Analysis
-
max time kernel
51s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 21:23
General
-
Target
8464e28250faf8cc3d316329b9b39cbc029659d93db9da3086ce9fc5e37bbcd1.xls
-
Size
192KB
-
MD5
4b5efde48442f60d1563164c1e728061
-
SHA1
f371b6ea0311f9175c78102e3a087ab5fc7fe687
-
SHA256
8464e28250faf8cc3d316329b9b39cbc029659d93db9da3086ce9fc5e37bbcd1
-
SHA512
cc18300b59ad15c59fd3dd96a88df4cb4526da5b7bb92dffd0c4fe6c616268d0de0197a59b2b403ae6f35d7e027137d7db6baa713e74c3401abd58b1d101cbd8
-
SSDEEP
3072:PrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:zxEtjPOtioVjDGUU1qfDlavx+W2QnAqE
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8464e28250faf8cc3d316329b9b39cbc029659d93db9da3086ce9fc5e37bbcd1.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\PFLLTU.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmp28EF.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD5468c10fe6e033605fdc3eb77dac1a0b9
SHA1f2afc12dc5c537c067334987f42d0e23457d50ae
SHA2566f1ccbff6df00d9812182caa9e98b2ceea1f056527efff69f28f38b1fac8b817
SHA5127e08a6d72c7d809edd92fe4560008f69fd98d2f0d802bea341acb6ef6fb7beb073e953b838a735761ea0d081749982bb16426e322923596feed78d08ad79e77d
-
Filesize
471B
MD5e81d1a452656da5266f453cb1a0fbcd4
SHA1142b115501d7af306d8f887be66bc89e92e81521
SHA2560a36be52eebc55142cc433203364f79cbe29bef5a6d0ce4bbf04fa41656de368
SHA5124f782226101f3d628a7853c1ed828b16acd3fded03b3dc3329a68f3cf6f1c2c8a9748ff4abd5970c74244a7656eeafd2f3041743a8961ad0fced2843f2cbc987
-
Filesize
192B
MD5eb28c3f8629a44d4bcab5fec606ea152
SHA1dcfd2879bc1cdc2cddaa04085fac77d5e5dca29a
SHA2567f3796c4d3a7acb2e6cf1f21f363a8f6d3c3f45afaf5dd10c1eef8ce0fe89663
SHA512dd64f42dc3ba08ff614f9988842e4d0eb759a3763b3f9ff7b48848bf75e8ca3a9874d7d77e7dae06f0f2519c0870f6d8d1c3bce8acda1d869fce01f04f524f46
-
Filesize
546B
MD5617d99ef814eecd9b5d35fe35ef02686
SHA1c6bbeef9cc1bbb96fc70c9ac1a3f84ffcd5ef39b
SHA256bb7adbc01b0124dea5c98a0113f5b2035a56df4bb1cf02cb3488a04cccfc0c10
SHA5125072acad5eb018f80f2a9f1c68ea6fa6f6fab4ccdbfd52a217a69fb3344623a83a62c630e7e2c38e8646cac82448af3223f3b03f1c9f2401fa64e70a7989ab0c
-
Filesize
412B
MD5a1510f15ba574db10028412a8434c7ed
SHA19f7af7f3195da72ed91ea32d4291db82bd3b21c3
SHA256477f41765b1c19fa0b319f64803d655e9b0b9906581483f85b9b9bb10057a32b
SHA5128ee6f13d32c7b495f0868129327a3e136f382f06731bad68543434f89611a104b99fe5980417fc6a478c9d80952c868a69576e5418b93f9cac21b963157749be
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD522e6bcbacff9c27a6ffbfb6cd0b5b7b7
SHA1ddb0cc13148f0d8a676acd3b3005f381be1d0cbf
SHA256629cf68d80030ac404911e9a8f4a9fe0e74b892f5a4a1e8faec4d7cfe6cae004
SHA512e17b80cf559c3161dbca3fdaa27acc35b0b7c7433d9b3a3708b638c63bde8574faa9f23e27e98cb96d8ce5372f6e35b19dd47bcff1abebf249f24faa6ac2526c
-
Filesize
11KB
MD5a4a6453aadfeaa5418d53d5ceb22266e
SHA16852b4a5a560679424d5e39ac45f15d867ca61e0
SHA2564dec891525e421844632771d50c9b590b403881be162e398c58c0d768b7fbe99
SHA51227ffcad70f01313ed96c2cec2ac38baaa71f21142d8fddb98f171d877cfa635abc8e54e833aa02f020deb249a48293128519dbd3e8745c84a687f43a8ec126da
-
Filesize
2KB
MD537448683bbd7f4b809306ac44a25d4d4
SHA1993b5c2ef7386815dc5634d9b0ccc03ae74190e9
SHA256b2f930aa36b56ddddddea0c5cb6691e34aa6f2baa1a702b41ba132b8c19346e8
SHA512e9b51b601d123bc1b5c7b28da3dd40d5dd7620e69abf8a3762e2516d78df23e49f51ba36e04276d7da5b03b092d93d622b8ba60083ea9dfa03ed023c27cbd798
-
Filesize
2KB
MD5cbee91b9bd1498e3cb3fa3751b731d11
SHA1a6db4d4ce263caffd99abbae727b1b9d1c54d6a6
SHA2567b23882aa6d8b67c99b86d2ed70e8a6a9e548044dcb834364cc78d25c8eabe0e
SHA512144303abf992e9c23ff279585977ccd99c0f98dfafc32caceb8dd1f5236855a36072cb9ef721c7411394939ddf749e0bada68c21238e311ff21d60b8cb282b68
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
1KB
MD5dabe93a03c5560ab1670cf79b8d28566
SHA169738fe43d4550ece028ff2795a54bbad0985414
SHA256743e8b28a38e98ea27ef07f17b7529976979c7b01eab92586a6cb686c0d1f68d
SHA51215b3b49c46901e00a73def834225df28fd843af1e9ae594c7d061406209f6ce57277673c9c1ae3ed541f989fa499fd3e88929e00ebded6d23301f8d3680a6c57
-
Filesize
195KB
MD57ea9da3dd3db6f3fadf04ac76b54434b
SHA1b30b950191046d999e71aaa54fb2648c6655ce9b
SHA256947bce97211371e730a2b8b79c2ec4d154904e8faa7bed2583c5c6c420230170
SHA512f94eb382dedb8c3952dbc0f3b9040201455cec641c845bedf5765a2772aa98cb20d92b3e0edadcd92fd7cdb77e7c6f37d26bdd276cceea733237e28f04240f9d
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
3KB
MD50ae6b6b085c6e09ef80efa1a7e85a38d
SHA1e6bd822d2ed3e5e6d05d98dbd749c9295eba6c70
SHA256c55f67458a7f49c0e59dfb0c3d56295b8ebd288213896189b9949d049482b719
SHA51232010a6b20b068777e6591c23163048f3d77bd19afb077899ec2974a2276d1fa597380ec77a2d1b14f4b65cbcf7583e465ce2542f24bedbbc61991a5c922df40
-
Filesize
166KB
MD557fcc042b0f7783567878d217ae69e25
SHA183032ec361ea8b15ef956536999b754db6a12423
SHA25613bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
SHA5124fe2ce713333d9a16d65ca5ccdc3a2e687b84a58b6b1e43b43c3f508edb2cc04478a5595efc43202decf7f86b50fd43382246fbc12553117a9177fb13d987b67
-
Filesize
10KB
MD5087bcef76143b81090deef4ee4679995
SHA16ebd4fd212d0583157ae03bb0eb5841c53e281fc
SHA25687334eb3f39cffdfeed453f67a7c338fe378b75c49946451ca1a0e4e151bba00
SHA512b2f93705760d4d1cf5fe0ac354100916d16b6c4fd62117254238a600aabe6257fc791f1ce498bd2d0cfdd47e19f304dc5a68a06b7958658f34859afaa582ed4d
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
24KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
200KB
-
Filesize
24KB
-
Filesize
192KB
-
Filesize
200KB
-
Filesize
72KB