Analysis
max time kernel: 192s
max time network: 197s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 23/11/2022, 16:40
Static task: static1
Behavioral task: behavioral1
  Sample: LIF3 Muaway.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: LIF3 Muaway.exe
  Resource: win10v2004-20221111-en
General
Target: LIF3 Muaway.exe
Size: 2.0MB
MD5: 18ec82e6803a882e6409399d5fefb810
SHA1: b1a9b23927bc033f7df59a93349fce0416ad3f5a
SHA256: f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471
SHA512: f9b29cb3a4a9412322b5e19939372d74578c1764288a2caf439340feabc3f74dc248d728722c10739db860cfb1e35d0064a25ce294474e0e7cb044b443b3a0d6
SSDEEP: 49152:rHFaaHayaoaaaoaGhF3Ow3yaBafimXnhsi:rHFamfBvxnhF3OwiGhe2i
Malware Config
Extracted
xtremerat
muawayhue2.no-ip.org
Sites qmuawayhue2.no-ip.org
Signatures
Detect XtremeRAT payload 10 IoCs
resource | yara_rule
behavioral2/memory/2344-134-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral2/memory/2344-135-0x0000000010000000-0x0000000010065000-memory.dmp | family_xtremerat
behavioral2/memory/2344-136-0x0000000010000000-0x0000000010065000-memory.dmp | family_xtremerat
behavioral2/memory/2344-137-0x0000000010000000-0x0000000010065000-memory.dmp | family_xtremerat
behavioral2/memory/3468-138-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral2/memory/3628-139-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral2/memory/2344-140-0x0000000010000000-0x0000000010065000-memory.dmp | family_xtremerat
behavioral2/memory/3468-141-0x0000000010000000-0x0000000010065000-memory.dmp | family_xtremerat
behavioral2/memory/2344-145-0x0000000010000000-0x0000000010065000-memory.dmp | family_xtremerat
behavioral2/memory/3628-148-0x0000000010000000-0x0000000010065000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Executes dropped EXE 1 IoCs
pid | Process
3264 | 722lif3 muaway 2014³.exe
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath = "C:\\Windows\\svchost\\svchost.exe restart" | explorer.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | LIF3 Muaway.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\svchost\\svchost.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\svchost\\svchost.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\svchost\\svchost.exe" | explorer.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2712 set thread context of 2344 | 2712 | LIF3 Muaway.exe | 85
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\722lif3 muaway 2014³.exe.exe | LIF3 Muaway.exe
File created | C:\Windows\722lif3 muaway 2014³.exe | LIF3 Muaway.exe
File opened for modification | C:\Windows\svchost\svchost.exe | explorer.exe
File created | C:\Windows\svchost\svchost.exe | explorer.exe
File opened for modification | C:\Windows\svchost\ | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
1712 | 3468 | WerFault.exe | 86
1300 | 3468 | WerFault.exe | 86
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2712 | LIF3 Muaway.exe
3628 | explorer.exe
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2712 wrote to memory of 2344 | 2712 | LIF3 Muaway.exe | 85 (13 identical entries)
PID 2344 wrote to memory of 3468 | 2344 | LIF3 Muaway.exe | 86 (4 identical entries)
PID 2344 wrote to memory of 3628 | 2344 | LIF3 Muaway.exe | 87 (4 identical entries)
PID 2344 wrote to memory of 3264 | 2344 | LIF3 Muaway.exe | 95 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe"
  PID: 2712
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe"
    PID: 2344
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      PID: 3468
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 480
        PID: 1712
        - Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 488
        PID: 1300
        - Program crash
    - C:\Windows\SysWOW64\explorer.exe
      command line: explorer.exe
      PID: 3628
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\722lif3 muaway 2014³.exe
      command line: "C:\Windows\722lif3 muaway 2014³.exe"
      PID: 3264
      - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3468 -ip 3468
  PID: 3428
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3468 -ip 3468
  PID: 2724
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 105KB
  MD5: 37060ad5f5fa42f17c9171c74d85a11c
  SHA1: 69a548f7a1f222efbb5883b88b07d165dee5b5a7
  SHA256: c2799c3284ef8e00b407fd3b36395f12709434e1f09dddb0b246218f733aaa44
  SHA512: b895a14a405c685ada82e5eeee993d0992edad75aa6051abca8b982466a1ac80c85d68f13a52e43a257235d46a23fb02e65aab4d96022d38ed58bd036932e77b