Analysis
-
max time kernel
141s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-12-2024 02:19
General
-
Target
548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb.xls
-
Size
196KB
-
MD5
e700160268262e4b240c83c431f11299
-
SHA1
fdea2e1e5f0904c186a53bd325550707f7aa2699
-
SHA256
548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb
-
SHA512
2460d16d033021dad30dfa88e547118c05f151070233eb4e39a1e9a8e320fc76b23001f315eb5c3ea18c3f5721c22bfcd9fcae8cca4670ed5ddce5f6da56a0ad
-
SSDEEP
6144:wxEtjPOtioVjDGUU1qfDlavx+W2QnAj+Ly9ckwDwPq5XlsqYwxNNiprC:E+VkGUqLsqhi4
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\548a95874bd76148ec652a03f114709880801c322700821f24349d1950bd94cb.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\FYXUDCNXK.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA3C.tmp" /F6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 804⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4884 -ip 48841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3928 -ip 39281⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD5468c10fe6e033605fdc3eb77dac1a0b9
SHA1f2afc12dc5c537c067334987f42d0e23457d50ae
SHA2566f1ccbff6df00d9812182caa9e98b2ceea1f056527efff69f28f38b1fac8b817
SHA5127e08a6d72c7d809edd92fe4560008f69fd98d2f0d802bea341acb6ef6fb7beb073e953b838a735761ea0d081749982bb16426e322923596feed78d08ad79e77d
-
Filesize
471B
MD52acf368122d37891f4efc709886b793e
SHA19907a38938bcd709d8317568ccfcfda1d8c7ffc7
SHA2565d8bbdd66379c2b0b27d206e70fef5684043f3006a6049b6b8bd2358622ee1bc
SHA512936071e89f337c93249f59654145195e6af1bd6f97fc0554524b966d5b35141583b07811dd857f8e8331aa0aec3028698e28b9229d7d9dafc05dfe9b5f87da02
-
Filesize
192B
MD52a2dd7cb5429cdb2cecdae1b5782d335
SHA10818cd7904fdb715e9c6294460cf6e48b894bb4c
SHA2562a67eeecfd6b81294cfaa9a477c0389c0a401ee3cab78dbb46c9b25522c8efc5
SHA512d2a078fe9adfd35da233f58ad4a9e117b247abd6214b573a5c930135ff20f3c0bac416474083097806033ef0a5b583ee9315a27dc707ad487873669b4e9119ba
-
Filesize
546B
MD509225fc795d39b230084fc1ef634b073
SHA15bd69c9de5ea6ede3aa046aad350f6c7004a12cb
SHA256977af2677c9a85263680d9a41f262b522f414920c5ef9207cc38fcbfff900a75
SHA512eadbd9d2cc102629e3e2cf83abb006f6944893aedd397e126c38b732c3372768230da2adc22b773debbf508385bc8f92d176305fa700a3bd88d640df7de1cd30
-
Filesize
412B
MD5dcb973f3615ff0b7deb6f7e1248a7bca
SHA17b3b0b7a08688aae8428b400497bf91a1201459c
SHA2563924a982c7c175a44488a7f02c827fa5b8279813dfae7e4b19a5cda8fb93a9d7
SHA5129ea6e06096ae20e752b3a0aa987cb56f4a21637bcb69158379ca3e95f3fa6c5b40568cbdc85247872f99a45868bad4c66923b14481ecfc7f75269efb30efd92f
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD502935dd4026bf6c0c88bd92e804a33e0
SHA1dc6e2daa7a2b6a86d41a24c91c4017179e979c97
SHA25674ee92429113cd8294b874459dc9024d3db00de280c9a4d468b983824585fb85
SHA51215201c72aaaeb0b153e21e3f952957248a5a0c3cc8c8c1ea87165b24a85a03e4bc5a15de71053387f2ae98baa21ae0e00189b0abcc99f08760848fabd5973bda
-
Filesize
11KB
MD5889fa10cbc9ba1c3875fd7960dafbe8b
SHA16150a8122c2deb497c88cc1a05617851b0bda4b8
SHA256553e8beda56d4681d3a57db669469d060f0da66e2fca9f98f897b4d183c0f057
SHA512d49c368ae8b214fac141771fdd203b132bb9c7e3924d593af031b73fcf033622a79c262dd13fcfcd2c46427173f2840d221c7b0bb3c1d1db8d59c0a99d2c88b9
-
Filesize
2KB
MD5a026b2d29a178b79666cd284eac0104a
SHA1eb7d13b4583398a58f28589c5e0d4eaef12a2e7f
SHA256136810b268105c95f54921e5ac06a911706560d9f86461121e04ffc4ffdcd58c
SHA512d36f85b9723ebf1218ff2d7885ca4bc8a21d5fb7bdcabe8f7bb6cfc85e50518be046a6d2ade951910187a677e9034fea529143000814ad9829b99ef3ba44ed1b
-
Filesize
2KB
MD5388bee76f1d519266c1e7da50f640c02
SHA1e7202858539d3ea259c9b6418fff2d5fc38e678f
SHA256290bdcf0443b43f77b467b130aaf6d0bed7c606efd4d387191312a5ca1263de9
SHA512befc6ac73fec79ba250c1abdaa6e297a4851e3994955e9f034b866ef566113e6ce80697a191ffdab7b3961573f155b70db0b22baa3f3afa9f5633a124b95f503
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
1KB
MD5284e416e02187ce3d7f57e1f6de8e9ff
SHA1eb99094dfd8e312947b03befb46dca38fbe1ee27
SHA256bc0fa777e4a5772ae4af0eef1df3c5fc3253042a9072281bb95f56a92f3136b2
SHA512961df349b8685fed8325c5067a1de2513d505f002e4304a78834c52fd6827e689aa8908797636f4ad79c47004a772a4b0b1f665bf70f71de7bfdc78d057ea1c7
-
Filesize
195KB
MD57ea9da3dd3db6f3fadf04ac76b54434b
SHA1b30b950191046d999e71aaa54fb2648c6655ce9b
SHA256947bce97211371e730a2b8b79c2ec4d154904e8faa7bed2583c5c6c420230170
SHA512f94eb382dedb8c3952dbc0f3b9040201455cec641c845bedf5765a2772aa98cb20d92b3e0edadcd92fd7cdb77e7c6f37d26bdd276cceea733237e28f04240f9d
-
Filesize
1KB
MD5e1e9c5fff7fcfe5726e07afbe4f83571
SHA17865d54580997f7b1cebfde6e4f87b47d3d6265d
SHA25636912eed7c65f41b6c5ec8799ff8eb027463e52b243d11ab3e790d6652d464f3
SHA512bcc07800e30e186fe2603eff613d82eb793c04e9d64065f49349f8f9af253305f8d717b541030fbcb78f4e9df36121c9e1c1b9d213a8720c0fdc7cd347d61ba4
-
Filesize
10KB
MD5087bcef76143b81090deef4ee4679995
SHA16ebd4fd212d0583157ae03bb0eb5841c53e281fc
SHA25687334eb3f39cffdfeed453f67a7c338fe378b75c49946451ca1a0e4e151bba00
SHA512b2f93705760d4d1cf5fe0ac354100916d16b6c4fd62117254238a600aabe6257fc791f1ce498bd2d0cfdd47e19f304dc5a68a06b7958658f34859afaa582ed4d
-
Filesize
166KB
MD557fcc042b0f7783567878d217ae69e25
SHA183032ec361ea8b15ef956536999b754db6a12423
SHA25613bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
SHA5124fe2ce713333d9a16d65ca5ccdc3a2e687b84a58b6b1e43b43c3f508edb2cc04478a5595efc43202decf7f86b50fd43382246fbc12553117a9177fb13d987b67
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
200KB
-
Filesize
24KB
-
Filesize
72KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB