Analysis
- max time kernel: 167s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/11/2022, 15:44
Static task: static1
Behavioral task: behavioral1
- Sample: 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe
- Resource: win10v2004-20221111-en
General
- Target: 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe
- Size: 786KB
- MD5: f2ba6a3638618fe779291c758d5a420f
- SHA1: 4954b28960bce6e21c2fb32d14368d2c99b2e607
- SHA256: 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3
- SHA512: b569baac33c5f6383826e571b971e707377ec2b13543b8e86acba74dec50565751e597f9714592c8199cecb881b65d87a3a6d53cd09d2601abc466aaf9846fb3
- SSDEEP: 12288:AOLaS+4AIns3ZMPUhUDmh/uD6I1U3MZeZ0XMmyS9pXWkSI0Uvnni9t:E8AFSPU2mmU3MIZtNWpmkb0mn4
Malware Config
Signatures
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Executes dropped EXE (5 IoCs)
  pid | Process
  3616 | detect.exe
  2076 | detect.exe
  1908 | Server.exe
  4824 | detect.exe
  2168 | detect.exe
- yara_rule: upx (7 memory IoCs)
  resource | yara_rule
  behavioral2/memory/3884-151-0x0000000001610000-0x0000000001720000-memory.dmp | upx
  behavioral2/memory/3884-153-0x0000000001610000-0x0000000001720000-memory.dmp | upx
  behavioral2/memory/3884-152-0x0000000001610000-0x0000000001720000-memory.dmp | upx
  behavioral2/memory/3884-155-0x0000000001610000-0x0000000001720000-memory.dmp | upx
  behavioral2/memory/3884-157-0x0000000001610000-0x0000000001720000-memory.dmp | upx
  behavioral2/memory/3884-158-0x0000000001610000-0x0000000001720000-memory.dmp | upx
  behavioral2/memory/3884-159-0x0000000001610000-0x0000000001720000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | detect.exe
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs | 92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | detect.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | detect.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | detect.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | detect.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | detect.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | detect.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | detect.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | detect.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 3616 set thread context of 2076 | 3616 | detect.exe | 88
  PID 4824 set thread context of 2168 | 4824 | detect.exe | 128
  PID 2168 set thread context of 3884 | 2168 | detect.exe | 130
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\InstallDir\Server.exe | detect.exe
  File created | C:\Windows\InstallDir\Server.exe | detect.exe
  File opened for modification | C:\Windows\InstallDir\Server.exe | detect.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | explorer.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3884 | explorer.exe
  3884 | explorer.exe
- Suspicious behavior: MapViewOfSection (4 IoCs)
  pid | Process
  3616 | detect.exe
  3616 | detect.exe
  4824 | detect.exe
  4824 | detect.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2076 | detect.exe
  3884 | explorer.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\92641a786645e7c451acc415138c387cea9ca1df85013356c148d635b25545a3.exe" | PID: 2532
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | cmdline: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe" | PID: 3616
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | cmdline: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe" | PID: 2076
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 3168
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 2508
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 3632
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 3352
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 4584
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 2644
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 4404
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 4368
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 3780
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 3500
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 3880
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 3368
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 3832
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 3784
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 4080
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 3444
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 3064
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 3068
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 3412
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 3096
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 3636
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 2456
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 5056
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 4152
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 1412
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 5024
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 3896
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 4172
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 5020
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 5052
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 4888
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 2524
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 2668
      - [4] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 2680
      - [4] C:\Windows\InstallDir\Server.exe | cmdline: "C:\Windows\InstallDir\Server.exe" | PID: 1908
        - Executes dropped EXE
        - [5] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | cmdline: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe" | PID: 4824
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - [6] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe | cmdline: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe" | PID: 2168
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID: 4176
            - [7] C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID: 3884
              - Checks SCSI registry key(s)
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads