Overview

overview

10

Static

static

8

Estado de cuenta.xls

windows7-x64

10

Estado de cuenta.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2024 08:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Estado de cuenta.xls

  • Size

    192KB

  • MD5

    4b5efde48442f60d1563164c1e728061

  • SHA1

    f371b6ea0311f9175c78102e3a087ab5fc7fe687

  • SHA256

    8464e28250faf8cc3d316329b9b39cbc029659d93db9da3086ce9fc5e37bbcd1

  • SHA512

    cc18300b59ad15c59fd3dd96a88df4cb4526da5b7bb92dffd0c4fe6c616268d0de0197a59b2b403ae6f35d7e027137d7db6baa713e74c3401abd58b1d101cbd8

  • SSDEEP

    3072:PrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:zxEtjPOtioVjDGUU1qfDlavx+W2QnAqE

Score
10/10
xenoratdiscoverymacromacro_on_actionrattrojan

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Signatures

  • Detect XenoRat Payload 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Office macro that triggers on suspicious action 1 IoCs

    Office document macro which triggers in special circumstances - often malicious.

    macromacro_on_action
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

    macro
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Estado de cuenta.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3824
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\PFLLTU.vbs"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      PID:3124
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe
          "C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4852
          • C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe
            5⤵
            • Executes dropped EXE
            PID:4880
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 80
              6⤵
              • Program crash
              PID:448
          • C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe
            5⤵
            • Executes dropped EXE
            PID:2040
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 80
              6⤵
              • Program crash
              PID:4468
          • C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3956
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1060
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF107.tmp" /F
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2040 -ip 2040
    1⤵
      PID:1676
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4880 -ip 4880
      1⤵
        PID:536

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
        Filesize

        717B

        MD5

        822467b728b7a66b081c91795373789a

        SHA1

        d8f2f02e1eef62485a9feffd59ce837511749865

        SHA256

        af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

        SHA512

        bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\571AD299D4068543C8553D40E79010FA
        Filesize

        504B

        MD5

        7a1f814e2a871f3d16dcd5a88a4865f3

        SHA1

        bbb720fedc188a92c19b1303cf42551c4636b948

        SHA256

        da477890ff49815dce6931f9aeda5aeff9b36f548a891d820084e7256a077ee6

        SHA512

        87c5b06faa5f09504a78f057690a548aee5378058f0e4aa704132037e6092a67e57dba9f4a5a635b492378a280d55135ca6f5060ccd35596cde90f16ae12cea5

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
        Filesize

        471B

        MD5

        e81d1a452656da5266f453cb1a0fbcd4

        SHA1

        142b115501d7af306d8f887be66bc89e92e81521

        SHA256

        0a36be52eebc55142cc433203364f79cbe29bef5a6d0ce4bbf04fa41656de368

        SHA512

        4f782226101f3d628a7853c1ed828b16acd3fded03b3dc3329a68f3cf6f1c2c8a9748ff4abd5970c74244a7656eeafd2f3041743a8961ad0fced2843f2cbc987

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
        Filesize

        192B

        MD5

        61385a9c9ccfe53a5650fd26ea0649b2

        SHA1

        1ee3ef4c5193707474270bc7dfcf502404a33e86

        SHA256

        bfa33473cff4f675b2e359b6168aaf1eb9fceab09721e63c2d30428d200d909c

        SHA512

        7f168c0ad6e53216dab7e87fe5e3d3fa8154c9e3e1348f94ab85bbc45299937900aeb85b9e7c50026232ff64d01695a0b8734237d96ed694d9416f6a3cfd228b

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\571AD299D4068543C8553D40E79010FA
        Filesize

        550B

        MD5

        a64db662e3966e0a68effac937c69272

        SHA1

        6483b987d64161e0e7ab961bc9b27120873c2bb2

        SHA256

        b1150609414f915a88f80f2834b1c63ae96037b4bcca60b9c2e64ee4c4527d6c

        SHA512

        d43855a216ed4baecac614e74173c64696188be9f2cd422ec597641c19d8d87b76a649b8de175bd54a4c50004a3b4c5442144eb8378175bfaae8feeb7f61302c

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
        Filesize

        412B

        MD5

        0d816f19b762e64fea547f2abca5726c

        SHA1

        d11a448053061091c716331c8a5cb314296622f6

        SHA256

        097c50383cc71f7811077f4c5746695942d94daa583b371cfefcac23f837d837

        SHA512

        d15c71aa20c36fb606920de9fdfc3b9c0c5152976d4371828eb3f05c66b8917ab6b6f6769d7a5ea4895ca3afb6cf0d881ff74b4b60dbe86a21226c7d0f66e866

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DNKFU.exe.log
        Filesize

        706B

        MD5

        d95c58e609838928f0f49837cab7dfd2

        SHA1

        55e7139a1e3899195b92ed8771d1ca2c7d53c916

        SHA256

        0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

        SHA512

        405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AC71E9B7-2E9E-4A39-B738-BD22F5199510
        Filesize

        176KB

        MD5

        1415b9b4d5cd5d52057d2ef2c4ccad15

        SHA1

        d001ba3000210a0071073cb9f0bcfb0e150217d8

        SHA256

        f071e742415c56075ddb0377eda53be38088414db8497f5cd3a01d357817f93b

        SHA512

        2cc8006e7441cd1633327c9f80c588e1cf7720ef1d120dca483c2e2532a3a5c5d3c5e09767b7ef8c045e44a97fbdd354a775b67a1fb9f875eb9c29932de8a82d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
        Filesize

        10KB

        MD5

        248c3dfdc55fd944b0ec4415d0709c3b

        SHA1

        3a22a886b148b7f6b91e6d9e3b85c0a8cb983023

        SHA256

        0fe13f022a7b9efd38e88f35c38e7b039f0f2f85fa9b68d46982692d4a89597c

        SHA512

        f1b921f4d2bf57a3c69b744f18d81f972a353cb71e7c4fb930d9b20d421ecad2425996effa7021e9e2eb4713abe71c0cd095989f5fe3517897106a98625dfa58

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
        Filesize

        2KB

        MD5

        7a5cf8de91428d21b500c0a854ed8daf

        SHA1

        4e0d12c476740f7009ce745616833fb3ad6b2393

        SHA256

        edf5043cb39cc21d895a61384840bfef0a40d84fa0ac41ae024f1896eb2b8018

        SHA512

        9b8f3b782bdc853943966cea759abd39d0d7e39ac58caca8a4784612e3239345ca4d0072e86c048d2804800fddd1f6fd94b91e5fd98daba2aca0a7c03d37e734

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
        Filesize

        2KB

        MD5

        af2589dffafa3ff7bb0686b31854af1d

        SHA1

        13450a2443f7cbc7beea09f855ecbd8905bf5b74

        SHA256

        00fac31a926f2ec034e813c28575f439420e7d0770963cdde61f2f2e84db6929

        SHA512

        8f9a7f660877ca207eaaa9544b340b2806a17ad7945c786536a5897ccc42200c4295455ac67b2f2e6dcdba610ce283d59e118241ae3402a2ec62af65265d1109

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Qj.doc
        Filesize

        193KB

        MD5

        ce24313f8b01015afc7d6f5e668bd703

        SHA1

        d86c8ee00b3f4db999a94557e7ae62ee2cd87c0e

        SHA256

        b7d50f4fb2342f63f86df5da89e7be2d3490adaccb37a5a6df2c1927c46aec60

        SHA512

        b5e1f7a31e22afdf20b6b206e3815613714758f091481e15f73ca371f2bccb6833fd4b50c4f53869a315948c0a2e94ad7cb1753a764b0d0d234b5f511bf7b710

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TCDF2B6.tmp\gb.xsl
        Filesize

        262KB

        MD5

        51d32ee5bc7ab811041f799652d26e04

        SHA1

        412193006aa3ef19e0a57e16acf86b830993024a

        SHA256

        6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

        SHA512

        5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpF107.tmp
        Filesize

        1KB

        MD5

        5c8fe4f5f1e1e45ed639b7c4c8c8ab0a

        SHA1

        f46c6596614c34e0dc0dd04b31b0d9863ed80d2e

        SHA256

        2bdd53d79e6397484b617c2c307d3b88e0e93e29546ef0dd7389614c1e7d3c20

        SHA512

        c1b2c9a3f452e3f7b09f9d3c76a37f86de76884e1a388f51ef41cc4a9a78a74504a03ea000fbe6204861e251a7bb2a0ddf4d6e0ac51ef184dd9d8c61e60ef9fe

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
        Filesize

        3KB

        MD5

        a34137ef365b1de1ea6eecf876b878e4

        SHA1

        f939380a6099e1171dd23bde42d1aa8196249a81

        SHA256

        b6197ce321d8247591298d36f2f788db8b14c140badc2f758eb5beadd19c19f6

        SHA512

        590f8035208bc1c180428bde06b818040b7f2ca2e8af57018af7593bf32d49137d6d47860729881172c02d3c351ec4f81c2dfbb4a76e99d113cb1ac8060ed718

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe
        Filesize

        174KB

        MD5

        da302f1f3b3f3a7df3dde94d870a2e22

        SHA1

        4c8e57bce883b2c2357065e95e4f4e1119d7b08d

        SHA256

        e84e765247bd6d7d756789ba7c07d61a12c2e265136e0ca65acdc919d4ca98bc

        SHA512

        0c4e38cb7387e647e2238cfd086c0122c12d9a9b9f827a56515722d4534a1ac3cc5a9c3e538095a696e84c52df1b7a75dd08a03a0e286cc79bdf398b2a93fdec

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\PFLLTU.vbs
        Filesize

        10KB

        MD5

        c818cba07e014f95bcf8b133eaba0ee6

        SHA1

        83852a470bf54205d59cf40675034f2129a10771

        SHA256

        6b30fade6f3a26071148b661172fb9d8976c5d1d890a407bd06b5a4ae801b9b3

        SHA512

        c718d0d1d43d7b36f6b3988d5e7de327d14f9d94ae43b62d7a5169c7580b57fbb83e49c2cb209e0328f748668a554878a083a763639b640806f4addd9430e78b

        Download Submit

      • memory/592-268-0x0000000005B60000-0x0000000005BC6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/896-101-0x0000000000D00000-0x0000000000D30000-memory.dmp

        Filesize

        192KB

        Download

      • memory/896-103-0x0000000003110000-0x0000000003116000-memory.dmp

        Filesize

        24KB

        Download

      • memory/896-108-0x00000000051F0000-0x00000000051F6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/896-107-0x0000000007CF0000-0x0000000007D82000-memory.dmp

        Filesize

        584KB

        Download

      • memory/896-106-0x0000000008200000-0x00000000087A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/896-105-0x00000000056F0000-0x000000000578C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/896-104-0x0000000003130000-0x0000000003164000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1432-109-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3824-26-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-118-0x00007FFB010AD000-0x00007FFB010AE000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3824-102-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-31-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-2-0x00007FFAC1090000-0x00007FFAC10A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3824-4-0x00007FFAC1090000-0x00007FFAC10A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3824-5-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-7-0x00007FFAC1090000-0x00007FFAC10A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3824-25-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-32-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-1-0x00007FFB010AD000-0x00007FFB010AE000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3824-6-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-119-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-8-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-136-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-137-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-11-0x00007FFABE990000-0x00007FFABE9A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3824-146-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3824-3-0x00007FFAC1090000-0x00007FFAC10A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3824-0-0x00007FFAC1090000-0x00007FFAC10A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3824-10-0x00007FFABE990000-0x00007FFABE9A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3824-9-0x00007FFB01010000-0x00007FFB01205000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4852-130-0x0000000004C30000-0x0000000004C64000-memory.dmp

        Filesize

        208KB

        Download