Analysis
-
max time kernel
59s -
max time network
60s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 21:05
General
-
Target
ad58a779119b226a8f322acfc28bb19997def17a0c4a3f17ab4c57d83269650a.xls
-
Size
192KB
-
MD5
6917e598649923e5cf22957e24caffa4
-
SHA1
6365e7abd6413cec0f51ff997cdba24e263ccbe4
-
SHA256
ad58a779119b226a8f322acfc28bb19997def17a0c4a3f17ab4c57d83269650a
-
SHA512
d5c3b9b7ab59a0ac8d94205a7748a06b194d6bd2921ee6fd799306d4802fd5b785aaf31cf422c9dfa4d671571729d10bbfdcea4cba37088cfc7cc88e0671552d
-
SSDEEP
3072:DrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:nxEtjPOtioVjDGUU1qfDlavx+W2QnAqE
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ad58a779119b226a8f322acfc28bb19997def17a0c4a3f17ab4c57d83269650a.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\PFLLTU.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDB0.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 806⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 784 -ip 7841⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD5468c10fe6e033605fdc3eb77dac1a0b9
SHA1f2afc12dc5c537c067334987f42d0e23457d50ae
SHA2566f1ccbff6df00d9812182caa9e98b2ceea1f056527efff69f28f38b1fac8b817
SHA5127e08a6d72c7d809edd92fe4560008f69fd98d2f0d802bea341acb6ef6fb7beb073e953b838a735761ea0d081749982bb16426e322923596feed78d08ad79e77d
-
Filesize
471B
MD5e81d1a452656da5266f453cb1a0fbcd4
SHA1142b115501d7af306d8f887be66bc89e92e81521
SHA2560a36be52eebc55142cc433203364f79cbe29bef5a6d0ce4bbf04fa41656de368
SHA5124f782226101f3d628a7853c1ed828b16acd3fded03b3dc3329a68f3cf6f1c2c8a9748ff4abd5970c74244a7656eeafd2f3041743a8961ad0fced2843f2cbc987
-
Filesize
192B
MD5a481b67e8df7aa67d43362b4e2f7d704
SHA161c59ad5ed40fa3dbf5ab2e1570f7795f71e694b
SHA2560c37ad033da3a2fad2e47f91110bbb48fe5ee0205205d401fcf06c1c18d9b407
SHA5121d7fff182a0fcf05eb6ae26bd74f4212c6890e791fae01f6c3efe38e4bc98aadabb1b4db798d0a581b2b5410dc399fe24d6a5a9e2ad403157e5fec9b37355ef9
-
Filesize
546B
MD5aebbe40ef668316003f84b3ec34cdbb2
SHA130c1c70ac27af855c584c3a625f7b758193cf9b4
SHA2563ec413f7e44d729d8b619db58852e45f588b01281354a7b9dfbe5f845d8e3b76
SHA5126f37a1419f990181b833deab603656758439e644bdc31384cbf68a2625ea1da35c7f5b3621ab6e5c42a022eea3ac33fd1bcec6f67015b1e78089ec0104f6935b
-
Filesize
412B
MD5bcb50fac78c50d0d5f1ac517c93920a5
SHA160436db795d371f4b9c8fd307ef93091c4d289c7
SHA256d38cb1fa09ed15855256bcaa532e23261a6498b411599ca7e3796896a9bad0cc
SHA512f2593f3c54925f639a8a4fb1b24a2ee30eefcc6b35842e6214e272aba1cc38d0f4e8dd7c46d37b5765ce2af51514102324b705de673bf32a77d345a826d8709e
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD5429a0d3d3bf29929cd1341eb30099a7e
SHA1c245ada30b72844e1253ade51edde7da533ec9ce
SHA2567e9d31938a1800f8d90b0c05fcc7a351cbad367b64b25b129cacf9c3b62416e3
SHA512974bd8598e59425fca03edd02f818d3051ebb5fcf10b7afc107474a03c242592255beef2004d8faf60d343bdefcf651811c1bacb81f2f9a5581a143cd2af794a
-
Filesize
10KB
MD56d0b7d17a386ed150dcd9ad2836161e7
SHA1109a9eb7b4b53a5f5705b8a01248b2ce9005f48f
SHA256e7650175b7bb2c49e74be8f2b162f11b7e8b9845b6f7ce2ea610223e2bb89449
SHA512ae4321f921e9a3eba8c4b162150c2ae95a46a71aece9c3f1c3a8301cd4f4f2f95a7fa15213729a8d495a18ce8c99366772af8333039f0e8c987fa075516d2ab9
-
Filesize
2KB
MD5cc7c748d75ebabbbe7d1b0c9d39bf029
SHA16e8144cb8b7f7d0573ecd8a991e315726fa9c6f4
SHA256bb3a16ffa02a8d964fed91d8a1c7eb587731dec6ec08eeb6ad48aef625289302
SHA51239f152d7fe8592f448bf887309c7558f77b1015cc884b15232d2898a1a2eb64aa45eb8200676abedb93d4f3013ac759e847de8dbc457d1cd573f6359f0c530d9
-
Filesize
2KB
MD598e10a4834b46a2814ca0253cf5b2cdc
SHA11cf9ecee04aab640c64c21a05784c32b538f96f9
SHA256b97a97129cbeb1f768930c3ed7b2c13bfd097e4852c65f837f04392bdfa6b08a
SHA5125d5cd793854dbf6cd038dc75a4d5ec38f8a347b560ff32e55447c4dc2cb43793e0459c63be2e6f7fbcf420918f6e21d114836a203d8aee2abe0aaefc94284b3d
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
195KB
MD57ea9da3dd3db6f3fadf04ac76b54434b
SHA1b30b950191046d999e71aaa54fb2648c6655ce9b
SHA256947bce97211371e730a2b8b79c2ec4d154904e8faa7bed2583c5c6c420230170
SHA512f94eb382dedb8c3952dbc0f3b9040201455cec641c845bedf5765a2772aa98cb20d92b3e0edadcd92fd7cdb77e7c6f37d26bdd276cceea733237e28f04240f9d
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
1KB
MD5cc40a6eae97c5cdd7a7703ce942ccd3d
SHA18d949d56d96f6e97707effbc24e07fe2c3fdfb69
SHA25640659bcf06073bc4b2c45b47460555e023593b150d1cd85426379f0e149125f6
SHA512f4debf6fc2b104dee278ae07990cb99ed897b4a8ca44823219bb076c403298ab69b1cf5738dc9f89a3dcb4adf6a94e771546e7f0bc038753eef43b61c5c49fdb
-
Filesize
166KB
MD557fcc042b0f7783567878d217ae69e25
SHA183032ec361ea8b15ef956536999b754db6a12423
SHA25613bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
SHA5124fe2ce713333d9a16d65ca5ccdc3a2e687b84a58b6b1e43b43c3f508edb2cc04478a5595efc43202decf7f86b50fd43382246fbc12553117a9177fb13d987b67
-
Filesize
10KB
MD5087bcef76143b81090deef4ee4679995
SHA16ebd4fd212d0583157ae03bb0eb5841c53e281fc
SHA25687334eb3f39cffdfeed453f67a7c338fe378b75c49946451ca1a0e4e151bba00
SHA512b2f93705760d4d1cf5fe0ac354100916d16b6c4fd62117254238a600aabe6257fc791f1ce498bd2d0cfdd47e19f304dc5a68a06b7958658f34859afaa582ed4d
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
24KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
200KB
-
Filesize
24KB
-
Filesize
192KB
-
Filesize
200KB