Analysis
-
max time kernel
152s -
max time network
166s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system -
submitted
23/11/2022, 16:40
Static task
static1
Behavioral task
behavioral1
Sample
LIF3 Muaway.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
LIF3 Muaway.exe
Resource
win10v2004-20221111-en
General
-
Target
LIF3 Muaway.exe
-
Size
2.0MB
-
MD5
18ec82e6803a882e6409399d5fefb810
-
SHA1
b1a9b23927bc033f7df59a93349fce0416ad3f5a
-
SHA256
f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471
-
SHA512
f9b29cb3a4a9412322b5e19939372d74578c1764288a2caf439340feabc3f74dc248d728722c10739db860cfb1e35d0064a25ce294474e0e7cb044b443b3a0d6
-
SSDEEP
49152:rHFaaHayaoaaaoaGhF3Ow3yaBafimXnhsi:rHFamfBvxnhF3OwiGhe2i
Malware Config
Extracted
xtremerat
muawayhue2.no-ip.org
Sites qmuawayhue2.no-ip.org
Signatures
-
Detect XtremeRAT payload 17 IoCs
resource yara_rule (all hits: family_xtremerat)
- behavioral1/memory/1860-59-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/1860-60-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/1860-61-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/1860-63-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/1860-62-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/1860-66-0x000000001000D0F4-mapping.dmp
- behavioral1/memory/1860-65-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/1860-69-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/1860-67-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/1860-70-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/276-73-0x0000000000000000-mapping.dmp
- behavioral1/memory/360-77-0x0000000000000000-mapping.dmp
- behavioral1/memory/1860-82-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/360-84-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/276-85-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/360-90-0x0000000010000000-0x0000000010065000-memory.dmp
- behavioral1/memory/276-91-0x0000000010000000-0x0000000010065000-memory.dmp
The payload is matched at 0x10000000-0x10065000 in PID 1860 and later in PIDs 276 and 360, never in the original parent PID 1760: the RAT module is only present in the hollowed copy and in the processes it injects into. -
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
Executes dropped EXE 1 IoCs
PID 1036 - Process 722lif3 muaway 2014³.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX} (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath = "C:\\Windows\\svchost\\svchost.exe restart" (explorer.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX} (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath = "C:\\Windows\\svchost\\svchost.exe" (svchost.exe)
Active Setup StubPath entries are executed at the next interactive logon of every user that does not yet have the matching HKCU entry, so this persistence survives removal of the Run keys alone. Two details give it away: the component name is not a valid hex GUID (it contains V, W, J, S, T, U, G, R, X, O, Y), and the StubPath points to C:\Windows\svchost\svchost.exe, a directory the genuine svchost.exe (System32 / SysWOW64) never lives in. The Wow6432Node path shows the writes came from 32-bit processes, matching the SysWOW64 svchost.exe and explorer.exe in the process tree. -
Adds Run key to start application 2 TTPs 9 IoCs
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
- Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\svchost\\svchost.exe" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\svchost\\svchost.exe" (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\svchost\\svchost.exe" (explorer.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\svchost\\svchost.exe" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\svchost\\svchost.exe" (svchost.exe)
Three value names ("Windows Defender", "Win32", "System32") in both HKLM and HKCU all launch the same dropped binary, C:\Windows\svchost\svchost.exe; the names are chosen to look like Windows components when listed in autoruns. -
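The two persistence signatures above (Active Setup StubPath and the Run values) share the same tell: a Windows-looking image name started from a directory where no Windows binary lives, plus an Active Setup component whose name is not a hex GUID. The script below is an added example, not part of the sandbox report or of any tool it names. It parses "Set value (str)" lines in the report's own format, three of them copied from this report and one constructed benign control line, and flags the anomalies. The trusted-directory and system-image-name lists are this example's assumptions.

```python
"""Flag suspicious auto-start registry entries from sandbox IoC lines.

Added example, not part of the sandbox report. SAMPLE_LINES are constructed
from the report's "Set value (str)" entries plus one benign control line;
the trusted-directory and image-name lists are assumptions of this example.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_LINES = [
    # Three lines copied from the report (paths exactly as the report prints them).
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath = "C:\\Windows\\svchost\\svchost.exe restart" explorer.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\svchost\\svchost.exe" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\svchost\\svchost.exe" explorer.exe',
    # Constructed benign control line (not from the report) so the rules do not fire on everything.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\System32\\SecurityHealthSystray.exe" explorer.exe',
]

# key \ value = "data" process   (value names never contain a backslash)
LINE_RE = re.compile(r'Set value \(str\) (?P<key>.+)\\(?P<value>[^\\]+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
# Active Setup components are named by a hex GUID; anything else was typed by hand.
GUID_RE = re.compile(r'^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$', re.I)
SYSTEM_DIRS = (r'c:\windows\system32', r'c:\windows\syswow64')
TRUSTED_PREFIXES = SYSTEM_DIRS + (r'c:\program files',)   # covers "Program Files (x86)" too
# Windows binaries that only ever run from the system directories (assumed list).
SYSTEM_IMAGE_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'smss.exe'}


def parse_line(line):
    """Split one 'Set value (str)' line into key, value, data and writing process."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['data'] = entry['data'].replace('\\\\', '\\')   # the report doubles backslashes
    return entry


def exe_from_data(data):
    """Return the executable path from value data such as 'C:\\x\\a.exe restart'."""
    data = data.strip().strip('"')
    idx = data.lower().find('.exe')
    return data if idx == -1 else data[:idx + 4]


def assess(entry):
    """Return a list of human-readable findings for one parsed entry (empty if benign)."""
    findings = []
    key = entry['key'].lower()
    exe = exe_from_data(entry['data'])
    path = PureWindowsPath(exe)
    name, parent = path.name.lower(), str(path.parent).lower()
    if '\\active setup\\installed components\\' in key:
        component = entry['key'].rsplit('\\', 1)[1]
        if not GUID_RE.match(component):
            findings.append(f'Active Setup component {component} is not a valid GUID')
        if not exe.lower().startswith(TRUSTED_PREFIXES):
            findings.append(f'Active Setup StubPath outside trusted directories: {exe}')
    elif key.endswith('\\currentversion\\run') or key.endswith('\\currentversion\\runonce'):
        if name in SYSTEM_IMAGE_NAMES and parent not in SYSTEM_DIRS:
            findings.append(f'Run value {entry["value"]!r} starts {name} from non-system directory {parent}')
    return findings


def scan(lines):
    """Return [(value_name, [findings...])] for every line that triggers at least one rule."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = assess(entry)
        if findings:
            results.append((entry['value'], findings))
    return results


if __name__ == '__main__':
    for value, findings in scan(SAMPLE_LINES):
        print(value)
        for f in findings:
            print('   ', f)
```

The same two rules transfer directly to live hunting: enumerate HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (and the Wow6432Node copy) plus the Run/RunOnce keys on a host, and feed each StubPath or Run value through `assess` with the key path rebuilt in the same form.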
Suspicious use of SetThreadContext 1 IoCs
PID 1760 set thread context of PID 1860 (LIF3 Muaway.exe, procid_target 27) -
Together with the twelve WriteProcessMemory calls from 1760 into 1860 and the fact that 1860 runs the same image path as its parent, this is the process-hollowing sequence: the packed outer executable starts a suspended copy of itself, overwrites its memory with the real payload, and redirects the main thread's context to the new entry point. This is why the XtremeRAT YARA hits appear in PID 1860 and not in PID 1760.
Drops file in Windows directory 5 IoCs
- File created C:\Windows\722lif3 muaway 2014³.exe.exe (LIF3 Muaway.exe)
- File created C:\Windows\722lif3 muaway 2014³.exe (LIF3 Muaway.exe)
- File opened for modification C:\Windows\svchost\svchost.exe (explorer.exe)
- File created C:\Windows\svchost\svchost.exe (explorer.exe)
- File opened for modification C:\Windows\svchost\ (explorer.exe) -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but it is a generic heuristic: a RAT with a remote file manager enumerates drives as a matter of course, and nothing else in this report (no mass file writes, no renamed or encrypted files) supports a ransomware reading.
-
Suspicious use of SetWindowsHookEx 2 IoCs
PID 1760 LIF3 Muaway.exe; PID 360 explorer.exe -
The hook installed from the injected explorer.exe is consistent with XtremeRAT's keylogging component, which captures input through a Windows hook rather than by polling.
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target (identical calls grouped; the count is the number of separate WriteProcessMemory calls)
- PID 1760 wrote to memory of 1860, 12 calls (1760 LIF3 Muaway.exe, procid_target 27)
- PID 1860 wrote to memory of 276, 5 calls (1860 LIF3 Muaway.exe, procid_target 28)
- PID 1860 wrote to memory of 360, 5 calls (1860 LIF3 Muaway.exe, procid_target 29)
- PID 1860 wrote to memory of 1036, 4 calls (1860 LIF3 Muaway.exe, procid_target 30)
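The SetThreadContext and WriteProcessMemory signatures are only meaningful read together with the process tree: which pairs of PIDs are involved, whether the target runs the same image as the writer, and whether the target is a Windows host process. The script below is an added example, not part of the sandbox report. It parses API-call lines in the report's own format (the events and the PID-to-image map are constructed from this report), groups the writes per (source, target) pair, and labels each pair; the labels and the list of host processes are the example's own interpretation.

```python
"""Reconstruct injection chains from sandbox API-call IoC lines.

Added example, not part of the sandbox report. SAMPLE_EVENTS and PID_IMAGE are
constructed from the report's SetThreadContext / WriteProcessMemory entries
and its process tree; the labels assigned here are this example's own.
"""
import re
from collections import Counter

# Constructed from the report. Duplicate lines are kept on purpose: each one
# is a separate WriteProcessMemory call, and the count per pair is a signal.
SAMPLE_EVENTS = (
    ["PID 1760 set thread context of 1860 1760 LIF3 Muaway.exe 27"]
    + ["PID 1760 wrote to memory of 1860 1760 LIF3 Muaway.exe 27"] * 12
    + ["PID 1860 wrote to memory of 276 1860 LIF3 Muaway.exe 28"] * 5
    + ["PID 1860 wrote to memory of 360 1860 LIF3 Muaway.exe 29"] * 5
    + ["PID 1860 wrote to memory of 1036 1860 LIF3 Muaway.exe 30"] * 4
)

# PID -> image path, taken from the report's process tree.
PID_IMAGE = {
    1760: r"C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe",
    1860: r"C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe",
    276: r"C:\Windows\SysWOW64\svchost.exe",
    360: r"C:\Windows\SysWOW64\explorer.exe",
    1036: r"C:\Windows\722lif3 muaway 2014³.exe",
}

# Windows processes a RAT commonly injects into to blend in (assumed list).
SYSTEM_HOSTS = {"svchost.exe", "explorer.exe"}

# "PID <src> <action> <dst> <src again> <src image> <procid_target>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>.+?) \d+$"
)


def parse_events(lines):
    """Return (src_pid, action, dst_pid) tuples; lines that do not parse are skipped."""
    out = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            out.append((int(m["src"]), m["action"], int(m["dst"])))
    return out


def classify(events, images):
    """Label every (src, dst) pair that received memory writes, in PID order."""
    writes = Counter()
    ctx_pairs = set()
    for src, action, dst in events:
        if action == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx_pairs.add((src, dst))

    findings = []
    for (src, dst), n in sorted(writes.items()):
        src_img = images.get(src, "")
        dst_img = images.get(dst, "")
        dst_name = dst_img.rsplit("\\", 1)[-1].lower()
        if (src, dst) in ctx_pairs and src_img == dst_img:
            # Writes into a child running the writer's own image, followed by
            # SetThreadContext on that child: the process-hollowing sequence.
            label = "process_hollowing"
        elif dst_name in SYSTEM_HOSTS:
            # Payload copied into a legitimate Windows process to hide in.
            label = "inject_into_system_process"
        else:
            label = "cross_process_write"
        findings.append({"src": src, "dst": dst, "dst_image": dst_img, "writes": n, "label": label})
    return findings


if __name__ == "__main__":
    for f in classify(parse_events(SAMPLE_EVENTS), PID_IMAGE):
        print(f"{f['label']:<28} {f['src']} -> {f['dst']} ({f['dst_image']}) x{f['writes']}")
```

On this report the output is one process_hollowing pair (1760 into 1860), two injections into SysWOW64 host processes (1860 into svchost.exe 276 and explorer.exe 360) and one plain cross-process write into the dropped 722lif3 muaway 2014³.exe (PID 1036). The ordering of the YARA hits in the signatures section (1860 first, then 276 and 360) follows the same chain.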
Processes
-
- C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe ("C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe"), PID 1760
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe ("C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe"), PID 1860, child of 1760
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (svchost.exe), PID 276, child of 1860
      - Modifies Installed Components in the registry
      - Adds Run key to start application
    - C:\Windows\SysWOW64\explorer.exe (explorer.exe), PID 360, child of 1860
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\722lif3 muaway 2014³.exe ("C:\Windows\722lif3 muaway 2014³.exe"), PID 1036, child of 1860
      - Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 105KB
MD5 37060ad5f5fa42f17c9171c74d85a11c
SHA1 69a548f7a1f222efbb5883b88b07d165dee5b5a7
SHA256 c2799c3284ef8e00b407fd3b36395f12709434e1f09dddb0b246218f733aaa44
SHA512 b895a14a405c685ada82e5eeee993d0992edad75aa6051abca8b982466a1ac80c85d68f13a52e43a257235d46a23fb02e65aab4d96022d38ed58bd036932e77b
-
Filesize 105KB
MD5 37060ad5f5fa42f17c9171c74d85a11c
SHA1 69a548f7a1f222efbb5883b88b07d165dee5b5a7
SHA256 c2799c3284ef8e00b407fd3b36395f12709434e1f09dddb0b246218f733aaa44
SHA512 b895a14a405c685ada82e5eeee993d0992edad75aa6051abca8b982466a1ac80c85d68f13a52e43a257235d46a23fb02e65aab4d96022d38ed58bd036932e77b
-
Filesize 2.0MB
MD5 18ec82e6803a882e6409399d5fefb810
SHA1 b1a9b23927bc033f7df59a93349fce0416ad3f5a
SHA256 f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471
SHA512 f9b29cb3a4a9412322b5e19939372d74578c1764288a2caf439340feabc3f74dc248d728722c10739db860cfb1e35d0064a25ce294474e0e7cb044b443b3a0d6
The 2.0MB entry is the submitted sample itself (same hashes as in General above); the two 105KB entries carry identical hashes, so they are two copies of one dropped artifact.