Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 08:05
General
-
Target
Estado_de_cuenta.xls
-
Size
196KB
-
MD5
e700160268262e4b240c83c431f11299
-
SHA1
fdea2e1e5f0904c186a53bd325550707f7aa2699
-
SHA256
548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb
-
SHA512
2460d16d033021dad30dfa88e547118c05f151070233eb4e39a1e9a8e320fc76b23001f315eb5c3ea18c3f5721c22bfcd9fcae8cca4670ed5ddce5f6da56a0ad
-
SSDEEP
6144:wxEtjPOtioVjDGUU1qfDlavx+W2QnAj+Ly9ckwDwPq5XlsqYwxNNiprC:E+VkGUqLsqhi4
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 25 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Estado_de_cuenta.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\FYXUDCNXK.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9F0.tmp" /F6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 806⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 804⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2840 -ip 28401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2372 -ip 23721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2248 -ip 22481⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD57a1f814e2a871f3d16dcd5a88a4865f3
SHA1bbb720fedc188a92c19b1303cf42551c4636b948
SHA256da477890ff49815dce6931f9aeda5aeff9b36f548a891d820084e7256a077ee6
SHA51287c5b06faa5f09504a78f057690a548aee5378058f0e4aa704132037e6092a67e57dba9f4a5a635b492378a280d55135ca6f5060ccd35596cde90f16ae12cea5
-
Filesize
192B
MD5ce87552c0ca0aadeb9c9cd5b51b0e96c
SHA115c92dd7d4b784cebff32d27df5b00958cb73ed7
SHA25665158a6d4340c85f060d24e01440c8093e2414f5dd6e6fa99ec0f01f72b673b5
SHA5125b84b4802d4471a46490187fef2ff6f2bf15936ba8c9d639e889a042cfb7d867e28facaba060c81547be58ff8de6805f907ef173cecb4cd90cbd815d8b7c665a
-
Filesize
550B
MD581290834888a18f8d7167906e6736626
SHA15d07e735a81a5f22388323da07e660bb427e8830
SHA256c7457e3c0e893e24b7fdb8e96de323c662eebaea3860642d8f5fc4b66ef4a0fb
SHA512e25cb8e8dd2b966a5f6db967203c644da871c26fe02c6b73b321ae7bd39326c3bf230caa4e120038c8ee206510ebec48d71793ed81f96769affb3c2d9449e1bf
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD5241612db04c5c3a4929571535faf3f8b
SHA11ce3a8f4baa35cff6d5903d7791b2df94d73c606
SHA256307ee0edddabc9647ea44c423ddf495351187a2bf9e6a05d99b9288ca8971f6e
SHA512d33701c511d5e6c9f6535cb3927205c2dc6d4fcecc30f4e64878f98f7207d6cac995549651439b42de07f0fb3cf023235c36cbc1564dc56017fa0d3b9ba79c48
-
Filesize
11KB
MD5199a0ee597ff5e05febbd48f737396a0
SHA12cbe0c49f9176b78be63ba457c00ecfd3c4a5cd6
SHA2560c534f96b4cb78892752fcea92c0df49ade1eb9601fd4666372815a4982e4107
SHA51202ac44c32f056579935eaa96d1119b3a7ae279056414cb4b6a6e1d0de17fb83fc244fcd2c6b0df3746dfe2d9360732ccff65790ba430a0c409cb16eead9376c9
-
Filesize
2KB
MD5848779880d652864dd4678ce7f8b3a16
SHA1de7d3fabba863b834a95fcaac5f7cbf89fe75796
SHA2563d0437d5e517240174d2c774c967a3e9a1be77f4d034ec5b7ba7323d3a12d63a
SHA51208461b3f64859802ecf89403f9402908f963176089a722cd93ce8aa5734c1302d22c1413686b1ef0fe00c1a8c919de33c1a06d427a50fd8f864622e61a3f3c41
-
Filesize
2KB
MD5f94690cc3ef5055fedb7d48ce9154194
SHA1bdc1306aad7d6026c13c669d51962eb5f1d50927
SHA256205818b5bb53176b31f1b174dd420150b9a9b26a8bcbdc54f9f4240a421d24a2
SHA512de15b501c2475d6c1d6448836711106536f44d8ba3ff128f598fdebec29cb3a8ba3d95f6adecdb6c3a8b8afd9e07bd54d1903ddfcc9f6961e4bad18613d05e2c
-
Filesize
193KB
MD5ce24313f8b01015afc7d6f5e668bd703
SHA1d86c8ee00b3f4db999a94557e7ae62ee2cd87c0e
SHA256b7d50f4fb2342f63f86df5da89e7be2d3490adaccb37a5a6df2c1927c46aec60
SHA512b5e1f7a31e22afdf20b6b206e3815613714758f091481e15f73ca371f2bccb6833fd4b50c4f53869a315948c0a2e94ad7cb1753a764b0d0d234b5f511bf7b710
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
1KB
MD530c74b4a399ff4b4d938f764359fe1b6
SHA1e590e2381d16001d9b9458dd466224ed7c6565f3
SHA2564f67256957da298f9f69c61a5ff0b06dc1cf04f81d23f9a3984f80f85fb5466c
SHA51295ee88b6c7528d3c86e8227ddd184500f0ce278adfb2bf38bdf7e1ca66f093144bd1509054802459a6fa271c3c2826c907898f35bd2aba799cae6c0eb2143ffb
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
1KB
MD52c8d283d853236bc31f33cb2ef01a0e9
SHA15638e5f603045ffab7705ae190d1269a0edb3757
SHA25653c2f291047ee0c254c7856e837edb8209a6e677f1acb71e06f2c037fa28218b
SHA5123eff2bf97538cc4224cc5033967387b9dbad91000de1f114acdaf998564a68a93dea7507a4afc04545e7f5eea10b7f48218e4455f445677c744605e0f996fd19
-
Filesize
174KB
MD5da302f1f3b3f3a7df3dde94d870a2e22
SHA14c8e57bce883b2c2357065e95e4f4e1119d7b08d
SHA256e84e765247bd6d7d756789ba7c07d61a12c2e265136e0ca65acdc919d4ca98bc
SHA5120c4e38cb7387e647e2238cfd086c0122c12d9a9b9f827a56515722d4534a1ac3cc5a9c3e538095a696e84c52df1b7a75dd08a03a0e286cc79bdf398b2a93fdec
-
Filesize
10KB
MD5c818cba07e014f95bcf8b133eaba0ee6
SHA183852a470bf54205d59cf40675034f2129a10771
SHA2566b30fade6f3a26071148b661172fb9d8976c5d1d890a407bd06b5a4ae801b9b3
SHA512c718d0d1d43d7b36f6b3988d5e7de327d14f9d94ae43b62d7a5169c7580b57fbb83e49c2cb209e0328f748668a554878a083a763639b640806f4addd9430e78b
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
24KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
208KB
-
Filesize
24KB
-
Filesize
192KB