Overview

overview

10

Static

static

8

CF AL CHEA...ap.dll

windows7_x64

1

CF AL CHEA...ap.dll

windows10-2004_x64

1

CF AL CHEA...TS.exe

windows7_x64

10

CF AL CHEA...TS.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    1800s
  • max time network
    1803s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    05-07-2022 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CF AL CHEATS 2K18/CF AL CHEATS.exe

  • Size

    33KB

  • MD5

    ff926ad152e49b12044bcf258012a95d

  • SHA1

    d7dc9a9f0ce32763dc654b1a8554246e0972c2cf

  • SHA256

    3a4707df311d1b499a8c78e7e1c33b4f235de01c55b631e7147a32bf4b3e3830

  • SHA512

    54980080ad22afd3a98d0f60d36314a9f65cc28b944d577cc3762437632c3c391762c2dad826a94a5e45bba11d608dca8529e2b12bba5575cd01ddc4f33d02d8

Score
10/10
xtremeratpersistenceratspywareupx

Malware Config

Signatures

  • Detect XtremeRAT Payload 8 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CF AL CHEATS 2K18\CF AL CHEATS.exe
    "C:\Users\Admin\AppData\Local\Temp\CF AL CHEATS 2K18\CF AL CHEATS.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      PID:1896
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Windows\Winlogon.exe
    Filesize

    33KB

    MD5

    ff926ad152e49b12044bcf258012a95d

    SHA1

    d7dc9a9f0ce32763dc654b1a8554246e0972c2cf

    SHA256

    3a4707df311d1b499a8c78e7e1c33b4f235de01c55b631e7147a32bf4b3e3830

    SHA512

    54980080ad22afd3a98d0f60d36314a9f65cc28b944d577cc3762437632c3c391762c2dad826a94a5e45bba11d608dca8529e2b12bba5575cd01ddc4f33d02d8

    Download Submit
  • memory/956-63-0x0000000000000000-mapping.dmp
    Download
  • memory/956-66-0x0000000010000000-0x000000001004D000-memory.dmp
    Filesize

    308KB

    Download
  • memory/956-69-0x0000000010000000-0x000000001004D000-memory.dmp
    Filesize

    308KB

    Download
  • memory/1684-54-0x00000000756E1000-0x00000000756E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1684-59-0x0000000010000000-0x000000001004D000-memory.dmp
    Filesize

    308KB

    Download
  • memory/1684-64-0x0000000010000000-0x000000001004D000-memory.dmp
    Filesize

    308KB

    Download
  • memory/1896-55-0x0000000010000000-0x000000001004D000-memory.dmp
    Filesize

    308KB

    Download
  • memory/1896-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1896-60-0x0000000010000000-0x000000001004D000-memory.dmp
    Filesize

    308KB

    Download
  • memory/1896-68-0x0000000010000000-0x000000001004D000-memory.dmp
    Filesize

    308KB

    Download