Overview

overview

10

Static

static

8

75a5568c91...5a.xls

windows7-x64

10

75a5568c91...5a.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    61s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2024 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a.xls

  • Size

    192KB

  • MD5

    31795aff2f438defa01c82368886353c

  • SHA1

    3f4c6dfa01693fea70f3113c11aeb5812b0c6cdb

  • SHA256

    75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a

  • SHA512

    9ceebe6f8c7ee47b23c9e9350b7afdb21064edc45009ad8d1400566959d669b5aa2fd426d19c3302d701e05d5a09e9ed4088c1869168f4237b2b7417e21a49df

  • SSDEEP

    6144:BxEtjPOtioVjDGUU1qfDlavx+W2QnAu+Ly9ckwDwPq5XlsqhwxNNipu:s+VkGUqLsqyi

Score
10/10
xenoratdiscoverymacromacro_on_actionrattrojan

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Signatures

  • Detect XenoRat Payload 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Office macro that triggers on suspicious action 1 IoCs

    Office document macro which triggers in special circumstances - often malicious.

    macromacro_on_action
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

    macro
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\TDCNX.vbs"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      PID:3016
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3660
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1827.tmp" /F
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1952
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4312
        • C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
          "C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4548
          • C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            5⤵
            • Executes dropped EXE
            PID:3108
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 80
              6⤵
              • Program crash
              PID:2776
          • C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe
            5⤵
            • Executes dropped EXE
            PID:2884
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 80
              6⤵
              • Program crash
              PID:3848
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
        3⤵
        • Executes dropped EXE
        PID:1608
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 80
          4⤵
          • Program crash
          PID:3096
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1608 -ip 1608
    1⤵
      PID:1068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3108 -ip 3108
      1⤵
        PID:1940
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2884 -ip 2884
        1⤵
          PID:2844

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
          Filesize

          717B

          MD5

          822467b728b7a66b081c91795373789a

          SHA1

          d8f2f02e1eef62485a9feffd59ce837511749865

          SHA256

          af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

          SHA512

          bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EC004B7FD8CB72D80A747F531B799BC
          Filesize

          504B

          MD5

          468c10fe6e033605fdc3eb77dac1a0b9

          SHA1

          f2afc12dc5c537c067334987f42d0e23457d50ae

          SHA256

          6f1ccbff6df00d9812182caa9e98b2ceea1f056527efff69f28f38b1fac8b817

          SHA512

          7e08a6d72c7d809edd92fe4560008f69fd98d2f0d802bea341acb6ef6fb7beb073e953b838a735761ea0d081749982bb16426e322923596feed78d08ad79e77d

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
          Filesize

          192B

          MD5

          fc555ad437d2f86dac326824546f7027

          SHA1

          f0c39b1d27d3231e1995d55b163a5a497d65d3c5

          SHA256

          8ed2748e1423bebf26d56b144c48c654089f31bc34019968aad01f8241bcf4ef

          SHA512

          80ad5fc4e0a162ccab71877d188d951479109303207b6194f514c1fa685fdc16b83788e768a6a690678c89420f4771bd496b203360c15747ea6489e2a4a60506

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EC004B7FD8CB72D80A747F531B799BC
          Filesize

          546B

          MD5

          a1ecd18bd56264abab15bc78d4716c1d

          SHA1

          ba4e14f558baf12df3f8689d3fbc0141a0225c80

          SHA256

          951cad153989512a35ef7b1383ef2a724fa507980e07586db62342daf0d4c3ec

          SHA512

          f40e3b6b4d98cec5c538b58180ae0b89d62a6172de09b0a54f21f6e59011c1fa34104862f4609fc9e350776efba0eadc575f968b89632f10c02c85d7df662ead

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GFKMTE.exe.log
          Filesize

          706B

          MD5

          d95c58e609838928f0f49837cab7dfd2

          SHA1

          55e7139a1e3899195b92ed8771d1ca2c7d53c916

          SHA256

          0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

          SHA512

          405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E6887515-E2AD-4849-BA6E-49F7BA81EA73
          Filesize

          176KB

          MD5

          79943f0472bd0a227e7a198b13a3114c

          SHA1

          6e0ad8ffad54cb692d4df6c479ab1ba7a4b328e8

          SHA256

          4113ae7c71fdfc73753966cd64c09219713a7cb77b567dc4a846e3e0eace8c97

          SHA512

          d21177fed585cb60879a832f13dc63bf2309d909067460cf843a563fb6ad68b20d1416259b9da7b7456dfea2aa00f4b902b9da8449616464c82ebd3d576397f0

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
          Filesize

          11KB

          MD5

          b9edde031cb73626893346613bbc074a

          SHA1

          e4573693c3f4563437fc8f2d4a33ee2047e6a484

          SHA256

          189e6e59c5ead5bc18b4d4e881fd5c5a170b761d96a1093c05bc14f84781432e

          SHA512

          a1ae946e06952c799f968b6400e2769958f2bb269a86b8e92dc9806823e7eb74e4e56f78ee1c273f405c5911e0563b9b95f069dcf182d37d2e9ec45edc36ac4d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
          Filesize

          2KB

          MD5

          b89a7a86eb07222146f6d9e154fa36b8

          SHA1

          01f9e54c3d6a3b0a7b5ffd4dd539218084eec877

          SHA256

          d02fe7a3aaac7f2b7851acbb722d86ba0c39ec6b233e4babea0cd43bce2afc66

          SHA512

          db477aa5451a885cc6dc48b4126b7c088f980b758768375d28051f606832d9507413140c4e2bf8dd9b5f7e9018eb04cede974f502e508e4b1be110f4a3da6326

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
          Filesize

          2KB

          MD5

          b5a782a3a9ab6887aa6fc97f365b6e44

          SHA1

          7878096dbde4739f7bb75298b312ab86843a916d

          SHA256

          56d6839fe6e43010d06bdc976c47fe40f0a8185aa7ac04bdf75d6bc3aa4524d6

          SHA512

          3e57f61cc26d0819016d6a1d3c95abc6cfee8fff489dfeb1d6834bffc69ce7bfaf72ac6f33cb60267c0fb89ea60c846f9ffe47c4d14b6270c860d76ff51efcb1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TCD1915.tmp\sist02.xsl
          Filesize

          245KB

          MD5

          f883b260a8d67082ea895c14bf56dd56

          SHA1

          7954565c1f243d46ad3b1e2f1baf3281451fc14b

          SHA256

          ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

          SHA512

          d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp1827.tmp
          Filesize

          1KB

          MD5

          dabe93a03c5560ab1670cf79b8d28566

          SHA1

          69738fe43d4550ece028ff2795a54bbad0985414

          SHA256

          743e8b28a38e98ea27ef07f17b7529976979c7b01eab92586a6cb686c0d1f68d

          SHA512

          15b3b49c46901e00a73def834225df28fd843af1e9ae594c7d061406209f6ce57277673c9c1ae3ed541f989fa499fd3e88929e00ebded6d23301f8d3680a6c57

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\¸¸.doc
          Filesize

          195KB

          MD5

          7ea9da3dd3db6f3fadf04ac76b54434b

          SHA1

          b30b950191046d999e71aaa54fb2648c6655ce9b

          SHA256

          947bce97211371e730a2b8b79c2ec4d154904e8faa7bed2583c5c6c420230170

          SHA512

          f94eb382dedb8c3952dbc0f3b9040201455cec641c845bedf5765a2772aa98cb20d92b3e0edadcd92fd7cdb77e7c6f37d26bdd276cceea733237e28f04240f9d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
          Filesize

          166KB

          MD5

          57fcc042b0f7783567878d217ae69e25

          SHA1

          83032ec361ea8b15ef956536999b754db6a12423

          SHA256

          13bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564

          SHA512

          4fe2ce713333d9a16d65ca5ccdc3a2e687b84a58b6b1e43b43c3f508edb2cc04478a5595efc43202decf7f86b50fd43382246fbc12553117a9177fb13d987b67

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\TDCNX.vbs
          Filesize

          10KB

          MD5

          087bcef76143b81090deef4ee4679995

          SHA1

          6ebd4fd212d0583157ae03bb0eb5841c53e281fc

          SHA256

          87334eb3f39cffdfeed453f67a7c338fe378b75c49946451ca1a0e4e151bba00

          SHA512

          b2f93705760d4d1cf5fe0ac354100916d16b6c4fd62117254238a600aabe6257fc791f1ce498bd2d0cfdd47e19f304dc5a68a06b7958658f34859afaa582ed4d

          Download Submit

        • memory/2812-13-0x00007FF843660000-0x00007FF843670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2812-12-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-17-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-15-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-18-0x00007FF843660000-0x00007FF843670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2812-28-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-32-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-35-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-34-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-46-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-8-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-14-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-67-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-2-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2812-9-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-11-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-77-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-16-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-10-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-6-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-7-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-1-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2812-117-0x00007FF885CB0000-0x00007FF885EA5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2812-0-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2812-3-0x00007FF885D4D000-0x00007FF885D4E000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2812-5-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2812-4-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2836-138-0x00000000097C0000-0x000000000985C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2836-139-0x0000000009E10000-0x000000000A3B4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2836-140-0x0000000005440000-0x00000000054D2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2836-141-0x0000000005230000-0x0000000005236000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2836-137-0x0000000002C50000-0x0000000002C82000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2836-136-0x0000000005200000-0x0000000005206000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2836-135-0x00000000008F0000-0x0000000000920000-memory.dmp

          Filesize

          192KB

          Download

        • memory/3660-142-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download