Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-12-2024 02:27
General
-
Target
75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a.xls
-
Size
192KB
-
MD5
31795aff2f438defa01c82368886353c
-
SHA1
3f4c6dfa01693fea70f3113c11aeb5812b0c6cdb
-
SHA256
75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a
-
SHA512
9ceebe6f8c7ee47b23c9e9350b7afdb21064edc45009ad8d1400566959d669b5aa2fd426d19c3302d701e05d5a09e9ed4088c1869168f4237b2b7417e21a49df
-
SSDEEP
6144:BxEtjPOtioVjDGUU1qfDlavx+W2QnAu+Ly9ckwDwPq5XlsqhwxNNipu:s+VkGUqLsqyi
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 25 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\75a5568c91850b8332bf8ac3d6a0acbe24a2bbb9a7941994709ba3cbaa255c5a.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\TDCNX.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD968.tmp" /F6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 806⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 804⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3708 -ip 37081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4604 -ip 46041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 13481⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD5468c10fe6e033605fdc3eb77dac1a0b9
SHA1f2afc12dc5c537c067334987f42d0e23457d50ae
SHA2566f1ccbff6df00d9812182caa9e98b2ceea1f056527efff69f28f38b1fac8b817
SHA5127e08a6d72c7d809edd92fe4560008f69fd98d2f0d802bea341acb6ef6fb7beb073e953b838a735761ea0d081749982bb16426e322923596feed78d08ad79e77d
-
Filesize
471B
MD5b51ec1bb8e0b2545ab3f8edd052142fc
SHA12b01f53f310e9924c290b045804475401062357e
SHA2563a1146c1f4bf199350370cbac825d792895128cda813fed5020df57d0935def1
SHA51200341b3a3d843c8647eb9e96153db3f1792acba43fe394d9d2aee536e597ef8c492fb1e3f6616bc5aff99b106e71b2fdc335f425ac1405cd432e221fdbde5ac9
-
Filesize
192B
MD5e5e5ad30cc54b54ed0f224c1b5cfe934
SHA1e53bcf84ae673d8552ae51787b8278e2a07d335c
SHA256859e2d2b36a9986ec27a85b4fd5380013e53715a60d0963490062c05962399e5
SHA512c1c6f570ad4521d1c33fb2e93ebbe266157afc0cc96886ace66b61b40384f1b2c24d085cb83b05251fe9ae62ea6e1cc28ad1764370f6a0021dbd90a9720429f8
-
Filesize
546B
MD5cf2fb120a2bb418b5e0aeaada4a8edeb
SHA104f12118d447b0fa421a58c292a9721b1bdef4a7
SHA256a770642f86b957ef448c10613b57cf7f67a753fc117e34df4d9c9117dfc89968
SHA5126dd4fb7362b927c963d03a944a66f3dc64fcc6283a616fd1e288647a9004a29e2c17b34630b58a04a97a376589787ec3a5dd7bb498a7015f2a0ce1e6eb4b2d5e
-
Filesize
420B
MD51e2b2ead90047ea05eb457a1ffcb4927
SHA1bfb99bf007ea25ab3bb37c9937a9eb49ec57b01c
SHA2562d3f5708f48f3d6acb2c288d3e646ae294de3a93d7e09df07d038633b7952c5e
SHA512046678f20e197aea208dff80f085dd255e01825b1124dc3673e5927680130327057c03e11375bbb77f1fcdb4f3129e1dbcc091e0869797bfb474c7822d5b774b
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
Filesize
176KB
MD5fd05b1f3e1d2aece8e3a30051cd16992
SHA1576bc5828750d281d27c4381813e8b999a2deb93
SHA2560e1c2190f93910d583c26e2c8a327792dc501cb9d4604046f585d48f95db4432
SHA51242640125365898866df5b98cbb1ba1538574c74247cddab03362a3f87a2cba82293d0d78efa552f8433e5c0f0cb12e0eea751c324e16f7fc341c979675a48d78
-
Filesize
11KB
MD5885b92d980248e66356c6adc2cb6e774
SHA13e7dd35f6499330f4e95b9100e587bde9e675060
SHA2568b22ca3aca95fb6231262e7e4f1af7aaa34b450f3aea35291795a246971d154d
SHA5125637d873d9549abc27054328b8e7b5816ab48389fd8fa2ee21adc9e21317b57339551f7f175f995362f0f49068199da96e3f96a15d45d8395d18355e3322a865
-
Filesize
2KB
MD527ca10bdbbcf15ed9725d0eed3f7a762
SHA13342bba35f8d9c17f67022f4fd0df26acb56d32e
SHA2568ee7c420753658a2df878df4b16a85009fec7ec8349386dff78073bad5ff8063
SHA512bfc5ac1b3896c58af0c0656d4815fb93ff16c62c4eb7d6b75c4a99b9e3ad8565737c6fa375f327e48fc00d122ca5d1d8f39a4a9d43fa5f6fdc540134e86449f5
-
Filesize
2KB
MD51e3a49d0a5fef184912a43f8196372d7
SHA11b3490f9a0adc65724c5ce572d44b5c389ca9994
SHA2562faeecbdafc71e525ad8c917325a53101af9e652cebc69c4506f057f13b57e53
SHA5121c95ffc49022a514108338623c70fff61ca240a47904496a92ac4051a5da0140133257ee138ce50268a107e49018dab0bde85d1932a1e8acb3379026b6a6cf42
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
1KB
MD5284e416e02187ce3d7f57e1f6de8e9ff
SHA1eb99094dfd8e312947b03befb46dca38fbe1ee27
SHA256bc0fa777e4a5772ae4af0eef1df3c5fc3253042a9072281bb95f56a92f3136b2
SHA512961df349b8685fed8325c5067a1de2513d505f002e4304a78834c52fd6827e689aa8908797636f4ad79c47004a772a4b0b1f665bf70f71de7bfdc78d057ea1c7
-
Filesize
195KB
MD57ea9da3dd3db6f3fadf04ac76b54434b
SHA1b30b950191046d999e71aaa54fb2648c6655ce9b
SHA256947bce97211371e730a2b8b79c2ec4d154904e8faa7bed2583c5c6c420230170
SHA512f94eb382dedb8c3952dbc0f3b9040201455cec641c845bedf5765a2772aa98cb20d92b3e0edadcd92fd7cdb77e7c6f37d26bdd276cceea733237e28f04240f9d
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
166KB
MD557fcc042b0f7783567878d217ae69e25
SHA183032ec361ea8b15ef956536999b754db6a12423
SHA25613bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
SHA5124fe2ce713333d9a16d65ca5ccdc3a2e687b84a58b6b1e43b43c3f508edb2cc04478a5595efc43202decf7f86b50fd43382246fbc12553117a9177fb13d987b67
-
Filesize
10KB
MD5087bcef76143b81090deef4ee4679995
SHA16ebd4fd212d0583157ae03bb0eb5841c53e281fc
SHA25687334eb3f39cffdfeed453f67a7c338fe378b75c49946451ca1a0e4e151bba00
SHA512b2f93705760d4d1cf5fe0ac354100916d16b6c4fd62117254238a600aabe6257fc791f1ce498bd2d0cfdd47e19f304dc5a68a06b7958658f34859afaa582ed4d
-
Filesize
5.6MB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
200KB
-
Filesize
24KB
-
Filesize
72KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB