Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 21:13
General
-
Target
ad58a779119b226a8f322acfc28bb19997def17a0c4a3f17ab4c57d83269650a.xls
-
Size
192KB
-
MD5
6917e598649923e5cf22957e24caffa4
-
SHA1
6365e7abd6413cec0f51ff997cdba24e263ccbe4
-
SHA256
ad58a779119b226a8f322acfc28bb19997def17a0c4a3f17ab4c57d83269650a
-
SHA512
d5c3b9b7ab59a0ac8d94205a7748a06b194d6bd2921ee6fd799306d4802fd5b785aaf31cf422c9dfa4d671571729d10bbfdcea4cba37088cfc7cc88e0671552d
-
SSDEEP
3072:DrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:nxEtjPOtioVjDGUU1qfDlavx+W2QnAqE
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ad58a779119b226a8f322acfc28bb19997def17a0c4a3f17ab4c57d83269650a.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\PFLLTU.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE416.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD5468c10fe6e033605fdc3eb77dac1a0b9
SHA1f2afc12dc5c537c067334987f42d0e23457d50ae
SHA2566f1ccbff6df00d9812182caa9e98b2ceea1f056527efff69f28f38b1fac8b817
SHA5127e08a6d72c7d809edd92fe4560008f69fd98d2f0d802bea341acb6ef6fb7beb073e953b838a735761ea0d081749982bb16426e322923596feed78d08ad79e77d
-
Filesize
471B
MD5b51ec1bb8e0b2545ab3f8edd052142fc
SHA12b01f53f310e9924c290b045804475401062357e
SHA2563a1146c1f4bf199350370cbac825d792895128cda813fed5020df57d0935def1
SHA51200341b3a3d843c8647eb9e96153db3f1792acba43fe394d9d2aee536e597ef8c492fb1e3f6616bc5aff99b106e71b2fdc335f425ac1405cd432e221fdbde5ac9
-
Filesize
192B
MD56e1a2edb3d3cc88674087ad736273953
SHA1446fd1fe32bbea4d12441f16152ec610f82629ad
SHA2563d482c2d2451e80438b4156d034b9277b9f1f6b954ce952cd0558a52b3a3d7e9
SHA51281e149d6b4125ee9d5eec2eb8c5572ff53a0c341d3097b37a068dbf1aa2a5ff7ddf875e7b4efceb6d12df46b6e1870fa6b4350a245ee8747ec6b51bfddaf53f2
-
Filesize
546B
MD5b6cf4c7c2f0801d82359cf465fc79661
SHA1ce1a6e70994f1f48c8fddf0aff2a8ec3d6c997d4
SHA25621e2d3ba2d7fda37bfd0966f23fae6278d24671e092f8eaae19237d13b474189
SHA5124782078f13e7870ff35d262b98134bcfd7e61dea281864efb8f93dc0d4001a093daa6f8a13372b23598e5b87a2f78b7072dd249ffab64b700654b28aa5930647
-
Filesize
420B
MD551bb5f29831767451533865d6a38ce89
SHA11fe09caacd5e9d3f7b24a43a42478a9a25179225
SHA2568575ea6ae62a71ede12130b18cca008b49d61453fad116b850fb44d5a7df2399
SHA512d7784c0abdc65a46d12e076cc47f1bc2dd8c0cbaa442fcad0e2eb43d72ecad5fe287bb88037b6abe3a54224b626342c235e0ec3b2b114d195bda9fb627bdd968
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD5e490242d64ba5523665f72468d1aa328
SHA1e69201fa05e035f09fc1421c7b424beee39b5774
SHA2566d2c3008576dd9dae4d59eb104c1cc60c586d3c89ab2dfa50913f6a21fb34dab
SHA512c688d0faf6fd654cf978be284ffe889cf03d8c448c685c679ce3e77d19c1a06ae8480a00ed8f29c7d7a7d14ab13e8ac49fe7d82c46f36c223abd54e1b64bd293
-
Filesize
11KB
MD579ece63216dada3fb2dec389c61f9ce9
SHA1e05898a193178342330858ef426366b903703f80
SHA256758dedf71a56b2523be2e3d91c84608aa233e372f514955be6120231f757f7fd
SHA5125848380c0ceca54fba2f5d4f38a321848df7d25a8674cdda476cdfb67de6c1fa031e40c92b91a8b57fc54eb1f0b7047d9458891abe439114e666046b61ac1c77
-
Filesize
2KB
MD5dcc8e71de783447ce6a8a875c6cb5dd8
SHA1c2ace77ac8fb107200b88cf93122f6397c7f2509
SHA256a8cdcfd1b932db6b92cc6c00edc804d501f120d8cea73d0d5eb643bbfc7d7d1e
SHA5121841b62531521a91958136fc42885e480741d1e1a02e842d19d4ee314e93d7d81c591b846748ccc053f4ab1bbae0e7aa15c03b384afeb7d59577aa5b44e22079
-
Filesize
2KB
MD56b63f2d88934f2fda075f6bed94eeaae
SHA1e48b9360e862fe97d5b171cf95beb3e37c223289
SHA256a0e78c269bb847cd63388b34a121cfb1a5c5ddceced280408fed91e18002e03f
SHA512d67ac4d67207823b04318fe1de6e5d5535f2fa8be763cb2ab7b5e14c77cf388079999b62a16a0a43a6086938adadbc5e3c1bd6e8cedbfd2c980f455ec41be511
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
1KB
MD5dabe93a03c5560ab1670cf79b8d28566
SHA169738fe43d4550ece028ff2795a54bbad0985414
SHA256743e8b28a38e98ea27ef07f17b7529976979c7b01eab92586a6cb686c0d1f68d
SHA51215b3b49c46901e00a73def834225df28fd843af1e9ae594c7d061406209f6ce57277673c9c1ae3ed541f989fa499fd3e88929e00ebded6d23301f8d3680a6c57
-
Filesize
195KB
MD57ea9da3dd3db6f3fadf04ac76b54434b
SHA1b30b950191046d999e71aaa54fb2648c6655ce9b
SHA256947bce97211371e730a2b8b79c2ec4d154904e8faa7bed2583c5c6c420230170
SHA512f94eb382dedb8c3952dbc0f3b9040201455cec641c845bedf5765a2772aa98cb20d92b3e0edadcd92fd7cdb77e7c6f37d26bdd276cceea733237e28f04240f9d
-
Filesize
1KB
MD58dcbb9b08863e574d17752aeff9c9a2e
SHA14957ff1e2a465955f65baa999d8066e18f00ce8c
SHA2560cab22dc0b915219e1bd2d8cc1cb5792bf64ac75f5416b9a6c4854499e4fa157
SHA512f6a8b71b53836aff6f984157ec2828a463361fd187ffa900d7781dccea166acaf15794c770501a10216a4796b188393ad863b07989f47cc2c39a4336291fd05a
-
Filesize
166KB
MD557fcc042b0f7783567878d217ae69e25
SHA183032ec361ea8b15ef956536999b754db6a12423
SHA25613bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
SHA5124fe2ce713333d9a16d65ca5ccdc3a2e687b84a58b6b1e43b43c3f508edb2cc04478a5595efc43202decf7f86b50fd43382246fbc12553117a9177fb13d987b67
-
Filesize
10KB
MD5087bcef76143b81090deef4ee4679995
SHA16ebd4fd212d0583157ae03bb0eb5841c53e281fc
SHA25687334eb3f39cffdfeed453f67a7c338fe378b75c49946451ca1a0e4e151bba00
SHA512b2f93705760d4d1cf5fe0ac354100916d16b6c4fd62117254238a600aabe6257fc791f1ce498bd2d0cfdd47e19f304dc5a68a06b7958658f34859afaa582ed4d
-
Filesize
624KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
200KB
-
Filesize
24KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB