Analysis
-
max time kernel
50s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 21:07
General
-
Target
b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b.xls
-
Size
192KB
-
MD5
a0d948d0fbf62f7e4b6e54892a49ccf6
-
SHA1
151f7cc6960406e3ce9d3579c483e820daa074f2
-
SHA256
b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b
-
SHA512
3cec3d407ee2146f931f64114d545e00ef5d81a9cfbe44fca8e5822d20efa71c77eda92750fff277a26d7314da92e4b272642eda74ac4ea62b9435ff23860e72
-
SSDEEP
3072:brxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAq3OLFyhxTchWwaZYwP+1oVET5K8lsq/:/xEtjPOtioVjDGUU1qfDlavx+W2QnAqE
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b8e91461d8d0db828a63eee57785437e8a0f2e939c2f576e1f5569917e6a348b.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\PFLLTU.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 806⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 726⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD1F6.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2476 -ip 24761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 408 -ip 4081⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD5468c10fe6e033605fdc3eb77dac1a0b9
SHA1f2afc12dc5c537c067334987f42d0e23457d50ae
SHA2566f1ccbff6df00d9812182caa9e98b2ceea1f056527efff69f28f38b1fac8b817
SHA5127e08a6d72c7d809edd92fe4560008f69fd98d2f0d802bea341acb6ef6fb7beb073e953b838a735761ea0d081749982bb16426e322923596feed78d08ad79e77d
-
Filesize
471B
MD5b51ec1bb8e0b2545ab3f8edd052142fc
SHA12b01f53f310e9924c290b045804475401062357e
SHA2563a1146c1f4bf199350370cbac825d792895128cda813fed5020df57d0935def1
SHA51200341b3a3d843c8647eb9e96153db3f1792acba43fe394d9d2aee536e597ef8c492fb1e3f6616bc5aff99b106e71b2fdc335f425ac1405cd432e221fdbde5ac9
-
Filesize
192B
MD5bd01e0b563598b8087d5cdeed6d39e96
SHA153f9fdf4f26c4ab7ad66817e6622f2e4b96cef69
SHA2569fd792d79bb6dd29a134a2f8b0e15602661e124f492c94a3c3102f5983738aa7
SHA512c5802dd57e71e2ee35d5d895e3d3da3a51e4b963683c25d87cad4f983df4ebb860e44858d4d0fce9b5022808f8b753c30a280e35e9629b73f2ec959de532586c
-
Filesize
546B
MD52d3092c269e09c15660aa4567590e780
SHA1a2174d878f36d2d5b652686c6a1d61f0ee5a899b
SHA2561502cb07d0ed6674eeac533577b8b3f8f417994c4f6ac5078b4ef454427c1f2d
SHA5129903a9e24caf77f5cfcc9595b919e2cedf92e414f32d69bb70e9da548f8d1933121ec09d8a6aa94aa18133d1619d64ccd2d0d29a5100ae717c014b547cf9a95c
-
Filesize
420B
MD5f5ebd63233558b26d87423c3be899ed4
SHA1b9a3197eee7e49a6796d927692a0c8592f9bd382
SHA2568103a53ef277b9bd337b0804594dea083f842960c9c545fcd84c9cc5effe93cc
SHA51217d562f9ab93b6ab23822b51b88278ea4fa53c2b85ce53e74fa2bd1f2ea5807865a9408856061d4e0d48d11a2e473d72171d238dbac6985e301fa42ece4dc403
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD5acc10f3576725098f9e6a7f906a203d3
SHA1633e3eec3c78baf0513327ae0b231810332f9957
SHA2567ab634be5c794e4c96edd0600024f89968221ce82d7c9d28f5fb43c0b70436e2
SHA512e5662f43b55d997a0ba383e5dd83e64c06e228209ea8cd33def94391da22e5b433b664eb44759d570a303deee34585c8c8439d4ca16569248f22bd02f33f8080
-
Filesize
10KB
MD51faf25114cd4b68b55a42a744af76909
SHA1275e0d006cb92b771f6eaa93e5c0766f07197615
SHA256b27729777763f06f1fbef55e4575a1c26ad4983a869775290ddb186518463f59
SHA51261e940c2a717ecb7339f23b7083b2a15f82716f3a93be0b0104ca1278e0a3044d881975df0e7425a39f937099013a6e58138416e9ebae47018ddff5b5728a2b1
-
Filesize
2KB
MD5d609e6fb7c5cc9723325c6870584994b
SHA1ceec5524bfa3bcbed2cae96de7ae63adbca3cd98
SHA256fe708e53ecb42e55310daad6045a3a126f78e4d1d2fc7b3e5a6a92ef3eeb5177
SHA512088b80e1276ffad9c894ad083890a880d83dcdf4f499772f1d6d7c2cd6b3ed7c080e46f227b8e711707ba34e614a7872d8a34cd96a3cc13e5b8c10b74b8a9faf
-
Filesize
2KB
MD5d5c2d92c0b70e47ae59d9f4524ee0109
SHA1bc9106c7564b358f316fc714bf6a9a61bdd862fa
SHA256fa44bfb343f43f691a475a06cc16c77fe2529950e31fae1430eee82d9d2aa9ff
SHA5129d4cad635408bc5d688a10edcdf7920c686535e421a713fe16c3691dc10afa33cc4a9b0d0222a82392cc52d7297f3df502a09eb86944a9fe73e628a33e6269f8
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
1KB
MD5dabe93a03c5560ab1670cf79b8d28566
SHA169738fe43d4550ece028ff2795a54bbad0985414
SHA256743e8b28a38e98ea27ef07f17b7529976979c7b01eab92586a6cb686c0d1f68d
SHA51215b3b49c46901e00a73def834225df28fd843af1e9ae594c7d061406209f6ce57277673c9c1ae3ed541f989fa499fd3e88929e00ebded6d23301f8d3680a6c57
-
Filesize
195KB
MD57ea9da3dd3db6f3fadf04ac76b54434b
SHA1b30b950191046d999e71aaa54fb2648c6655ce9b
SHA256947bce97211371e730a2b8b79c2ec4d154904e8faa7bed2583c5c6c420230170
SHA512f94eb382dedb8c3952dbc0f3b9040201455cec641c845bedf5765a2772aa98cb20d92b3e0edadcd92fd7cdb77e7c6f37d26bdd276cceea733237e28f04240f9d
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
1KB
MD56aee2e69dc8f1f36255cc89b663f5f32
SHA1e8045afc1c1027415565e8abc762bd1a7c4efbcb
SHA25660412f5b5eaf82ee9fd42305cb4296ee4a58b66a1f0592acf9988965da26d14e
SHA51283c2244e8f9fa899d3b7b3c9ab42cd7a2e4dd19441da53ae22e9f286c880fb8b08f59ea3bbb69d316e6242903b93e7b165b6d6f7945d85a7aeb9d4638c875927
-
Filesize
166KB
MD557fcc042b0f7783567878d217ae69e25
SHA183032ec361ea8b15ef956536999b754db6a12423
SHA25613bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
SHA5124fe2ce713333d9a16d65ca5ccdc3a2e687b84a58b6b1e43b43c3f508edb2cc04478a5595efc43202decf7f86b50fd43382246fbc12553117a9177fb13d987b67
-
Filesize
10KB
MD5087bcef76143b81090deef4ee4679995
SHA16ebd4fd212d0583157ae03bb0eb5841c53e281fc
SHA25687334eb3f39cffdfeed453f67a7c338fe378b75c49946451ca1a0e4e151bba00
SHA512b2f93705760d4d1cf5fe0ac354100916d16b6c4fd62117254238a600aabe6257fc791f1ce498bd2d0cfdd47e19f304dc5a68a06b7958658f34859afaa582ed4d
-
Filesize
72KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
24KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
200KB
-
Filesize
24KB
-
Filesize
192KB