Analysis
-
max time kernel
150s -
max time network
90s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
07/11/2022, 05:35
General
-
Target
33398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9.exe
-
Size
712KB
-
MD5
0d6542d9d1dadd5fddf51a0302231258
-
SHA1
9aae90db2ac05caf13a835c288850653cbf36584
-
SHA256
33398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
-
SHA512
bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
SSDEEP
12288:bOqBSPmJ7uD4vqQOqCg/0+cdEuH8uitp4xieV31K93u:yCSCOTRdEuUpJGl3
Malware Config
Extracted
xtremerat
imaistroextr.zapto.org
Signatures
-
Detect XtremeRAT payload 20 IoCs
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Executes dropped EXE 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 14 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 28 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\33398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9.exe"C:\Users\Admin\AppData\Local\Temp\33398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\33398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9.exeC:\Users\Admin\AppData\Local\Temp\33398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9.exe2⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
-
-
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe5⤵
- Executes dropped EXE
-
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\InstallDir\Server.exeC:\Windows\InstallDir\Server.exe5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5bddd08860f9dea1df326658e811e2d6e
SHA1258ef149b546f983178d0e960a0f1dde5ced915b
SHA25668efeff41da9d29383ba362ce32d01052c238eaba08129f5148fd448a071fd30
SHA5125a7cc7a4a2bbd24ef6e198dd89fc0b3720385f70089887da025fe5560cad8c98e70090cfd7afb773fcfe9b7852a096cea2779f67c43354986dd5e39a0bc060a0
-
Filesize
1KB
MD5bddd08860f9dea1df326658e811e2d6e
SHA1258ef149b546f983178d0e960a0f1dde5ced915b
SHA25668efeff41da9d29383ba362ce32d01052c238eaba08129f5148fd448a071fd30
SHA5125a7cc7a4a2bbd24ef6e198dd89fc0b3720385f70089887da025fe5560cad8c98e70090cfd7afb773fcfe9b7852a096cea2779f67c43354986dd5e39a0bc060a0
-
Filesize
1KB
MD5bddd08860f9dea1df326658e811e2d6e
SHA1258ef149b546f983178d0e960a0f1dde5ced915b
SHA25668efeff41da9d29383ba362ce32d01052c238eaba08129f5148fd448a071fd30
SHA5125a7cc7a4a2bbd24ef6e198dd89fc0b3720385f70089887da025fe5560cad8c98e70090cfd7afb773fcfe9b7852a096cea2779f67c43354986dd5e39a0bc060a0
-
Filesize
1KB
MD5bddd08860f9dea1df326658e811e2d6e
SHA1258ef149b546f983178d0e960a0f1dde5ced915b
SHA25668efeff41da9d29383ba362ce32d01052c238eaba08129f5148fd448a071fd30
SHA5125a7cc7a4a2bbd24ef6e198dd89fc0b3720385f70089887da025fe5560cad8c98e70090cfd7afb773fcfe9b7852a096cea2779f67c43354986dd5e39a0bc060a0
-
Filesize
1KB
MD5bddd08860f9dea1df326658e811e2d6e
SHA1258ef149b546f983178d0e960a0f1dde5ced915b
SHA25668efeff41da9d29383ba362ce32d01052c238eaba08129f5148fd448a071fd30
SHA5125a7cc7a4a2bbd24ef6e198dd89fc0b3720385f70089887da025fe5560cad8c98e70090cfd7afb773fcfe9b7852a096cea2779f67c43354986dd5e39a0bc060a0
-
Filesize
2B
MD584cad01fdb44ae58dbe6c3973dcd87f5
SHA14700b42849fb35be323774820bf1bc8019d26c80
SHA2568b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6
SHA5126e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab
-
Filesize
343KB
MD56426d400c96fb9ffef4eaa54f6647f4c
SHA170a37871aff432790b6adf7d3fc4eb929476e082
SHA25698bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c
SHA5122c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
712KB
MD50d6542d9d1dadd5fddf51a0302231258
SHA19aae90db2ac05caf13a835c288850653cbf36584
SHA25633398ed32c539bc45a33b394a03d054c13db10e32b294627ba3da04737dff3a9
SHA512bbef96545cae9b67816d101026f94db5b26066010cabf658e68ecdabd148cbdf11e71827ce3fbb9c7465d1636a64d6aa0e3bbcc1c24c0459187c5f9a8c18ff66
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
36KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
8KB
-
Filesize
680KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
8KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB