xenorat | 3106e90067456404a9f3e768ce3b60de6ae91fa2be664255ad6fe86c3f87e67d

Analysis

max time kernel
139s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3106e90067456404a9f3e768ce3b60de6ae91fa2be664255ad6fe86c3f87e67d.doc
Size

195KB
MD5

13326ed69d36aaa385c5eba9fa6e5cc2
SHA1

66946fa69204b91787c7eabb91c1fd8452b1cc24
SHA256

3106e90067456404a9f3e768ce3b60de6ae91fa2be664255ad6fe86c3f87e67d
SHA512

39e5df1db48b1afe1c2bf7f2b8ccfca38b0fd4c49dd04884299fcc8adc633e6171a8756bf9eca65ac37b59ce6ef4a3fb3c761848a94c04d9afe725a53d008edd
SSDEEP

3072:j877VGZ5Sd3b4e0wNZtsqXNKd5AvDJW4S+I/tZ6X1bpF6mIJ88:6GZYwAZHMCDJ8/u5pAmIe8

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes

delay
12000
install_path
appdata
port
4567
startup_name
mrec

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2020-64-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat
behavioral1/memory/2020-66-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat
behavioral1/memory/2020-70-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
2900	KKSTV.exe
1956	KKSTV.exe
2020	KKSTV.exe
2880	KKSTV.exe
2872	KKSTV.exe
1876	KKSTV.exe
1580	KKSTV.exe
1368	KKSTV.exe

Loads dropped DLL 5 IoCs

pid	Process
2556	WINWORD.EXE
2556	WINWORD.EXE
2556	WINWORD.EXE
2556	WINWORD.EXE
2020	KKSTV.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 1956	2900	KKSTV.exe	34
PID 2900 set thread context of 2020	2900	KKSTV.exe	35
PID 2900 set thread context of 2880	2900	KKSTV.exe	36
PID 2872 set thread context of 1876	2872	KKSTV.exe	38
PID 2872 set thread context of 1580	2872	KKSTV.exe	39
PID 2872 set thread context of 1368	2872	KKSTV.exe	40

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKSTV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKSTV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKSTV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKSTV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KKSTV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1736	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2556	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	KKSTV.exe
Token: SeDebugPrivilege	2872	KKSTV.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2556	WINWORD.EXE
2556	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2900	2556	WINWORD.EXE	32
PID 2556 wrote to memory of 2900	2556	WINWORD.EXE	32
PID 2556 wrote to memory of 2900	2556	WINWORD.EXE	32
PID 2556 wrote to memory of 2900	2556	WINWORD.EXE	32
PID 2900 wrote to memory of 1956	2900	KKSTV.exe	34
PID 2900 wrote to memory of 1956	2900	KKSTV.exe	34
PID 2900 wrote to memory of 1956	2900	KKSTV.exe	34
PID 2900 wrote to memory of 1956	2900	KKSTV.exe	34
PID 2900 wrote to memory of 1956	2900	KKSTV.exe	34
PID 2900 wrote to memory of 1956	2900	KKSTV.exe	34
PID 2900 wrote to memory of 1956	2900	KKSTV.exe	34
PID 2900 wrote to memory of 1956	2900	KKSTV.exe	34
PID 2900 wrote to memory of 1956	2900	KKSTV.exe	34
PID 2900 wrote to memory of 2020	2900	KKSTV.exe	35
PID 2900 wrote to memory of 2020	2900	KKSTV.exe	35
PID 2900 wrote to memory of 2020	2900	KKSTV.exe	35
PID 2900 wrote to memory of 2020	2900	KKSTV.exe	35
PID 2900 wrote to memory of 2020	2900	KKSTV.exe	35
PID 2900 wrote to memory of 2020	2900	KKSTV.exe	35
PID 2900 wrote to memory of 2020	2900	KKSTV.exe	35
PID 2900 wrote to memory of 2020	2900	KKSTV.exe	35
PID 2900 wrote to memory of 2020	2900	KKSTV.exe	35
PID 2900 wrote to memory of 2880	2900	KKSTV.exe	36
PID 2900 wrote to memory of 2880	2900	KKSTV.exe	36
PID 2900 wrote to memory of 2880	2900	KKSTV.exe	36
PID 2900 wrote to memory of 2880	2900	KKSTV.exe	36
PID 2900 wrote to memory of 2880	2900	KKSTV.exe	36
PID 2900 wrote to memory of 2880	2900	KKSTV.exe	36
PID 2900 wrote to memory of 2880	2900	KKSTV.exe	36
PID 2900 wrote to memory of 2880	2900	KKSTV.exe	36
PID 2900 wrote to memory of 2880	2900	KKSTV.exe	36
PID 2020 wrote to memory of 2872	2020	KKSTV.exe	37
PID 2020 wrote to memory of 2872	2020	KKSTV.exe	37
PID 2020 wrote to memory of 2872	2020	KKSTV.exe	37
PID 2020 wrote to memory of 2872	2020	KKSTV.exe	37
PID 2872 wrote to memory of 1876	2872	KKSTV.exe	38
PID 2872 wrote to memory of 1876	2872	KKSTV.exe	38
PID 2872 wrote to memory of 1876	2872	KKSTV.exe	38
PID 2872 wrote to memory of 1876	2872	KKSTV.exe	38
PID 2872 wrote to memory of 1876	2872	KKSTV.exe	38
PID 2872 wrote to memory of 1876	2872	KKSTV.exe	38
PID 2872 wrote to memory of 1876	2872	KKSTV.exe	38
PID 2872 wrote to memory of 1876	2872	KKSTV.exe	38
PID 2872 wrote to memory of 1876	2872	KKSTV.exe	38
PID 2872 wrote to memory of 1580	2872	KKSTV.exe	39
PID 2872 wrote to memory of 1580	2872	KKSTV.exe	39
PID 2872 wrote to memory of 1580	2872	KKSTV.exe	39
PID 2872 wrote to memory of 1580	2872	KKSTV.exe	39
PID 2872 wrote to memory of 1580	2872	KKSTV.exe	39
PID 2872 wrote to memory of 1580	2872	KKSTV.exe	39
PID 2872 wrote to memory of 1580	2872	KKSTV.exe	39
PID 2872 wrote to memory of 1580	2872	KKSTV.exe	39
PID 2872 wrote to memory of 1580	2872	KKSTV.exe	39
PID 2872 wrote to memory of 1368	2872	KKSTV.exe	40
PID 2872 wrote to memory of 1368	2872	KKSTV.exe	40
PID 2872 wrote to memory of 1368	2872	KKSTV.exe	40
PID 2872 wrote to memory of 1368	2872	KKSTV.exe	40
PID 2872 wrote to memory of 1368	2872	KKSTV.exe	40
PID 2872 wrote to memory of 1368	2872	KKSTV.exe	40
PID 2872 wrote to memory of 1368	2872	KKSTV.exe	40
PID 2872 wrote to memory of 1368	2872	KKSTV.exe	40
PID 2872 wrote to memory of 1368	2872	KKSTV.exe	40
PID 2556 wrote to memory of 2972	2556	WINWORD.EXE	41
PID 2556 wrote to memory of 2972	2556	WINWORD.EXE	41

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3106e90067456404a9f3e768ce3b60de6ae91fa2be664255ad6fe86c3f87e67d.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KKSTV.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KKSTV.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KKSTV.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KKSTV.exe
    3⤵
    - Executes dropped EXE
    PID:1956
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KKSTV.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KKSTV.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Roaming\UpdateManager\KKSTV.exe
      "C:\Users\Admin\AppData\Roaming\UpdateManager\KKSTV.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Users\Admin\AppData\Roaming\UpdateManager\KKSTV.exe
        
        C:\Users\Admin\AppData\Roaming\UpdateManager\KKSTV.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1876
    - - C:\Users\Admin\AppData\Roaming\UpdateManager\KKSTV.exe
        
        C:\Users\Admin\AppData\Roaming\UpdateManager\KKSTV.exe
        5⤵
        Executes dropped EXE
        
        PID:1580
    - - C:\Users\Admin\AppData\Roaming\UpdateManager\KKSTV.exe
        
        C:\Users\Admin\AppData\Roaming\UpdateManager\KKSTV.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmp19C8.tmp" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1736
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KKSTV.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KKSTV.exe
    3⤵
    - Executes dropped EXE
    PID:2880
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp19C8.tmp

Filesize
1KB

MD5
4ac989e31b6bccbe2e32754eaa42a23c

SHA1
a7dc7d8883e22446f21e939f1e71c8d7a865cb91

SHA256
3162349c6d4e77f26e99004bd9dca67e026609c8ab04ec20b0bac1e306b2eaef

SHA512
08f45a0b40101f4d8294a1d264f754936e0dc7e7903b547ab2321d9719ef92201dfd01084d7a432d6840f497c0e951c55ef3e38fa26e991d4cc3e3b9219a98df

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KKSTV.exe

Filesize
134KB

MD5
2e3fc79ea196be1dca52ad4349a9852e

SHA1
5faa13216b842a2bcfe69f0e957bf66f9754a642

SHA256
16dc85a46055c7a29c128797f13a87eab1891e85ccfe07a5e5f4bf5f11de7908

SHA512
cdb52fe05047cc1508412a5676f87b93506a18e346ddc029427f98006fb1f65d1748a7ddd57624f9f5ea9e4ad4209081d8246df2b4c6fd0b8b39e17d973da7e2

Download Submit
memory/2020-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2020-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2020-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2556-22-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-28-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-6-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-10-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-11-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-13-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-19-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-20-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-18-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-17-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-16-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-15-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-14-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-12-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-5-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-0-0x000000002FDD1000-0x000000002FDD2000-memory.dmp

Filesize
4KB

Download
memory/2556-29-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-8-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-27-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-26-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-25-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-24-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-23-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-21-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-9-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2556-91-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-7-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-4-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-2-0x000000007116D000-0x0000000071178000-memory.dmp

Filesize
44KB

Download
memory/2556-90-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/2556-89-0x000000007116D000-0x0000000071178000-memory.dmp

Filesize
44KB

Download
memory/2872-78-0x00000000009B0000-0x00000000009D6000-memory.dmp

Filesize
152KB

Download
memory/2900-61-0x0000000000530000-0x000000000055A000-memory.dmp

Filesize
168KB

Download
memory/2900-60-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads