Analysis
-
max time kernel
52s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 21:20
General
-
Target
ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c.xls
-
Size
192KB
-
MD5
84d6b509972268981bab9932386c549c
-
SHA1
dfa0dba8ae581f80e94dd5d69625e1b8b50ebfa9
-
SHA256
ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c
-
SHA512
d2a3c06bc33f6c0ac2f26c68b33a486d5ceb01e1e1f58cf8f72d63632e78e4f692bb0f10dc9680d36a14c212f6915d9ecc5927b601e1ddc7ea13babf10617c6d
-
SSDEEP
6144:BxEtjPOtioVjDGUU1qfDlavx+W2QnAu+Ly9ckwDwPq5XlsqhwxNNipu:s+VkGUqLsqyi
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\TDCNX.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA3.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD5468c10fe6e033605fdc3eb77dac1a0b9
SHA1f2afc12dc5c537c067334987f42d0e23457d50ae
SHA2566f1ccbff6df00d9812182caa9e98b2ceea1f056527efff69f28f38b1fac8b817
SHA5127e08a6d72c7d809edd92fe4560008f69fd98d2f0d802bea341acb6ef6fb7beb073e953b838a735761ea0d081749982bb16426e322923596feed78d08ad79e77d
-
Filesize
471B
MD5b51ec1bb8e0b2545ab3f8edd052142fc
SHA12b01f53f310e9924c290b045804475401062357e
SHA2563a1146c1f4bf199350370cbac825d792895128cda813fed5020df57d0935def1
SHA51200341b3a3d843c8647eb9e96153db3f1792acba43fe394d9d2aee536e597ef8c492fb1e3f6616bc5aff99b106e71b2fdc335f425ac1405cd432e221fdbde5ac9
-
Filesize
192B
MD5694eb6f7628b6f2a358eefac99c91eb9
SHA166ec064a560f6579ef1125dc6f4bf854c4c672e2
SHA2563542ed7d8acb6264f043191e3f3d81fbcc371132c478979e4229f43029ada4e3
SHA5125f34871235d953feece7e0eedd2ab7b06fe8b00e85f83b6686fea86b1b0aee3949d59bb60b424b6bcd7e980b81c3234563e827d1a5fabb57befb1ad7f60755de
-
Filesize
546B
MD51fc4e170d6ce7486b784210ed2bf3d89
SHA183eeab7d19e1f11b64035ec336fed10d3577a0ee
SHA256b4e57c53c4cbe169d9f2b675a5b2e807048be75c90133da4e4d4f24c4a858e2a
SHA512c6db20a2ad25d7aad13fb9e67826403078c444f0c7fae7edb9cfce12bcdd5865bf31848771675bb7736a0ded62211b2a33180f838c1c9f685cad44d34e0ac10b
-
Filesize
420B
MD524de300a8a1ebc0168bc5cb3583b02e5
SHA16e8daa8ebe8748902d2f4581ba6a9999cf10e785
SHA256e5c0298a67432fa243847930f2caf26f3b6b5778d1e8d4bacd54234acb819d93
SHA51249741f38f148a7ba100519f722e5699f38e2cd7ebe4f863384131ecb6e020649d3b839096b4078f6ab31d167f7471b9204da2dbaaef83c4f7b0a55f4386f5919
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD5983961a3194da310631886f9d47c2c18
SHA19990fabce4e4e432dffe0393eed4a5bafba48865
SHA256fcf14f61cdfb1b3beb418a9222d9917cc533d6da742e2e14f6cff265a94c0f3e
SHA512d3ddefd76fd197518eb7e3bb833c3f8c44a94f5d2229e12a376e88da76b234ef0d98e99ec852a1b9a2f3a37300d17df22e50d657b7a6efe3a0f0e3519157de7c
-
Filesize
11KB
MD56ee4e6d18d0e858e0fe68c14b52412ef
SHA105f1168ce93fdef81be02740814cd8a4b0b25306
SHA256f570c594ba0d46c3685d0d60ea0e7c95e7afb4cc2ccf9240a092615d168ea35f
SHA512d2e5f70e8ab663b913e1eda647dcc575a2e5acb290f795d0c6d3acda5032b6a0033c498c0883d05f04a446950076be5c6e03c2e2952d19aa825c142dc96ce1f5
-
Filesize
2KB
MD51a06486877b86551f6605fcecafcc00d
SHA17161e757df1db179fc81d6decee6a48e5178844b
SHA2563014b30524115d84e82e8a3cea8438b254c38065c4112759d398bc12330916d3
SHA5124187c995e1beec5b21cadc29034af80e9ca3faa4c050b9ced74551a16abc19e3d744b6030b4c4ce2253bae3766b2c756ab63264f5cb1ab65315599647beadefe
-
Filesize
2KB
MD5144a316a60d5ee41170ecd1f60018d08
SHA152162adfd61b42daff884983661ff75cdaf93807
SHA256109e9c1f1ed1bdd7b347e01f0acdee6b9a3c66244dbd70dd876fd18d0353aac4
SHA5121d5f7c2c6b9d899cff83a21f3ca957d78e7e89637ca3c1df67105a25660ab0eb570f74cef97e50fc0bb6f2014de8286b0622fd8408efa071df684e95df47f1de
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
1KB
MD5dabe93a03c5560ab1670cf79b8d28566
SHA169738fe43d4550ece028ff2795a54bbad0985414
SHA256743e8b28a38e98ea27ef07f17b7529976979c7b01eab92586a6cb686c0d1f68d
SHA51215b3b49c46901e00a73def834225df28fd843af1e9ae594c7d061406209f6ce57277673c9c1ae3ed541f989fa499fd3e88929e00ebded6d23301f8d3680a6c57
-
Filesize
195KB
MD57ea9da3dd3db6f3fadf04ac76b54434b
SHA1b30b950191046d999e71aaa54fb2648c6655ce9b
SHA256947bce97211371e730a2b8b79c2ec4d154904e8faa7bed2583c5c6c420230170
SHA512f94eb382dedb8c3952dbc0f3b9040201455cec641c845bedf5765a2772aa98cb20d92b3e0edadcd92fd7cdb77e7c6f37d26bdd276cceea733237e28f04240f9d
-
Filesize
1KB
MD505d7647cf6e69110a581ad88dfa01fec
SHA1961b61c1a63fe110985b3342a79f4968b8370ccf
SHA256a7dc3c49a8846cc888b3f254dbdb910371d5eb3dd8095217c8a33f9dcf6cde3b
SHA51260405dea19174a8224ab4893acca1037f6a676f69ab1cd4296147d4a0a0d0c415856be4571ccec8487deae74a73354a82c6cb03cb8e0b6c7889de81ddc0e0ec1
-
Filesize
166KB
MD557fcc042b0f7783567878d217ae69e25
SHA183032ec361ea8b15ef956536999b754db6a12423
SHA25613bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
SHA5124fe2ce713333d9a16d65ca5ccdc3a2e687b84a58b6b1e43b43c3f508edb2cc04478a5595efc43202decf7f86b50fd43382246fbc12553117a9177fb13d987b67
-
Filesize
10KB
MD5087bcef76143b81090deef4ee4679995
SHA16ebd4fd212d0583157ae03bb0eb5841c53e281fc
SHA25687334eb3f39cffdfeed453f67a7c338fe378b75c49946451ca1a0e4e151bba00
SHA512b2f93705760d4d1cf5fe0ac354100916d16b6c4fd62117254238a600aabe6257fc791f1ce498bd2d0cfdd47e19f304dc5a68a06b7958658f34859afaa582ed4d
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
24KB
-
Filesize
584KB
-
Filesize
200KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB