Overview

overview

10

Static

static

8

CF AL CHEA...ap.dll

windows7_x64

1

CF AL CHEA...ap.dll

windows10-2004_x64

1

CF AL CHEA...TS.exe

windows7_x64

10

CF AL CHEA...TS.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    1790s
  • max time network
    1608s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-07-2022 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CF AL CHEATS 2K18/CF AL CHEATS.exe

  • Size

    33KB

  • MD5

    ff926ad152e49b12044bcf258012a95d

  • SHA1

    d7dc9a9f0ce32763dc654b1a8554246e0972c2cf

  • SHA256

    3a4707df311d1b499a8c78e7e1c33b4f235de01c55b631e7147a32bf4b3e3830

  • SHA512

    54980080ad22afd3a98d0f60d36314a9f65cc28b944d577cc3762437632c3c391762c2dad826a94a5e45bba11d608dca8529e2b12bba5575cd01ddc4f33d02d8

Score
10/10
xtremeratpersistenceratspywareupx

Malware Config

Signatures

  • Detect XtremeRAT Payload 5 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CF AL CHEATS 2K18\CF AL CHEATS.exe
    "C:\Users\Admin\AppData\Local\Temp\CF AL CHEATS 2K18\CF AL CHEATS.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
        PID:4328
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 480
          3⤵
          • Program crash
          PID:1120
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 488
          3⤵
          • Program crash
          PID:3372
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        2⤵
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:4656
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 988
          3⤵
          • Program crash
          PID:3968
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 996
          3⤵
          • Program crash
          PID:4736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4328 -ip 4328
      1⤵
        PID:4932
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4656 -ip 4656
        1⤵
          PID:1384
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4656 -ip 4656
          1⤵
            PID:3436
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4328 -ip 4328
            1⤵
              PID:4976

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            2
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/4060-130-0x0000000010000000-0x000000001004D000-memory.dmp
              Filesize

              308KB

              Download
            • memory/4060-133-0x0000000010000000-0x000000001004D000-memory.dmp
              Filesize

              308KB

              Download
            • memory/4328-131-0x0000000000000000-mapping.dmp
              Download
            • memory/4328-134-0x0000000010000000-0x000000001004D000-memory.dmp
              Filesize

              308KB

              Download
            • memory/4656-132-0x0000000000000000-mapping.dmp
              Download
            • memory/4656-135-0x0000000010000000-0x000000001004D000-memory.dmp
              Filesize

              308KB

              Download