Analysis
- max time kernel: 150s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23-05-2022 18:18

Static task: static1

Behavioral task: behavioral1
- Sample: 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
- Resource: win10v2004-20220414-en

Only behavioral1 (Windows 7 x64) results appear in the signature and dump listings below; every matched resource is prefixed behavioral1/.
General
- Target: 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
- Size: 366KB
- MD5: 58ab608bd203846607e6fe52381dad9d
- SHA1: e861165ddc44b91b5697dbebdabfea0db3c4aa0e
- SHA256: 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216
- SHA512: 1f28e5d8c396f60aed3a4c087776db7d6c1d23578c70deb3edd19a044ee498e4fee54d59d6232b0362a5cef9a6209122fb1c5065cc1c80f87cede2e96a28c853
Malware Config
Signatures

Detect XtremeRAT Payload (4 IoCs)
yara rule family_xtremerat matched on:
- behavioral1/memory/1480-63-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral1/memory/1480-66-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral1/memory/1660-69-0x0000000000000000-mapping.dmp
- behavioral1/memory/1660-71-0x0000000010000000-0x000000001004D000-memory.dmp
XtremeRAT, written in Delphi, was developed by xtremecoder and has been available since at least 2010.

ACProtect 1.3x - 1.4x DLL software (3 IoCs)
Detects files packed with ACProtect. yara rule acprotect matched on:
- \Users\Admin\AppData\Local\Temp\fck1833.tmp
- C:\Users\Admin\AppData\Local\Temp\fck1833.tmp
- \Users\Admin\AppData\Local\Temp\fck1833.tmp

UPX (signature title missing from the page; yara rule upx, 5 IoCs) matched on:
- behavioral1/memory/1480-58-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral1/memory/1480-62-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral1/memory/1480-63-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral1/memory/1480-66-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral1/memory/1660-71-0x0000000010000000-0x000000001004D000-memory.dmp

Loads dropped DLL (2 IoCs)
- PID 632: 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
- PID 1480: 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0, by 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
The IoC recorded here is a handle to the raw disk opened with write access, not an observed write to sector 0. Confirm an actual MBR overwrite from the raw-disk write events (or by diffing the disk image) before classifying the sample as a bootkit; the payload match below is a RAT, not a bootkit family.

Suspicious use of SetThreadContext (1 IoC)
- PID 632 set thread context of PID 1480 (01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe -> 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe)
Together with the WriteProcessMemory events below this is the process-hollowing sequence: the first instance (PID 632) starts a second copy of itself (PID 1480), writes into it, then redirects its thread with SetThreadContext. PID 1480 in turn writes into svchost.exe (PID 1660) and iexplore.exe (PID 1620), which is where the XtremeRAT yara hits land.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Triage's canned description calls this likely ransomware behaviour; no IoC is listed for it on this page and the payload match is XtremeRAT, so treat it as a generic raw-device-access tag that accompanies the PhysicalDrive0 handle above rather than as evidence of file encryption.

Modifies registry class (3 IoCs)
All by 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.key
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.key\
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"
regfile is the ProgID Windows uses for .reg registration files (opened by regedit.exe), so this association makes a file with the .key extension behave as a registry import when opened through the shell.

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 632: 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe (3 hook installations)

Suspicious use of WriteProcessMemory (19 IoCs)
- PID 632 (01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe) wrote to memory of PID 1480 (01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe): 9 events
- PID 1480 (01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe) wrote to memory of PID 1660 (svchost.exe): 5 events
- PID 1480 (01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe) wrote to memory of PID 1620 (iexplore.exe): 5 events
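The SetThreadContext and WriteProcessMemory rows above describe an injection chain, but the report leaves the correlation to the reader. The following Python is an added example for this page, not Triage's own tooling or the sample's code: it parses rows of that shape, tags a parent that writes into a child of its own image and then sets its thread context as process hollowing, tags any other write as a cross-process write, and walks the chain from the first PID. The input rows are constructed to mirror the report's rows (one per source/target pair, where the report lists 9, 5 and 5 repetitions); treating them as whitespace-separated fields is an assumption about that rendering.

```python
"""Correlate WriteProcessMemory / SetThreadContext rows into injection findings.

Added example for this report, not Triage's own tooling or the sample's code.
The rows below are constructed to mirror the report's 'Processes:' entries
(PID, action, target PID, PID again, image, target image); treating them as
whitespace-separated fields is an assumption about that rendering.
"""
import re
from collections import defaultdict

SAMPLE = "01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe"

# Constructed rows in the report's shape, one per (source, target) pair; the
# report itself repeats the write rows 9, 5 and 5 times.
EVENTS = [
    f"PID 632 wrote to memory of 1480 632 {SAMPLE} {SAMPLE}",
    f"PID 632 set thread context of 1480 632 {SAMPLE} {SAMPLE}",
    f"PID 1480 wrote to memory of 1660 1480 {SAMPLE} svchost.exe",
    f"PID 1480 wrote to memory of 1620 1480 {SAMPLE} iexplore.exe",
]

ROW_RE = re.compile(
    r"PID (?P<pid>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<target_image>\S+)$"
)


def parse_events(rows):
    """Turn report rows into dicts; rows that do not match the shape are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        events.append({
            "pid": int(m["pid"]),
            "target": int(m["target"]),
            "action": "write" if m["action"].startswith("wrote") else "set_context",
            "image": m["image"],
            "target_image": m["target_image"],
        })
    return events


def find_injections(events):
    """Return (source_pid, target_pid, verdict, target_image) for each pair that wrote memory.

    A write plus SetThreadContext into a child running the same image is the
    process-hollowing pattern; a write into any other image is reported as a
    cross-process write (svchost.exe and iexplore.exe in this report).
    """
    pairs = defaultdict(lambda: {"actions": set(), "image": None, "target_image": None})
    for e in events:
        p = pairs[(e["pid"], e["target"])]
        p["actions"].add(e["action"])
        p["image"], p["target_image"] = e["image"], e["target_image"]
    findings = []
    for (src, dst), p in sorted(pairs.items()):
        if "write" not in p["actions"]:
            continue  # SetThreadContext alone is not enough to call it injection
        if p["image"] == p["target_image"] and "set_context" in p["actions"]:
            verdict = "process hollowing"
        else:
            verdict = "cross-process write"
        findings.append((src, dst, verdict, p["target_image"]))
    return findings


def injection_chain(findings, root):
    """Walk source -> target edges from `root`, depth first, lowest PID first."""
    edges = defaultdict(list)
    for src, dst, _, _ in findings:
        edges[src].append(dst)
    order, stack = [], [root]
    while stack:
        pid = stack.pop()
        order.append(pid)
        stack.extend(sorted(edges[pid], reverse=True))
    return order


if __name__ == "__main__":
    found = find_injections(parse_events(EVENTS))
    for src, dst, verdict, image in found:
        print(f"{src} -> {dst} ({image}): {verdict}")
    print("chain:", " -> ".join(map(str, injection_chain(found, 632))))
```

Run against the rows above it reports 632 -> 1480 as process hollowing and 1480 -> 1620 / 1480 -> 1660 as cross-process writes, with the chain 632 -> 1480 -> 1620 -> 1660. The same logic applies to any sandbox or EDR export that records the source PID, target PID and image names per call.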
Processes
1. C:\Users\Admin\AppData\Local\Temp\01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe"
   - Loads dropped DLL
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of SetThreadContext
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe (second instance, child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe
         command line: svchost.exe
      3. C:\Program Files\Internet Explorer\iexplore.exe
         command line: "C:\Program Files\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fck1833.tmp (172KB)
  MD5: 685f1cbd4af30a1d0c25f252d399a666
  SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
  SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
  SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
- \Users\Admin\AppData\Local\Temp\fck1833.tmp (172KB)
  MD5: 685f1cbd4af30a1d0c25f252d399a666
  SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
  SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
  SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Memory dumps:
- memory/632-54-0x0000000075391000-0x0000000075393000-memory.dmp (8KB)
- memory/1480-58-0x0000000010000000-0x000000001004D000-memory.dmp (308KB)
- memory/1480-59-0x000000001004B900-mapping.dmp
- memory/1480-62-0x0000000010000000-0x000000001004D000-memory.dmp (308KB)
- memory/1480-63-0x0000000010000000-0x000000001004D000-memory.dmp (308KB)
- memory/1480-66-0x0000000010000000-0x000000001004D000-memory.dmp (308KB)
- memory/1660-67-0x0000000010000000-0x000000001004D000-memory.dmp (308KB)
- memory/1660-69-0x0000000000000000-mapping.dmp
- memory/1660-71-0x0000000010000000-0x000000001004D000-memory.dmp (308KB)
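The dump names above encode PID, sequence number and address range, which is enough to check the report's own arithmetic (0x1004D000 - 0x10000000 = 0x4D000 bytes = 308 KB) and to see that the same region is dumped from both the hollowed child (PID 1480) and svchost.exe (PID 1660). The following Python is an added example for this page, not Triage output or the sample's code; the dump names are copied from the list above, and parsing them as `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` and `memory/<pid>-<seq>-0x<addr>-mapping.dmp` is an assumption about Triage's naming.

```python
"""Summarise the memory dump regions listed under Downloads.

Added example for this report, not Triage output or the sample's code. The
names are copied from the report; parsing them as
'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' and
'memory/<pid>-<seq>-0x<addr>-mapping.dmp' is an assumption about that naming.
"""
import re
from collections import defaultdict

DUMPS = [  # copied from the report's Downloads list
    "memory/632-54-0x0000000075391000-0x0000000075393000-memory.dmp",
    "memory/1480-58-0x0000000010000000-0x000000001004D000-memory.dmp",
    "memory/1480-59-0x000000001004B900-mapping.dmp",
    "memory/1480-62-0x0000000010000000-0x000000001004D000-memory.dmp",
    "memory/1480-63-0x0000000010000000-0x000000001004D000-memory.dmp",
    "memory/1480-66-0x0000000010000000-0x000000001004D000-memory.dmp",
    "memory/1660-67-0x0000000010000000-0x000000001004D000-memory.dmp",
    "memory/1660-69-0x0000000000000000-mapping.dmp",
    "memory/1660-71-0x0000000010000000-0x000000001004D000-memory.dmp",
]

REGION_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def region_size_kb(start, end):
    """Size of a half-open [start, end) region in KiB, rounded down as the report does."""
    return (end - start) // 1024


def parse_dumps(names):
    """Split dump names into region dumps and mapping markers; unknown names are ignored."""
    regions, mappings = [], []
    for name in names:
        m = REGION_RE.match(name)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions.append({"pid": pid, "seq": seq, "start": start, "end": end,
                            "size_kb": region_size_kb(start, end)})
            continue
        m = MAPPING_RE.match(name)
        if m:
            mappings.append({"pid": int(m[1]), "seq": int(m[2]), "addr": int(m[3], 16)})
    return regions, mappings


def shared_regions(regions):
    """Map (start, end) -> sorted PIDs for regions dumped from more than one process."""
    by_range = defaultdict(set)
    for r in regions:
        by_range[(r["start"], r["end"])].add(r["pid"])
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


def mapping_in_region(regions, pid, addr):
    """True if a mapping address falls inside a region dumped from the same PID."""
    return any(r["pid"] == pid and r["start"] <= addr < r["end"] for r in regions)


if __name__ == "__main__":
    regions, mappings = parse_dumps(DUMPS)
    for (start, end), pids in shared_regions(regions).items():
        print(f"0x{start:08X}-0x{end:08X} ({region_size_kb(start, end)} KB) dumped from PIDs {pids}")
    for m in mappings:
        where = "inside" if mapping_in_region(regions, m["pid"], m["addr"]) else "outside"
        print(f"PID {m['pid']} mapping 0x{m['addr']:08X} is {where} a dumped region")
```

For this report the output shows the 308 KB region 0x10000000-0x1004D000 dumped from both PID 1480 and PID 1660, the PID 1480 mapping at 0x1004B900 falling inside that region, and the PID 1660 mapping at 0x0 falling outside any dumped region. Seeing an identical base and size in the hollowed child and in svchost.exe is the cross-process evidence worth checking before relying on the family yara hit alone.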