Analysis Overview
SHA256
d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653
Threat Level: Known bad
The file d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653 was found to be: Known bad.
Malicious Activity Summary
Detect XtremeRAT payload
XtremeRAT
Suspicious use of SetThreadContext
Program crash
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-11-23 22:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-23 22:00
Reported
2022-11-24 01:20
Platform
win7-20221111-en
Max time kernel
4s
Max time network
35s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XtremeRAT
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 956 set thread context of 736 | N/A | C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe | C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe
"C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe"
C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe
C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe
Network
Files
memory/956-54-0x0000000075B61000-0x0000000075B63000-memory.dmp
memory/956-55-0x0000000074510000-0x0000000074ABB000-memory.dmp
memory/736-56-0x0000000010000000-0x000000001004A000-memory.dmp
memory/736-57-0x0000000010000000-0x000000001004A000-memory.dmp
memory/736-59-0x0000000010000000-0x000000001004A000-memory.dmp
memory/736-60-0x0000000010000000-0x000000001004A000-memory.dmp
memory/736-61-0x0000000010000000-0x000000001004A000-memory.dmp
memory/736-62-0x0000000010000000-0x000000001004A000-memory.dmp
memory/736-63-0x0000000010000000-0x000000001004A000-memory.dmp
memory/736-66-0x000000001000D0F4-mapping.dmp
memory/736-65-0x0000000010000000-0x000000001004A000-memory.dmp
memory/956-67-0x0000000074510000-0x0000000074ABB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-23 22:00
Reported
2022-11-24 01:20
Platform
win10v2004-20221111-en
Max time kernel
188s
Max time network
214s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XtremeRAT
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4420 set thread context of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe | C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe
"C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe"
C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe
C:\Users\Admin\AppData\Local\Temp\d26e6d73f021fc4dcaca055faef2568279e2ed78e49f87b17bffa997afd93653.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 648 -ip 648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 12
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| N/A | 104.208.16.90:443 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 67.26.111.254:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 108.156.60.123:80 | N/A | tcp |
| N/A | 108.156.61.115:80 | N/A | tcp |
Files
memory/4420-132-0x00000000751A0000-0x0000000075751000-memory.dmp
memory/648-133-0x0000000000000000-mapping.dmp
memory/648-134-0x0000000010000000-0x000000001004A000-memory.dmp
memory/4420-135-0x00000000751A0000-0x0000000075751000-memory.dmp