Analysis
-
max time kernel
51s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 21:21
General
-
Target
48a776e5effacaaee83b198a43a9252d9456fd6f488a8f44af4fd6ee5835d8a9.xls
-
Size
192KB
-
MD5
054c7c9df65480b67c1762fdf1071692
-
SHA1
e9962aa07b013c9d2f56a257f08c3873919c57bf
-
SHA256
48a776e5effacaaee83b198a43a9252d9456fd6f488a8f44af4fd6ee5835d8a9
-
SHA512
54403bb19f320a9e7c241ba28f9c0b2b67b9beb8585ab13a9e434a6edf9d4bfbd99047710197f784d685879b6af2929574a5e00347b406dcd2493244b12ac3ad
-
SSDEEP
3072:PrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:zxEtjPOtioVjDGUU1qfDlavx+W2QnAqE
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\48a776e5effacaaee83b198a43a9252d9456fd6f488a8f44af4fd6ee5835d8a9.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\PFLLTU.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC25.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 806⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3672 -ip 36721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4496 -ip 44961⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD5468c10fe6e033605fdc3eb77dac1a0b9
SHA1f2afc12dc5c537c067334987f42d0e23457d50ae
SHA2566f1ccbff6df00d9812182caa9e98b2ceea1f056527efff69f28f38b1fac8b817
SHA5127e08a6d72c7d809edd92fe4560008f69fd98d2f0d802bea341acb6ef6fb7beb073e953b838a735761ea0d081749982bb16426e322923596feed78d08ad79e77d
-
Filesize
471B
MD5b51ec1bb8e0b2545ab3f8edd052142fc
SHA12b01f53f310e9924c290b045804475401062357e
SHA2563a1146c1f4bf199350370cbac825d792895128cda813fed5020df57d0935def1
SHA51200341b3a3d843c8647eb9e96153db3f1792acba43fe394d9d2aee536e597ef8c492fb1e3f6616bc5aff99b106e71b2fdc335f425ac1405cd432e221fdbde5ac9
-
Filesize
192B
MD5a219f30f71d7fdfb1a3056f67fc0ca9f
SHA15148c84948904df7db3a01950f6daf7e3246c6ad
SHA256b02f4bb1db12abe50fb24a2eb68a1abbc73247f168b8043cbdcaa048755c1526
SHA512cb7abf953671e5c6a8f079bd0447227dde1bc862e3dd5d70cee5b16efcfb1f4874baee9f28054c4aa2acb31b079e19834d6dbdeb943603ac77cc659683157c3e
-
Filesize
546B
MD556c8981097c15fef1d558930d176ba34
SHA150c76f328e2d5558ce6931223554a17791ee165a
SHA2568fa0e8f49aa63b167be0d5175ff839401ccc4d54e0b97e627a7e9b76ecfe8ec4
SHA512a71bd6d0e6a87e85ede2d44dd67d498c3d94c8ed12ea667f79fcdc7ef8c74d32288ef6c6780038917e0506d7efceaeb28316ff5d6c80de9f090e8b6c48ba4cff
-
Filesize
420B
MD5b02cf0d93c809a9b92c7749c4623edc9
SHA1b4e24323ca769061c7c4f96db472a3b3dca1c776
SHA25604fb86de701f0861f5d09e20ed80b9e7f0239ed913799657d5333d92b5ed3593
SHA512c8e32ba5ba75ba0eef59c7de23b3d81590d32e111b02cfa271db491ab5f01573f662be6c2de3fcd830bd2d7a260b46dd032c54eee1cf19a3f7948335e1f24080
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD58d17a013300ffa0d9c877eaf724ce7d0
SHA1c523676d222c867e212fb91f6e40d8e096861053
SHA2561605e801ab89674f84b3e21aac3dbdf100e712aaaf2882c454c0abd95ccc409d
SHA512ce0f073bfa0b2195498dceb0da4be810c3d2ad1847c6612f23f4e5fb1cecb21b12e41218ae84a7dc89328dfda9ea382f506b16fa150bfb2d0ebe3c2b067c97c9
-
Filesize
10KB
MD5d9566285ce87ae4e4d79ae96685b4d1e
SHA146b54655376d3f2cf5aaf53f03b0e8ebccdc17ca
SHA25689d1b108b06f3c480b780a4397b34b2c990a6177488f0e34a934e04a74841311
SHA512949dfcb72c5e9c4e51ffaa0f4cb2f294cdc4bfedf9ab6d6997692966aa09a2b0f99bc7fc492c6b47ffeb7553cf29ae175558d84a1ac836d1c04b29f4912bc81f
-
Filesize
2KB
MD5f1da150f4e9898a8aa80e15b6b536533
SHA1efc1ed8322340293f66c31379f7ee9001b2244b1
SHA256b0c46216997099743660e2c00cb684832f8386349997b56f51f537a873d7ef47
SHA512554107290ace1effd1c57a5923d28a42e46362163140a6a1c1655475773d1904bcc8382fc03d496cbd6a7114fc0228f83fc0c114291b3d0f17ff527b91c623ad
-
Filesize
2KB
MD59e104d1380d39fb9b1c88ef77a05444e
SHA184a5e0314dc5fa6732c60b4cc2bf2b5d31862f1c
SHA256f392561c2c0087554688cd1863aed5780a97ff635060cde67ecb15d8ecdd8ed1
SHA51279507a01079697c4d8c5b1aff54fc299c6a962bce098e93460090d48ce553b193085065dac94f9a992e393764897c3a2e084d32c7bc034bb26975aa73e7e77e8
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
1KB
MD5dabe93a03c5560ab1670cf79b8d28566
SHA169738fe43d4550ece028ff2795a54bbad0985414
SHA256743e8b28a38e98ea27ef07f17b7529976979c7b01eab92586a6cb686c0d1f68d
SHA51215b3b49c46901e00a73def834225df28fd843af1e9ae594c7d061406209f6ce57277673c9c1ae3ed541f989fa499fd3e88929e00ebded6d23301f8d3680a6c57
-
Filesize
195KB
MD57ea9da3dd3db6f3fadf04ac76b54434b
SHA1b30b950191046d999e71aaa54fb2648c6655ce9b
SHA256947bce97211371e730a2b8b79c2ec4d154904e8faa7bed2583c5c6c420230170
SHA512f94eb382dedb8c3952dbc0f3b9040201455cec641c845bedf5765a2772aa98cb20d92b3e0edadcd92fd7cdb77e7c6f37d26bdd276cceea733237e28f04240f9d
-
Filesize
1KB
MD5bc46413561865400173b7ec0ee591a95
SHA18eba474ca91bf36a4e93ae918f0dbd78f93f45b6
SHA256563ce36bbfac5a0c1b1f55e68ce9efae199192d27a058d268a30b0b3d0095ec3
SHA512fe19192ddba215d2612b91dd129a7922192afc9e0b41bab410367bd3db3eb525442949ddaa8d53ab402f637a709d4b5a6b15e40cfcbe7aebbe5d8878c6e218d4
-
Filesize
166KB
MD557fcc042b0f7783567878d217ae69e25
SHA183032ec361ea8b15ef956536999b754db6a12423
SHA25613bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
SHA5124fe2ce713333d9a16d65ca5ccdc3a2e687b84a58b6b1e43b43c3f508edb2cc04478a5595efc43202decf7f86b50fd43382246fbc12553117a9177fb13d987b67
-
Filesize
10KB
MD5087bcef76143b81090deef4ee4679995
SHA16ebd4fd212d0583157ae03bb0eb5841c53e281fc
SHA25687334eb3f39cffdfeed453f67a7c338fe378b75c49946451ca1a0e4e151bba00
SHA512b2f93705760d4d1cf5fe0ac354100916d16b6c4fd62117254238a600aabe6257fc791f1ce498bd2d0cfdd47e19f304dc5a68a06b7958658f34859afaa582ed4d
-
Filesize
624KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
200KB
-
Filesize
24KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB