Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 08:06
General
-
Target
Estado de cuenta.xls
-
Size
192KB
-
MD5
31795aff2f438defa01c82368886353c
-
SHA1
3f4c6dfa01693fea70f3113c11aeb5812b0c6cdb
-
SHA256
75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a
-
SHA512
9ceebe6f8c7ee47b23c9e9350b7afdb21064edc45009ad8d1400566959d669b5aa2fd426d19c3302d701e05d5a09e9ed4088c1869168f4237b2b7417e21a49df
-
SSDEEP
6144:BxEtjPOtioVjDGUU1qfDlavx+W2QnAu+Ly9ckwDwPq5XlsqhwxNNipu:s+VkGUqLsqyi
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Estado de cuenta.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\TDCNX.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exeC:\Users\Admin\AppData\Roaming\UpdateManager\DNKFU.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 806⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\DNKFU.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD997.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 652 -ip 6521⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD57a1f814e2a871f3d16dcd5a88a4865f3
SHA1bbb720fedc188a92c19b1303cf42551c4636b948
SHA256da477890ff49815dce6931f9aeda5aeff9b36f548a891d820084e7256a077ee6
SHA51287c5b06faa5f09504a78f057690a548aee5378058f0e4aa704132037e6092a67e57dba9f4a5a635b492378a280d55135ca6f5060ccd35596cde90f16ae12cea5
-
Filesize
471B
MD5e81d1a452656da5266f453cb1a0fbcd4
SHA1142b115501d7af306d8f887be66bc89e92e81521
SHA2560a36be52eebc55142cc433203364f79cbe29bef5a6d0ce4bbf04fa41656de368
SHA5124f782226101f3d628a7853c1ed828b16acd3fded03b3dc3329a68f3cf6f1c2c8a9748ff4abd5970c74244a7656eeafd2f3041743a8961ad0fced2843f2cbc987
-
Filesize
192B
MD56e81811affab27cf04e9f5d0ecbad708
SHA195415cd4ca7c34165c2582470d9ecc7937282771
SHA25608ce74d29987cdefe99cfb644df374acf9c0cbcca671288fcc3bd94fc0c4655f
SHA512e3870a016eef636443af56d67eb24d96bfeb9619b2b6ff228b3cf727b848c080e9874cae8b3af9f8f4eb3338210510635f792f31c8ccf58324abbfdfd6b5730e
-
Filesize
550B
MD539a0586de3d184a7b24d7e1658584458
SHA1ea8603e7833b0ed8611bfe18ee917a5c081c7b9c
SHA2562f08b4c5603396309006ad75611ac3d659f2332c64a47344dc9486a0e79e122a
SHA5121fa19b4f33c6971295ddc7d8b36735c8bcbe9b4b01c18de233ac36b1df47cf54cf3fbbc7f5b95970656138718f136565600209a575fb49869c1c58c0363aae1e
-
Filesize
412B
MD5a967e83a8caa64a7b6d0cee11b575786
SHA18d28e483f259b33446bf18bbb0bc695475f209de
SHA25671ad59db8ce6e830ed770f71a768139e1cb1b09b709a664faa7bb0007b71fe14
SHA512152530e128c12d76c1ca19f181f1fc255239ef1b5f3921200893eb014365789b53aab329e7131d7680fd5e59a6d98f61e02461b90db20d16025b9510e9866022
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD562fde58b63f2824cdf89e6213022f6d6
SHA143eedbcfea082877f1e1897667f0cb7c3eb3b3f4
SHA2562ff7705d36c292b69cf8bbc3ee1f7db884df32b66ba1080ca9ab22ed3e38fa19
SHA512d84d809f4273324da53d4fa1e0ad0cbced7abaa4a598cef6846a8fb43009f4bd7c20887406c74e773377de6bc8beee11f2dadbf64722ef2c44c4e3682cbadb64
-
Filesize
11KB
MD51e5ecfdfa98f838a803bb7134228ce1f
SHA1b6f79d3cb54e61c291398add463176f384a3d035
SHA256ba510da203f301dcd9d198015f7a4a52eb6bcfc4a5068ccb5892beb4afe7f607
SHA512343e220c823385a9c8b3a79dc151e69b6e4ce6cf57c342e8823bea231561c375f94b8ddff184ce98ed10fbfa5493e0869996cb2e56c047f2434880133e4f23ae
-
Filesize
2KB
MD56c93c72fa8f701afee0a3cc05aba1441
SHA16e026ab5e256bae370d17138afb7e6622301b2fb
SHA25695089baaed092aa2dd45f8e90f03dbd594b9090a234691eca4ad93415f787f83
SHA5129014dc25fa87cc49009e6eef72bf5f09aa919fe22bc3f121c95bb326b59a771cc924e7309eb59206c23ac9442b1cda780dc08cf575fc879d62f62a59fa3cf4cd
-
Filesize
2KB
MD58c4a58a55bb5d93e20fa32ecb2655e4b
SHA173f4f18f599646cded89cbabaf225443c59ec163
SHA2561c9da7f140163a8d737f41d0d3904905a51e1d40c2aff3e41a44c0cffd4a6aaa
SHA5129e80586624eb33039bce58e7259231d3e080de391a9a41ae2889b7fbf6503ff4d8f7cc6113c40cc9d17791a36c7379e3af8f5ad2607b44bda69e4989096b9125
-
Filesize
193KB
MD5ce24313f8b01015afc7d6f5e668bd703
SHA1d86c8ee00b3f4db999a94557e7ae62ee2cd87c0e
SHA256b7d50f4fb2342f63f86df5da89e7be2d3490adaccb37a5a6df2c1927c46aec60
SHA512b5e1f7a31e22afdf20b6b206e3815613714758f091481e15f73ca371f2bccb6833fd4b50c4f53869a315948c0a2e94ad7cb1753a764b0d0d234b5f511bf7b710
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
1KB
MD55c8fe4f5f1e1e45ed639b7c4c8c8ab0a
SHA1f46c6596614c34e0dc0dd04b31b0d9863ed80d2e
SHA2562bdd53d79e6397484b617c2c307d3b88e0e93e29546ef0dd7389614c1e7d3c20
SHA512c1b2c9a3f452e3f7b09f9d3c76a37f86de76884e1a388f51ef41cc4a9a78a74504a03ea000fbe6204861e251a7bb2a0ddf4d6e0ac51ef184dd9d8c61e60ef9fe
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
2KB
MD58e50e0a41484221c20514b70474248b2
SHA1f5837d02eaa46829aecec7e341a20dbec55ca3ae
SHA2567f701640f39adcbfe357822022a84d6371374a244187faf1998c7a4b2d370975
SHA512c86f6a500ab72bb38639b8c3609734e1ad310c9604fb2a1ac1a563d5cee4855723969db46746ba6a7432b887dcd3e832e1bdc7d6747549ed36e20ba23ca79a55
-
Filesize
174KB
MD5da302f1f3b3f3a7df3dde94d870a2e22
SHA14c8e57bce883b2c2357065e95e4f4e1119d7b08d
SHA256e84e765247bd6d7d756789ba7c07d61a12c2e265136e0ca65acdc919d4ca98bc
SHA5120c4e38cb7387e647e2238cfd086c0122c12d9a9b9f827a56515722d4534a1ac3cc5a9c3e538095a696e84c52df1b7a75dd08a03a0e286cc79bdf398b2a93fdec
-
Filesize
10KB
MD5c818cba07e014f95bcf8b133eaba0ee6
SHA183852a470bf54205d59cf40675034f2129a10771
SHA2566b30fade6f3a26071148b661172fb9d8976c5d1d890a407bd06b5a4ae801b9b3
SHA512c718d0d1d43d7b36f6b3988d5e7de327d14f9d94ae43b62d7a5169c7580b57fbb83e49c2cb209e0328f748668a554878a083a763639b640806f4addd9430e78b
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
24KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
208KB
-
Filesize
24KB
-
Filesize
192KB