Overview

overview

10

Static

static

8

26973056c1...7e.doc

windows7-x64

10

26973056c1...7e.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26973056c194b68b10d1c2b9a632a27e.doc

  • Size

    47KB

  • MD5

    26973056c194b68b10d1c2b9a632a27e

  • SHA1

    0b61132df948c4d48e81b631bdad91be1080f530

  • SHA256

    4a58b228b23cdc286d103115b2fb312eedf6741aeada17b242620b6737db1035

  • SHA512

    72a2120c4e62e91aec8cf5ec14ca42d5088944b4652dd5c69be15640bb3c260a8eb74984659f98d2161671bc4b4da0397542d4e0d24e30518374ff686ed66c2e

  • SSDEEP

    384:5fFAhRp/6j1dhUsQGlWmxDJzkpiSY5UyCUuCJbnsQfzyK9tujq/z60jAx7:5KhHi3KnCWmHzk7o3JzVip

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

87.120.120.27

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    11000

  • install_path

    appdata

  • port

    2222

  • startup_name

    mrec

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\26973056c194b68b10d1c2b9a632a27e.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4012
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5048
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7A5.tmp" /F
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4188
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4020
        • C:\Users\Admin\AppData\Roaming\UpdateManager\MDEODF.exe
          "C:\Users\Admin\AppData\Roaming\UpdateManager\MDEODF.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4884
          • C:\Users\Admin\AppData\Roaming\UpdateManager\MDEODF.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\MDEODF.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2680
          • C:\Users\Admin\AppData\Roaming\UpdateManager\MDEODF.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\MDEODF.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2080
          • C:\Users\Admin\AppData\Roaming\UpdateManager\MDEODF.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\MDEODF.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:460

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MDEODF.exe.log
    Filesize

    706B

    MD5

    d95c58e609838928f0f49837cab7dfd2

    SHA1

    55e7139a1e3899195b92ed8771d1ca2c7d53c916

    SHA256

    0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

    SHA512

    405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCDD299.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpC7A5.tmp
    Filesize

    1KB

    MD5

    2252d13c1250e721a097456d0dcdb094

    SHA1

    dc9eb91dcf5ca59c2d8e6e820fd11a2372c68a1f

    SHA256

    b3bdf8781809c2231b91a866b457b26f102f340acc1bfb07b4c52239e992283f

    SHA512

    9b9eab3c92d69075649f73435700618f1b14467de85380b03fe292f619675a50abbc98e614151f02a3246d29989794ae7c885237a8d4b57064c04f023179850a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    d4441dd2df0bdf0885d5eda83ceb0de7

    SHA1

    9544d359af9b7d217ddb28101589ccc73dd3ef4c

    SHA256

    2e6fffbdebddd94def5836de3586b9cddf3f460b15d8530709194cd874578573

    SHA512

    81db7334872f9fd3e1f1e86a94c720e4d24f25440577fd3374275c0ecb75de0462fb38c20fee234f891594ee5afb5f873119373b17d47fa1fb2dd5356368a02b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
    Filesize

    166KB

    MD5

    f44302503ea4eedfa831c25711df51b7

    SHA1

    127d6ec83904de48d90c293e53c905fc4206bfb8

    SHA256

    21b7b8656a008ad3e5df1725cddf55e650812c1f3d59609f14c0d3089a886de6

    SHA512

    71e9512244d864b53abf436b496a53e6771135cc7d5fc0e4df7d04ac23074b6ed1e7438a28bc232a70f57de97367f0e3a21925bed738c5e47bdf3487ab2f4e03

    Download Submit

  • memory/1408-123-0x0000000005590000-0x0000000005596000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1408-122-0x000000000ABD0000-0x000000000AC62000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1408-121-0x000000000B0E0000-0x000000000B684000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1408-120-0x000000000AA90000-0x000000000AB2C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1408-119-0x00000000054D0000-0x0000000005502000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1408-118-0x0000000002FA0000-0x0000000002FA6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1408-117-0x0000000000B80000-0x0000000000BAE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1876-10-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-2-0x00007FF8DFBD0000-0x00007FF8DFBE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1876-14-0x00007FF8DD420000-0x00007FF8DD430000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1876-15-0x00007FF8DD420000-0x00007FF8DD430000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1876-79-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-12-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-13-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-7-0x00007FF8DFBD0000-0x00007FF8DFBE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1876-9-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-11-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-8-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-5-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-6-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-1-0x00007FF8DFBD0000-0x00007FF8DFBE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1876-4-0x00007FF8DFBD0000-0x00007FF8DFBE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1876-149-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-3-0x00007FF91FBED000-0x00007FF91FBEE000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1876-158-0x00007FF91FB50000-0x00007FF91FD45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1876-0-0x00007FF8DFBD0000-0x00007FF8DFBE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4012-124-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download