Analysis

  • max time kernel
    91s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/11/2022, 14:03

General

  • Target

    6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe

  • Size

    520KB

  • MD5

    2e1b2aaeaef46f92436616cf7912f931

  • SHA1

    db8e74884c960d1bc297a6ae15f1aa30d958e3ce

  • SHA256

    6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964

  • SHA512

    0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1

  • SSDEEP

    12288:RWXClV2A9GguHZ3+IuuD+nij6XENkjHMmQR79DaU:RZIHh/sij6XENkyR79WU

Malware Config

Signatures

  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
    "C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
      "C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"
      2⤵
      PID:4336
    • C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe
      "C:\Users\Admin\AppData\Local\Temp\6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:3656
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:3128
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:2996
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:3524
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:4468
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:1352
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:3740
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:4048
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:4456
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:3792
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:2600
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:3676
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:4348
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:3264
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:2840
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:3784
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:2848
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:5032
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:5024
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:4052
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:2788
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:4084
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:2816
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:4884
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:3620
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:4812
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:972
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:3316
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:2224
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:1848
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:1144
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:2420
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        PID:432
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:848
      • C:\Windows\{9043-8547-9771-90}\appinit.exe
        "C:\Windows\{9043-8547-9771-90}\appinit.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        PID:5004
        • C:\Windows\{9043-8547-9771-90}\appinit.exe
          "C:\Windows\{9043-8547-9771-90}\appinit.exe"
          4⤵
          • Executes dropped EXE
          PID:1032
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 12
            5⤵
            • Program crash
            PID:4188
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 56
            5⤵
            • Program crash
            PID:3816
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1032 -ip 1032
    1⤵
    PID:3724
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1032 -ip 1032
    1⤵
    PID:3696

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\{9043-8547-9771-90}\appinit.exe

    Filesize

    520KB

    MD5

    2e1b2aaeaef46f92436616cf7912f931

    SHA1

    db8e74884c960d1bc297a6ae15f1aa30d958e3ce

    SHA256

    6c33c0c03e2ed173fcf13e78c5bf6c6b4330fe1e2d4d0ed0a3e08bd7e85df964

    SHA512

    0290bd2b250b3c626b38648d83dad74b0f7fc124da63d58cf5fde1f0be86843bccec3ee94237b8b0d775eccdb32334e05a8ad9e93c8274468e0fbc9551546ea1

  • memory/3968-135-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/3968-137-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/3968-138-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/3968-134-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/3968-145-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/4252-136-0x0000000074F10000-0x00000000754C1000-memory.dmp

    Filesize

    5.7MB

  • memory/4252-132-0x0000000074F10000-0x00000000754C1000-memory.dmp

    Filesize

    5.7MB

  • memory/5004-144-0x00000000732A0000-0x0000000073851000-memory.dmp

    Filesize

    5.7MB