Analysis
-
max time kernel
41s -
max time network
64s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 08:12
Errors
General
-
Target
Estado_de_cuenta.xls
-
Size
196KB
-
MD5
e700160268262e4b240c83c431f11299
-
SHA1
fdea2e1e5f0904c186a53bd325550707f7aa2699
-
SHA256
548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb
-
SHA512
2460d16d033021dad30dfa88e547118c05f151070233eb4e39a1e9a8e320fc76b23001f315eb5c3ea18c3f5721c22bfcd9fcae8cca4670ed5ddce5f6da56a0ad
-
SSDEEP
6144:wxEtjPOtioVjDGUU1qfDlavx+W2QnAj+Ly9ckwDwPq5XlsqYwxNNiprC:E+VkGUqLsqhi4
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 2 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Estado_de_cuenta.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\FYXUDCNXK.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4BE.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 806⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 804⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 44641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2308 -ip 23081⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD57a1f814e2a871f3d16dcd5a88a4865f3
SHA1bbb720fedc188a92c19b1303cf42551c4636b948
SHA256da477890ff49815dce6931f9aeda5aeff9b36f548a891d820084e7256a077ee6
SHA51287c5b06faa5f09504a78f057690a548aee5378058f0e4aa704132037e6092a67e57dba9f4a5a635b492378a280d55135ca6f5060ccd35596cde90f16ae12cea5
-
Filesize
192B
MD5f7758653dad3eabd759e0139b90813cf
SHA14245be8ddb82471bf5289bc8bf3ce228f9c4a58c
SHA256c7e04f87c494fdae3f4ae3b9be90c2160d78f529f31504a0395b1936acba8062
SHA512fafa8af26b85a549cbc345061e69e2252acded7ffd9789478659e468f799d9a99d3a6ec9504333d4bc29be6e7a11c17bbde506999f78f7f9ff905f39a90166e2
-
Filesize
550B
MD58072c6246ece74acd39687e46075f853
SHA1bb3b8a8a5ca740b9fb76d0cd293edb5979a9b99c
SHA2560103287ea202c45e24a92b105e3e266e1f3af6486d863011be852a1f38c95d2c
SHA512ae5d1ae6b6cc78c78782ecb1293f30647ab14aeebf0f88622e1e7e553435ceeb4eebf195872dbc62a533071935735e754e6250d3fb160022f27c8f0f2fe6b7f1
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD5546c0f5ead9527f09d41e0ca1bb58962
SHA180250c7cd5905088f73b164f491b859392c4a5eb
SHA2566ddcfd7fcdef7fc35f4b5ca516785cc04e5e42c1cfb631af334f94ff4c5651a6
SHA512affd449e5aedd792c0c886df6d15214e6809fe8a9fb359e1f0264bb25b042364febdc628f3c1b5424631bd4783494fc2b1fc7f193c2af8c3616bba7594407026
-
Filesize
10KB
MD51c2875b1c103f365775dc50d407f1afd
SHA1f47372474db7c6da0d1d29e807d72b6f77b13d74
SHA256d8530cd9054daa3551987e8272b296aba8e9db057fb8755b5cf6af995295c9fb
SHA512b95c8f099df127d0a2cf8482780e619710b82d62638373c8f807c557fd5d83615fc795c89488d1d790abfc967218cc54f2af2c38116a51369f085be8e9ee36a5
-
Filesize
2KB
MD5c089af81e4d24c2688cd7c9bdc3da51b
SHA1b29f5c2d0c8444e89779d3308f4931c6998a5472
SHA2561826912c018480ab1a6d56437b737d219b75733fad22cd6a4e269965579d4a4d
SHA51213db0d3da99cb6c26df87ffa81a218dbc1f42c3ce6fa582f0f9cc3047cc9878dbd6db3906c5c581f3683d4cf068edec127b7769839e0ec3899ff84fff73a9728
-
Filesize
2KB
MD5067afde1fa283b33f56408f23f89ae0a
SHA1e634793e7800f8108ecfe351e7325ab8e3846909
SHA256748915974032d42e4ec39e718b24a8b1567e0c8cced0018173a3714ff9cd93db
SHA512f005a5e297c4899f1064ddf43f6edbe8ba8e24ba386055f29b9461cf56acf28a3e46ec5dc24bddff11f39cefca052adfc9a55859b1a3eca79562cdb1108a860e
-
Filesize
193KB
MD5ce24313f8b01015afc7d6f5e668bd703
SHA1d86c8ee00b3f4db999a94557e7ae62ee2cd87c0e
SHA256b7d50f4fb2342f63f86df5da89e7be2d3490adaccb37a5a6df2c1927c46aec60
SHA512b5e1f7a31e22afdf20b6b206e3815613714758f091481e15f73ca371f2bccb6833fd4b50c4f53869a315948c0a2e94ad7cb1753a764b0d0d234b5f511bf7b710
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
1KB
MD55c8fe4f5f1e1e45ed639b7c4c8c8ab0a
SHA1f46c6596614c34e0dc0dd04b31b0d9863ed80d2e
SHA2562bdd53d79e6397484b617c2c307d3b88e0e93e29546ef0dd7389614c1e7d3c20
SHA512c1b2c9a3f452e3f7b09f9d3c76a37f86de76884e1a388f51ef41cc4a9a78a74504a03ea000fbe6204861e251a7bb2a0ddf4d6e0ac51ef184dd9d8c61e60ef9fe
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
1KB
MD53e5a203d08fa3e55ae1807ff31a49834
SHA1346c34719aafe7df951d6dfc65d4827ca2b79206
SHA256f4183c78919beca09f038eee05011285ccbb4aabc38e2d1d179e38f93f979c64
SHA512a522d8ac6bc293a6dfef969236551320a9ef852bed313108865a05e343595bc87e8d6dd578e73c736d9cc7ac7d067d0dd2913945e282bfbd855c733495c1a121
-
Filesize
174KB
MD5da302f1f3b3f3a7df3dde94d870a2e22
SHA14c8e57bce883b2c2357065e95e4f4e1119d7b08d
SHA256e84e765247bd6d7d756789ba7c07d61a12c2e265136e0ca65acdc919d4ca98bc
SHA5120c4e38cb7387e647e2238cfd086c0122c12d9a9b9f827a56515722d4534a1ac3cc5a9c3e538095a696e84c52df1b7a75dd08a03a0e286cc79bdf398b2a93fdec
-
Filesize
10KB
MD5c818cba07e014f95bcf8b133eaba0ee6
SHA183852a470bf54205d59cf40675034f2129a10771
SHA2566b30fade6f3a26071148b661172fb9d8976c5d1d890a407bd06b5a4ae801b9b3
SHA512c718d0d1d43d7b36f6b3988d5e7de327d14f9d94ae43b62d7a5169c7580b57fbb83e49c2cb209e0328f748668a554878a083a763639b640806f4addd9430e78b
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
24KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
208KB
-
Filesize
24KB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
40KB