Analysis
-
max time kernel
39s -
max time network
44s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 08:12
Errors
General
-
Target
4WBVB_Estadodecuenta.xls
-
Size
192KB
-
MD5
31795aff2f438defa01c82368886353c
-
SHA1
3f4c6dfa01693fea70f3113c11aeb5812b0c6cdb
-
SHA256
75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a
-
SHA512
9ceebe6f8c7ee47b23c9e9350b7afdb21064edc45009ad8d1400566959d669b5aa2fd426d19c3302d701e05d5a09e9ed4088c1869168f4237b2b7417e21a49df
-
SSDEEP
6144:BxEtjPOtioVjDGUU1qfDlavx+W2QnAu+Ly9ckwDwPq5XlsqhwxNNipu:s+VkGUqLsqyi
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 2 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4WBVB_Estadodecuenta.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\TDCNX.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 806⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE59D.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1088 -ip 10881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4316 -ip 43161⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD57a1f814e2a871f3d16dcd5a88a4865f3
SHA1bbb720fedc188a92c19b1303cf42551c4636b948
SHA256da477890ff49815dce6931f9aeda5aeff9b36f548a891d820084e7256a077ee6
SHA51287c5b06faa5f09504a78f057690a548aee5378058f0e4aa704132037e6092a67e57dba9f4a5a635b492378a280d55135ca6f5060ccd35596cde90f16ae12cea5
-
Filesize
192B
MD5fa12bc11db076d851de6f8b7a01c54ac
SHA12d71431d85bfc47c3b6451f2cf4fc560ade45da1
SHA2561a4c5a87390230663dd58a2e6027d0f7b8071dfda8ab3e2df72c3b51878fa045
SHA5128453a7848b9ee2ea057c6a59f1db6fb6a53c89372b54dd1f2e906e34830ad01d02751bb86927fab84276ea09426af8ae714c434d41f032e0ead5ba2621fe9f53
-
Filesize
550B
MD5c0aa824bd77932559dae7e0b346156a3
SHA19f29ea6ded0ff9dc1c418e928e561bc419c60877
SHA256b46ce6dd8eec48a01eb8bc15189d565866828e81f433b62d85d2a3100b87ad0f
SHA51264dfc7c28a8ec2f186d4d7268889ea9568cd28d9c6dac5b12647b40ad65014e95cb14354c2c1cde280748ad74c257d1ea8ec1be2589e425f7cfe9b298480cc93
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD549723108a1986b72eb475aac0f6c7615
SHA1cc92000d6a5b54088fa4462bb0200d594dc6041d
SHA25606a0cd92912f12a6d654164ef9080bf089eb2c6e134ad42c1bf043e3608ca1b0
SHA512c39e199678f45fd735e3566f75048519b7d7fd8b7f34cd8126fc213f6110978352827c6500ae567a121719cd590f40e4a6ce6e92f102546a9e240858b601ff30
-
Filesize
11KB
MD51a1199225225af70e61d4c0bea75ffe0
SHA1af51a7bca848b59fd5a1514160f90588fee0ff92
SHA25680f03f98bd03c865a98b1df8ec81f8d3e28fb80daaa691d709face4633e789db
SHA5121e304eed097145b77406f7ac930bdfe7517ba6bf3786d16e289f6412a0185d91f54995bb02061e4aade71128fdd5990e164e4e4240451b0f9a614bfa91e3ddfd
-
Filesize
2KB
MD59f10d9e71c11dc4d7ba8d0c19667d83c
SHA1554325795f8c9b9677709a6b8fc24403fc7a2493
SHA2567ddcd04fc8c9a8fcd1f9bc5940d775f9290aeac63a29f49d7d4fba6044550e60
SHA512abd201d1577b4dc162ef416b89f3d23d0523a6775b7699e79a10c375b44be0fbc188a120f92f2382217c0d243c991ed52afbbda30ef3d74784fcc746c746a5bc
-
Filesize
2KB
MD5b7c483a92c81f8ce16bb4343cca954ed
SHA1b8e421d0299933b498a56f7f6f5fa481d511fc10
SHA256f73be84f606beb33f3695a0d1725532360fe8ea330a041fc360c0efc045b835a
SHA512c29713a63bf58d31a5c65a9af0c27e76044e4ac71b19698d13337f20dc5e15d0fa63166347cae528fb695653a1f00cae05947101fa6ffdadc5772a441ae5ca49
-
Filesize
193KB
MD5ce24313f8b01015afc7d6f5e668bd703
SHA1d86c8ee00b3f4db999a94557e7ae62ee2cd87c0e
SHA256b7d50f4fb2342f63f86df5da89e7be2d3490adaccb37a5a6df2c1927c46aec60
SHA512b5e1f7a31e22afdf20b6b206e3815613714758f091481e15f73ca371f2bccb6833fd4b50c4f53869a315948c0a2e94ad7cb1753a764b0d0d234b5f511bf7b710
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
1KB
MD55c8fe4f5f1e1e45ed639b7c4c8c8ab0a
SHA1f46c6596614c34e0dc0dd04b31b0d9863ed80d2e
SHA2562bdd53d79e6397484b617c2c307d3b88e0e93e29546ef0dd7389614c1e7d3c20
SHA512c1b2c9a3f452e3f7b09f9d3c76a37f86de76884e1a388f51ef41cc4a9a78a74504a03ea000fbe6204861e251a7bb2a0ddf4d6e0ac51ef184dd9d8c61e60ef9fe
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
1KB
MD5c198cae6d76fa9d3ec01713bdc16bada
SHA11b2a8b7e3ed28f5a0c8658850409cc7d6f3111be
SHA256e5ba3fbdcebb094791581f6459ed0bc1ff2833dfd1d49d51cbbfb0e86a3e8877
SHA512e5d67fedec7a20fa552306b33ce7cb4420511226011964fc6d14190ca9c1412189380ab00df3593af7d8330224fac7b49f4939f5850e553353152a72570b8e40
-
Filesize
174KB
MD5da302f1f3b3f3a7df3dde94d870a2e22
SHA14c8e57bce883b2c2357065e95e4f4e1119d7b08d
SHA256e84e765247bd6d7d756789ba7c07d61a12c2e265136e0ca65acdc919d4ca98bc
SHA5120c4e38cb7387e647e2238cfd086c0122c12d9a9b9f827a56515722d4534a1ac3cc5a9c3e538095a696e84c52df1b7a75dd08a03a0e286cc79bdf398b2a93fdec
-
Filesize
10KB
MD5c818cba07e014f95bcf8b133eaba0ee6
SHA183852a470bf54205d59cf40675034f2129a10771
SHA2566b30fade6f3a26071148b661172fb9d8976c5d1d890a407bd06b5a4ae801b9b3
SHA512c718d0d1d43d7b36f6b3988d5e7de327d14f9d94ae43b62d7a5169c7580b57fbb83e49c2cb209e0328f748668a554878a083a763639b640806f4addd9430e78b
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
208KB
-
Filesize
24KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
40KB