892 wrote to memory of 4520 | 3892 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 78 | 8
  PID 4588 wrote to memory of 3964 | 4588 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 81 | 3
  PID 3964 wrote to memory of 4408 | 3964 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 82 | 8
  PID 3964 wrote to memory of 3476 | 3964 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 83 | 8
  PID 3964 wrote to memory of 4776 | 3964 | 6d62745a-971a-40c6-abd3-e80654f28730.exe | 84 | 8
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID:4540)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ESTADO DE CUENTA.xll"
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe (PID:3892)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe (PID:4588)
      Command line: C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe (PID:3964)
        Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe (PID:4408)
          Command line: C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe
          - Executes dropped EXE
          - C:\Windows\SysWOW64\WerFault.exe (PID:3488)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 24
            - Program crash
        - C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe (PID:3476)
          Command line: C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        - C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe (PID:4776)
          Command line: C:\Users\Admin\AppData\Roaming\XenoManager\6d62745a-971a-40c6-abd3-e80654f28730.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe (PID:5108)
      Command line: C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe (PID:1444)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 88
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe (PID:4520)
      Command line: C:\Users\Admin\AppData\Local\Temp\6d62745a-971a-40c6-abd3-e80654f28730.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
- Remote address: 8.8.8.8:53
  Request: 240.76.109.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: roaming.officeapps.live.com IN A
  Response:
    roaming.officeapps.live.com IN CNAME prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net IN CNAME eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net IN CNAME uks-azsc-000.roaming.officeapps.live.com
    uks-azsc-000.roaming.officeapps.live.com IN CNAME osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com
    osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com IN A 52.109.28.47
- Remote address: 52.109.28.47:443
  Request:
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
  Response:
    HTTP/1.1 200 OK
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_294
    X-OfficeVersion: 16.0.18130.30575
    X-OfficeCluster: uks-000.roaming.officeapps.live.com
    X-CorrelationId: 49a4cb3d-fb94-4440-ad1c-fc5f0305c704
    X-Powered-By: ASP.NET
    Date: Wed, 09 Oct 2024 07:28:30 GMT
    Content-Length: 654
- Remote address: 8.8.8.8:53
  Request: 47.28.109.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 88.210.23.2.in-addr.arpa IN PTR
  Response: 88.210.23.2.in-addr.arpa IN PTR a2-23-210-88.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53
  Request: 0.159.190.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 67.31.126.40.in-addr.arpa IN PTR
  Response: (empty)

Traffic summary (per flow, figures as reported)
- HTTP Request: POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc; HTTP Response: 200; 1.7kB 7.7kB 11 10
- DNS Request: 240.76.109.52.in-addr.arpa; 72 B 146 B 1 1
- DNS Request: roaming.officeapps.live.com; DNS Response: 52.109.28.47; 73 B 244 B 1 1
- DNS Request: 47.28.109.52.in-addr.arpa; 71 B 145 B 1 1
- DNS Request: 88.210.23.2.in-addr.arpa; 70 B 133 B 1 1
- DNS Request: 0.159.190.20.in-addr.arpa; 71 B 157 B 1 1
- DNS Request: 67.31.126.40.in-addr.arpa; 71 B 157 B 1 1
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6d62745a-971a-40c6-abd3-e80654f28730.exe.log
  Filesize: 522B
  MD5: 18b4b20964ba71871f587253160ae3b1
  SHA1: b0670adc90ecec31186448446ed43fc188be4559
  SHA256: cb7844efb0b5fa59684743fa546012600ffe6fcc3aeb6c243796c1b1d8978987
  SHA512: 3fd458c517e43734477b209d38cd79f44f0b46de2c81386f83db99bd2f1fe27bff6594422c747d6b7eb32d24738d7257c94716c28a26205200958265d0cb5826
- (path not given in the report)
  Filesize: 233KB
  MD5: 025593cacb392aadf7266febcb9f700a
  SHA1: 602a4fcbbdaf682dc6311dc72468a00eb148ca86
  SHA256: 6b09a61d15fd9835db561b9f7571c714333a071cce0facd8ac3dc39289ef8998
  SHA512: 8e5c571c4905b418446cea26d8ef978706d1deb209227c602b8dbc5e9b9d23379bf42169887ee81dd287b9c07e43df733ffa7a72e4e279f9dfcec490710ed947
- (path not given in the report; hashes match the submitted sample)
  Filesize: 819KB
  MD5: 5475ac0337614b9651483ca83628c38f
  SHA1: d03d0806bb24207780b441a090e3ff9e9d263929
  SHA256: 8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7
  SHA512: d4d7d417fbadb98ac94e728c994b4ae7abc505632a1eb79d8f8193c71daa7bbbf2aa709713ec94ffa9b645dcf02b06907cd3fe1538840dfc22411c229bbcdb8c