Overview

overview

10

Static

static

8

ec6627e48b...31.doc

windows7-x64

10

ec6627e48b...31.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 09:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec6627e48bb4c56abbb2a4563072e631.doc

  • Size

    191KB

  • MD5

    ec6627e48bb4c56abbb2a4563072e631

  • SHA1

    9e237643473c67940eb359bba09825114c7bc726

  • SHA256

    548212f42d5dc4965db354d6ce075422dcb3331a213fb0b5b662e08e59234829

  • SHA512

    4fb47dcf9e0fe13e038a88cc8c9e06ff1dde996d69281c505a07c3d4cc591e32770c1df8dac3da8d031f4868073ebde8202a7173dfd369b016aa2c69af2385a3

  • SSDEEP

    3072:Q877VGZ5Sd3b4e0wNZtsqXNKd5AvDJW4S+I/tZ6X1bpF6m+3b:9GZYwAZHMCDJ8/u5pAm0b

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

dns.stipamana.com

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    12000

  • install_path

    appdata

  • port

    4567

  • startup_name

    mrec

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ec6627e48bb4c56abbb2a4563072e631.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RUSYZH.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RUSYZH.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RUSYZH.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RUSYZH.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4120
        • C:\Users\Admin\AppData\Roaming\UpdateManager\RUSYZH.exe
          "C:\Users\Admin\AppData\Roaming\UpdateManager\RUSYZH.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1160
          • C:\Users\Admin\AppData\Roaming\UpdateManager\RUSYZH.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\RUSYZH.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3068
          • C:\Users\Admin\AppData\Roaming\UpdateManager\RUSYZH.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\RUSYZH.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4548
          • C:\Users\Admin\AppData\Roaming\UpdateManager\RUSYZH.exe
            C:\Users\Admin\AppData\Roaming\UpdateManager\RUSYZH.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1808
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RUSYZH.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RUSYZH.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC49.tmp" /F
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3276
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RUSYZH.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RUSYZH.exe
        3⤵
        • Executes dropped EXE
        PID:5100
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 80
          4⤵
          • Program crash
          PID:1496
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5100 -ip 5100
    1⤵
      PID:4508

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RUSYZH.exe.log
      Filesize

      706B

      MD5

      d95c58e609838928f0f49837cab7dfd2

      SHA1

      55e7139a1e3899195b92ed8771d1ca2c7d53c916

      SHA256

      0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

      SHA512

      405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TCDD597.tmp\iso690.xsl
      Filesize

      263KB

      MD5

      ff0e07eff1333cdf9fc2523d323dd654

      SHA1

      77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

      SHA256

      3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

      SHA512

      b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCC49.tmp
      Filesize

      1KB

      MD5

      9d9df2517964d8e049d41515f0d287c3

      SHA1

      2cf5f49554bbf0b73930d06b07e2bf12638d60b7

      SHA256

      03cddeda34c46e3bc77be33a37ae97dea02f4a2d6a8e4c3d208ca2bfa5bf242f

      SHA512

      807e30b096381211eebc6399bf879ce6f6aca5e0659a458403d4207f845c42f6a5f40eae8d00d94ad99917d94e4384e407428cd2f1c6837f9e8b12918f85c031

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
      Filesize

      16B

      MD5

      d29962abc88624befc0135579ae485ec

      SHA1

      e40a6458296ec6a2427bcb280572d023a9862b31

      SHA256

      a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

      SHA512

      4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RUSYZH.exe
      Filesize

      134KB

      MD5

      c5782fb8a119d6092f4816b8b39b5fa0

      SHA1

      68f2f0c4884168f1d775a6fc0f550150176ec402

      SHA256

      963bb7cbfda00f3033cfed5058521b0a4a42f797cc0e7473b0008ac1416e30e8

      SHA512

      d0809b3e54024cf08af7548525732d642a7ca00b0e8d30310377b4c9e74cc302c3ab926688da7776beabc055ed5bd5ef56d25e82e19e2ea3b6be08ffee214fe3

      Download Submit

    • memory/1560-15-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-6-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-9-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-10-0x00007FFA0B1F0000-0x00007FFA0B200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1560-4-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1560-2-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1560-12-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-13-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-14-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-17-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-18-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-19-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-16-0x00007FFA0B1F0000-0x00007FFA0B200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1560-1-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1560-11-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-47-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-8-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-0-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1560-3-0x00007FFA4D26D000-0x00007FFA4D26E000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1560-134-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-128-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-127-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1560-7-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1560-5-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1672-587-0x0000000005BA0000-0x0000000005C06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2388-95-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2388-94-0x0000000007390000-0x0000000007422000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2388-93-0x0000000007940000-0x0000000007EE4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2388-92-0x00000000072F0000-0x000000000738C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2388-91-0x0000000004C70000-0x0000000004C9A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2388-90-0x0000000000320000-0x0000000000346000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2388-89-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4120-96-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download