Analysis
- max time kernel: 101s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23/11/2022, 15:44
Static task: static1
Behavioral task: behavioral1
  Sample: 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe
  Resource: win10v2004-20221111-en
General
- Target: 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe
- Size: 786KB
- MD5: f2ba6a3638618fe779291c758d5a420f
- SHA1: 4954b28960bce6e21c2fb32d14368d2c99b2e607
- SHA256: 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3
- SHA512: b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3
- SSDEEP: 12288:AOLaS+4AIns3ZMPUhUDmh/uD6I1U3MZeZ0XMmyS9pXWkSI0Uvnni9t:E8AFSPU2mmU3MIZtNWpmkb0mn4
Malware Config
Signatures
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Executes dropped EXE (5 IoCs)
  - PID 2040: detect.exe
  - PID 1724: detect.exe
  - PID 552: Server.exe
  - PID 1256: detect.exe
  - PID 1668: detect.exe
- YARA rule matches on memory dumps (7 IoCs)
  - behavioral1/memory/1056-81-0x0000000001610000-0x0000000001720000-memory.dmp: upx
  - behavioral1/memory/1056-84-0x0000000001610000-0x0000000001720000-memory.dmp: upx
  - behavioral1/memory/1056-87-0x0000000001610000-0x0000000001720000-memory.dmp: upx
  - behavioral1/memory/1056-90-0x0000000001610000-0x0000000001720000-memory.dmp: upx
  - behavioral1/memory/1056-92-0x0000000001610000-0x0000000001720000-memory.dmp: upx
  - behavioral1/memory/1056-93-0x0000000001610000-0x0000000001720000-memory.dmp: upx
  - behavioral1/memory/1056-94-0x0000000001610000-0x0000000001720000-memory.dmp: upx
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs (92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe)
- Loads dropped DLL (2 IoCs)
  - PID 1908: 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe
  - PID 1724: detect.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" (detect.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run (detect.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" (detect.exe)
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (detect.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" (detect.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run (detect.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" (detect.exe)
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (detect.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 2040 set thread context of 1724 (2040 detect.exe, procid_target 29)
  - PID 1256 set thread context of 1668 (1256 detect.exe, procid_target 66)
  - PID 1668 set thread context of 1056 (1668 detect.exe, procid_target 68)
- Drops file in Windows directory (3 IoCs)
  - File created: C:\Windows\InstallDir\Server.exe (detect.exe)
  - File opened for modification: C:\Windows\InstallDir\Server.exe (detect.exe)
  - File opened for modification: C:\Windows\InstallDir\Server.exe (detect.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - PID 1056: explorer.exe
- Suspicious behavior: MapViewOfSection (4 IoCs)
  - PID 2040: detect.exe
  - PID 2040: detect.exe
  - PID 1256: detect.exe
  - PID 1256: detect.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1724: detect.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe (PID 1908)
  command line: "C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe (PID 2040)
    command line: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe (PID 1724)
      command line: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 1496)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1920)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1136)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 852)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1616)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 956)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 928)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 924)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1276)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 1108)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 544)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 1904)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1280)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 1712)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1684)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 1700)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1960)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 1020)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 436)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 1492)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 824)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 1764)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1548)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 396)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1092)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 1672)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 880)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 1796)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1516)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 976)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 520)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 624)
        command line: explorer.exe
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 1744)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe (PID 1924)
        command line: explorer.exe
      - C:\Windows\InstallDir\Server.exe (PID 552)
        command line: "C:\Windows\InstallDir\Server.exe"
        - Executes dropped EXE
        - C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe (PID 1256)
          command line: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe (PID 1668)
            command line: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - C:\Program Files\Internet Explorer\iexplore.exe (PID 2008)
              command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            - C:\Windows\SysWOW64\explorer.exe (PID 1056)
              command line: explorer.exe
              - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads