Overview

overview

10

Static

static

8

90f57a9578...07.doc

windows7-x64

10

90f57a9578...07.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90f57a9578ce153c8520aee9b42d0407.doc

  • Size

    35KB

  • MD5

    90f57a9578ce153c8520aee9b42d0407

  • SHA1

    b669b63e818628044a49c33a2c4edb9840bb030e

  • SHA256

    c9ab3c4481da95348f1d65fecb8da349ecdb1826f16d27ee3e5c5a0d49384c52

  • SHA512

    a63d6c7d453c82e2ff910b5b1faaddf9a96f312f6ab325b5cdf72d68d46006986e429281cfdb3eea7357f4cec5a4dce29e730602aa120df4afca1c8ea15b13cc

  • SSDEEP

    384:wRpiSY5U1zhghLadtb/W5t7c4AZTA6C60jYvA6cSPvuC9:E7n1QvyTA6NJvA6cSeC9

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\90f57a9578ce153c8520aee9b42d0407.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\NBUTQYX.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\NBUTQYX.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\NBUTQYX.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\NBUTQYX.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3680
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC8DE.tmp" /F
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:5096
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\NBUTQYX.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\NBUTQYX.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3848
        • C:\Users\Admin\AppData\Roaming\UpdateManager\NBUTQYX.exe
          "C:\Users\Admin\AppData\Roaming\UpdateManager\NBUTQYX.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:852
          • C:\Users\Admin\AppData\Roaming\UpdateManager\NBUTQYX.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\NBUTQYX.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2592
          • C:\Users\Admin\AppData\Roaming\UpdateManager\NBUTQYX.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\NBUTQYX.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1460
          • C:\Users\Admin\AppData\Roaming\UpdateManager\NBUTQYX.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\NBUTQYX.exe
            5⤵
            • Executes dropped EXE
            PID:316
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 80
              6⤵
              • Program crash
              PID:4872
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\NBUTQYX.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\NBUTQYX.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2300
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 316 -ip 316
    1⤵
      PID:2844

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NBUTQYX.exe.log
      Filesize

      706B

      MD5

      d95c58e609838928f0f49837cab7dfd2

      SHA1

      55e7139a1e3899195b92ed8771d1ca2c7d53c916

      SHA256

      0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

      SHA512

      405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TCDD27D.tmp\sist02.xsl
      Filesize

      245KB

      MD5

      f883b260a8d67082ea895c14bf56dd56

      SHA1

      7954565c1f243d46ad3b1e2f1baf3281451fc14b

      SHA256

      ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

      SHA512

      d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpC8DE.tmp
      Filesize

      1KB

      MD5

      33bbfcbd5303d9264901bd293a3e2b9d

      SHA1

      ec065ec36e09d5b8e5a4d6fde005da291e5c4b74

      SHA256

      b922930c42b97dda929255c17a8bc29a1f3c650f9784ac243a7ac6a8a2189478

      SHA512

      db0272881e2560fef51f82fef2e52b6e1168ef8fbfb9ab51a52013a5c5869daac50f9b869d032b0cd2631a7d84684eeca78d6e8d6eca91da0b3bb2c969d239ed

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      1KB

      MD5

      5ece0f5d71d28326da79d0ad0ffd161e

      SHA1

      1da0a426cf6b212c8c112ecd87c43daebf683581

      SHA256

      b9cbdb2975d786b09ff71a3a19beb4ced0701965dd9e957e7d3c861590871e31

      SHA512

      b894db0e1a06eeceb079a1d07385d684a12b4a7f2a6222c699a1e13517df330f29332647e297cb32423f034d9c374b9a93dba7db3721768a135ddd44ccc9c103

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\NBUTQYX.exe
      Filesize

      166KB

      MD5

      81ab2cef389699b418a0c016114f1c8b

      SHA1

      fc99c84f1c8ee460adc8948b475dd075e24ae249

      SHA256

      ba8b86390a03a48a818a8efb1252236a76bba4cc49a38eb9822e3924c02f9809

      SHA512

      9877e761d9f130963475e989f427b09be323a0ec48b5cb981f506fd34b141e0841ae92eb7d759ed3142046ab096a045eafaf0cc880e7f868685232cc4ca8e6cb

      Download Submit

    • memory/2752-35-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-5-0x00007FFD33970000-0x00007FFD33980000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2752-11-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-14-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-12-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-15-0x00007FFD31540000-0x00007FFD31550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2752-9-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-17-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-18-0x00007FFD31540000-0x00007FFD31550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2752-20-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-19-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-16-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-8-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-7-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-6-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-37-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-36-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-42-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-1-0x00007FFD7398D000-0x00007FFD7398E000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2752-10-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-3-0x00007FFD33970000-0x00007FFD33980000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2752-2-0x00007FFD33970000-0x00007FFD33980000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2752-4-0x00007FFD33970000-0x00007FFD33980000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2752-125-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-124-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-123-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-122-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-120-0x00007FFD7398D000-0x00007FFD7398E000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2752-121-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-0-0x00007FFD33970000-0x00007FFD33980000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2752-119-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2752-13-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3680-88-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4956-84-0x000000000A990000-0x000000000AF34000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4956-87-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4956-86-0x000000000A2A0000-0x000000000A2A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4956-85-0x000000000A3E0000-0x000000000A472000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4956-82-0x0000000004D50000-0x0000000004D82000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4956-83-0x000000000A340000-0x000000000A3DC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4956-81-0x0000000004D40000-0x0000000004D46000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4956-80-0x00000000003F0000-0x000000000041E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4956-79-0x00007FFD738F0000-0x00007FFD73AE5000-memory.dmp

      Filesize

      2.0MB

      Download