Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-12-2024 21:32

General

  • Target

    ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c.xls

  • Size

    192KB

  • MD5

    84d6b509972268981bab9932386c549c

  • SHA1

    dfa0dba8ae581f80e94dd5d69625e1b8b50ebfa9

  • SHA256

    ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c

  • SHA512

    d2a3c06bc33f6c0ac2f26c68b33a486d5ceb01e1e1f58cf8f72d63632e78e4f692bb0f10dc9680d36a14c212f6915d9ecc5927b601e1ddc7ea13babf10617c6d

  • SSDEEP

    6144:BxEtjPOtioVjDGUU1qfDlavx+W2QnAu+Ly9ckwDwPq5XlsqhwxNNipu:s+VkGUqLsqyi

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Signatures

  • Detect XenoRat Payload 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • XenoRat

    XenoRat is a remote access trojan written in C#.

  • Xenorat family
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Office macro that triggers on suspicious action 1 IoCs

    Office document macro that triggers only under special circumstances; often malicious.

  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Script User-Agent 1 IoCs

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\TDCNX.vbs"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      PID:4888
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
          "C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1212
          • C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4316
          • C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2188
          • C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4604
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmp120C.tmp" /F
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:64
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Downloads
