Analysis

- max time kernel: 1800s
- max time network: 1803s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 05-07-2022 04:03

Tasks

- static1 (static task)
- behavioral1: CF AL CHEATS 2K18/BugTrap.dll on win7-20220414-en
- behavioral2: CF AL CHEATS 2K18/BugTrap.dll on win10v2004-20220414-en
- behavioral3: CF AL CHEATS 2K18/CF AL CHEATS.exe on win7-20220414-en
- behavioral4: CF AL CHEATS 2K18/CF AL CHEATS.exe on win10v2004-20220414-en

The platform and resource above, and the behavioral3/ prefix on every memory-dump IoC below, identify this page as the report for behavioral3 (the EXE run on Windows 7 x64).
General

- Target: CF AL CHEATS 2K18/CF AL CHEATS.exe
- Size: 33KB
- MD5: ff926ad152e49b12044bcf258012a95d
- SHA1: d7dc9a9f0ce32763dc654b1a8554246e0972c2cf
- SHA256: 3a4707df311d1b499a8c78e7e1c33b4f235de01c55b631e7147a32bf4b3e3830
- SHA512: 54980080ad22afd3a98d0f60d36314a9f65cc28b944d577cc3762437632c3c391762c2dad826a94a5e45bba11d608dca8529e2b12bba5575cd01ddc4f33d02d8
Malware Config
No configuration is listed for this sample.

Signatures
-
Detect XtremeRAT Payload 8 IoCs
YARA rule family_xtremerat matched the following resources:
- behavioral3/memory/1896-57-0x0000000000000000-mapping.dmp
- behavioral3/memory/1684-59-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral3/memory/1896-60-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral3/memory/956-63-0x0000000000000000-mapping.dmp
- behavioral3/memory/1684-64-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral3/memory/956-66-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral3/memory/1896-68-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral3/memory/956-69-0x0000000010000000-0x000000001004D000-memory.dmp
Every hit on the 0x10000000-0x1004D000 range is the same 308 KB unpacked image, seen in the original process (PID 1684) and in both svchost.exe children (PIDs 1896 and 956). The two *-mapping.dmp entries are dumps of the section mapped into the children, i.e. the payload at the moment it was injected rather than after it started running.

XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes: svchost.exe (PID 1896), svchost.exe (PID 956)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{26I03V08-4S5J-1MHJ-LCHL-C545WL8R5B51} (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26I03V08-4S5J-1MHJ-LCHL-C545WL8R5B51}\StubPath = "C:\\Windows\\system32\\Windows\\Winlogon.exe restart" (svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{26I03V08-4S5J-1MHJ-LCHL-C545WL8R5B51} (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26I03V08-4S5J-1MHJ-LCHL-C545WL8R5B51}\StubPath = "C:\\Windows\\system32\\Windows\\Winlogon.exe" (svchost.exe)
Active Setup executes a component's StubPath at the next interactive logon of every user whose own HKCU Active Setup branch does not yet list that component, so this entry survives reboots independently of the Run keys. Two details are useful hunting pivots: the component name is not a well-formed GUID (it contains non-hex letters such as I, S, J, M, H, L, W and R), and the StubPath points at a Winlogon.exe inside a Windows\ subdirectory of system32, whereas the real winlogon.exe lives directly in C:\Windows\System32. Because the writer is a 32-bit process on 64-bit Windows, registry redirection puts the key under Wow6432Node and file-system redirection turns the C:\Windows\system32\... path into C:\Windows\SysWOW64\..., which is where the dropped-file signature below actually observes the binary.
UPX packed file 7 IoCs
YARA rule upx matched the following resources:
- behavioral3/memory/1684-59-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral3/memory/1896-60-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral3/memory/1684-64-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral3/memory/956-66-0x0000000010000000-0x000000001004D000-memory.dmp
- C:\Windows\SysWOW64\Windows\Winlogon.exe
- behavioral3/memory/1896-68-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral3/memory/956-69-0x0000000010000000-0x000000001004D000-memory.dmp
The UPX rule fires on the same 308 KB in-memory regions as the XtremeRAT rule and on the dropped Winlogon.exe; the 33 KB on-disk file is the packed stub, the 308 KB region is what it unpacks to.
Adds Run key to start application 2 TTPs 8 IoCs
Processes: svchost.exe (PID 1896), svchost.exe (PID 956)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atualizar = "C:\\Windows\\system32\\Windows\\Winlogon.exe" (svchost.exe)
- Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\Windows\\Winlogon.exe" (svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atualizar = "C:\\Windows\\system32\\Windows\\Winlogon.exe" (svchost.exe)
- Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\Windows\\Winlogon.exe" (svchost.exe)
The same target is registered twice: machine-wide (under Wow6432Node, value name "Atualizar", Portuguese for "update") and in the logged-on user's hive (value name "Windows"). Both children write both values, so the pairs above are repeats rather than four distinct entries.
Drops file in System32 directory 3 IoCs
Processes: svchost.exe (PID 956)
- File opened for modification: C:\Windows\SysWOW64\Windows\Winlogon.exe (svchost.exe)
- File created: C:\Windows\SysWOW64\Windows\Winlogon.exe (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\Windows\ (svchost.exe)
The dropped Winlogon.exe has the same size and hashes as the submitted sample (see Downloads): the implant copies itself into a new Windows\ subdirectory of SysWOW64 and points both persistence mechanisms at that copy.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the note "likely ransomware behaviour" to this signature generically; nothing else in this report records encryption activity.
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: svchost.exe (PID 956)
SetWindowsHookEx is the usual user-mode route to keyboard hooking (keylogging). The call comes from the second injected svchost.exe, not from the original executable.
Suspicious use of WriteProcessMemory 10 IoCs
Processes: CF AL CHEATS.exe (PID 1684)
- PID 1684 (CF AL CHEATS.exe) wrote to memory of PID 1896 (svchost.exe), 5 times
- PID 1684 (CF AL CHEATS.exe) wrote to memory of PID 956 (svchost.exe), 5 times
The original process writes into the two svchost.exe children it spawned, and the 308 KB XtremeRAT image at 0x10000000 subsequently appears in both of them; this is the injection that the process tree and the memory dumps below reflect.
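The Active Setup StubPath, Run key and WriteProcessMemory behaviours above reduce to three rules that run directly over registry-set and process-access telemetry. The block below is an added example, not part of the Triage report and not vendor tooling: the event records are constructed by hand from the IoCs on this page (plus benign control rows), the trusted-directory and system-binary lists are assumptions chosen for the example, and scan, rule_active_setup, rule_run_key, rule_injection and trusted_location are hypothetical names.

```python
"""Hunting rules for the persistence and injection seen in this report.

Added example; the events are constructed from the page's IoCs and kept as
plain dicts, roughly a normalised Sysmon registry-set (13) / ProcessAccess (10)
record.  All lists and names are assumptions, not Triage or vendor output.
"""
import re

# Braced RFC 4122 text form; every legitimate Active Setup component key uses it.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
ACTIVE_SETUP = "\\microsoft\\active setup\\installed components\\"
RUN_KEY = "\\microsoft\\windows\\currentversion\\run"
# Assumed allow-lists: system directories are matched EXACTLY, so the sample's
# C:\Windows\system32\Windows\ subdirectory does not pass; Program Files by prefix.
EXACT_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
PREFIX_DIRS = ("c:\\program files", "c:\\program files (x86)")
# Image names malware borrows to blend in (assumed list; two occur in this report).
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "explorer.exe"}

REPORT_EVENTS = [  # constructed from the registry / WriteProcessMemory IoCs above
    {"type": "reg_set", "path": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26I03V08-4S5J-1MHJ-LCHL-C545WL8R5B51}\StubPath",
     "data": r"C:\Windows\system32\Windows\Winlogon.exe restart"},
    {"type": "reg_set", "path": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26I03V08-4S5J-1MHJ-LCHL-C545WL8R5B51}\StubPath",
     "data": r"C:\Windows\system32\Windows\Winlogon.exe"},
    {"type": "reg_set", "path": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Atualizar",
     "data": r"C:\Windows\system32\Windows\Winlogon.exe"},
    {"type": "reg_set", "path": r"\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows",
     "data": r"C:\Windows\system32\Windows\Winlogon.exe"},
    {"type": "proc_access", "api": "WriteProcessMemory", "source": "CF AL CHEATS.exe",
     "source_pid": 1684, "target": "svchost.exe", "target_pid": 1896},
    {"type": "proc_access", "api": "WriteProcessMemory", "source": "CF AL CHEATS.exe",
     "source_pid": 1684, "target": "svchost.exe", "target_pid": 1896},  # repeated call
    {"type": "proc_access", "api": "WriteProcessMemory", "source": "CF AL CHEATS.exe",
     "source_pid": 1684, "target": "svchost.exe", "target_pid": 956},
]
CONTROL_EVENTS = [  # constructed benign rows: valid GUID, trusted paths, ordinary Run value
    {"type": "reg_set", "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-1234-1234-1234-123456789ABC}\StubPath",
     "data": r"C:\Windows\System32\ie4uinit.exe -UserConfig"},
    {"type": "reg_set", "path": r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "proc_access", "api": "WriteProcessMemory", "source": "services.exe",
     "source_pid": 500, "target": "svchost.exe", "target_pid": 800},
]


def split_reg_path(path):
    """'\\REGISTRY\\...\\Key\\Value' -> (key, value), both lower-cased."""
    key, _, value = path.lower().rpartition("\\")
    return key, value


def command_target(cmd):
    """Executable path from a StubPath/Run command line (quoted or bare), lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end if end > 0 else None].lower()
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return (m.group(1) if m else cmd.split()[0]).lower()


def trusted_location(exe):
    """Exact match for system dirs, prefix match for Program Files roots."""
    d = exe.rpartition("\\")[0]
    return d in EXACT_DIRS or any(d == p or d.startswith(p + "\\") for p in PREFIX_DIRS)


def rule_active_setup(ev):
    if ev["type"] != "reg_set":
        return None
    key, value = split_reg_path(ev["path"])
    if value != "stubpath" or ACTIVE_SETUP not in key:
        return None
    component = key.split(ACTIVE_SETUP, 1)[1].split("\\")[0]
    exe = command_target(ev["data"])
    reasons = []
    if not GUID_RE.match(component):
        reasons.append(f"component {component} is not a well-formed GUID")
    if not trusted_location(exe):
        reasons.append(f"StubPath runs {exe} from an untrusted directory")
    return "active_setup: " + "; ".join(reasons) if reasons else None


def rule_run_key(ev):
    if ev["type"] != "reg_set":
        return None
    key, value = split_reg_path(ev["path"])
    if not key.endswith(RUN_KEY):
        return None
    exe = command_target(ev["data"])
    name = exe.rpartition("\\")[2]
    if name in SYSTEM_BINARIES and not trusted_location(exe):
        return f"run_key: value '{value}' starts {exe}, masquerading as {name} outside System32"
    return None


def rule_injection(ev):
    if ev["type"] != "proc_access" or ev["api"] != "WriteProcessMemory":
        return None
    src, dst = ev["source"].lower(), ev["target"].lower()
    if dst in SYSTEM_BINARIES and src not in SYSTEM_BINARIES:
        return f"injection: {src} (pid {ev['source_pid']}) wrote into {dst} (pid {ev['target_pid']})"
    return None


def scan(events):
    """Apply every rule to every event; identical findings (the repeated
    WriteProcessMemory calls, the two StubPath writes) are reported once."""
    findings, seen = [], set()
    for ev in events:
        for rule in (rule_active_setup, rule_run_key, rule_injection):
            hit = rule(ev)
            if hit and hit not in seen:
                seen.add(hit)
                findings.append(hit)
    return findings
```

scan(REPORT_EVENTS) yields five findings (one Active Setup, two Run keys, two injections) and scan(CONTROL_EVENTS) yields none. The design point worth keeping is the exact-match test on System32/SysWOW64: a prefix check would accept C:\Windows\system32\Windows\, which is precisely the subdirectory trick this sample relies on.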
Processes

- C:\Users\Admin\AppData\Local\Temp\CF AL CHEATS 2K18\CF AL CHEATS.exe (PID 1684)
  command line: "C:\Users\Admin\AppData\Local\Temp\CF AL CHEATS 2K18\CF AL CHEATS.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 1896), command line: svchost.exe
    - Modifies Installed Components in the registry
    - Adds Run key to start application
  - C:\Windows\SysWOW64\svchost.exe (PID 956), command line: svchost.exe
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx

Both children are the 32-bit C:\Windows\SysWOW64\svchost.exe started with a bare "svchost.exe" command line; a legitimate service host is started by services.exe and always carries a -k <group> argument, so these two stand out on command line alone.
Downloads

- C:\Windows\SysWOW64\Windows\Winlogon.exe
  Filesize: 33KB
  MD5: ff926ad152e49b12044bcf258012a95d
  SHA1: d7dc9a9f0ce32763dc654b1a8554246e0972c2cf
  SHA256: 3a4707df311d1b499a8c78e7e1c33b4f235de01c55b631e7147a32bf4b3e3830
  SHA512: 54980080ad22afd3a98d0f60d36314a9f65cc28b944d577cc3762437632c3c391762c2dad826a94a5e45bba11d608dca8529e2b12bba5575cd01ddc4f33d02d8
  (identical to the submitted sample in size and every hash: a straight self-copy)
- memory/956-63-0x0000000000000000-mapping.dmp
- memory/956-66-0x0000000010000000-0x000000001004D000-memory.dmp, Filesize: 308KB
- memory/956-69-0x0000000010000000-0x000000001004D000-memory.dmp, Filesize: 308KB
- memory/1684-54-0x00000000756E1000-0x00000000756E3000-memory.dmp, Filesize: 8KB
- memory/1684-59-0x0000000010000000-0x000000001004D000-memory.dmp, Filesize: 308KB
- memory/1684-64-0x0000000010000000-0x000000001004D000-memory.dmp, Filesize: 308KB
- memory/1896-55-0x0000000010000000-0x000000001004D000-memory.dmp, Filesize: 308KB
- memory/1896-57-0x0000000000000000-mapping.dmp
- memory/1896-60-0x0000000010000000-0x000000001004D000-memory.dmp, Filesize: 308KB
- memory/1896-68-0x0000000010000000-0x000000001004D000-memory.dmp, Filesize: 308KB

The 0x10000000-0x1004D000 range is 0x4D000 bytes, which matches the 308 KB size of each of those dumps; every one of them is the unpacked XtremeRAT image, dumped repeatedly from the three processes as execution progressed.