Analysis Overview
SHA256
a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c
Threat Level: Known bad
The file a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c was found to be: Known bad.
Malicious Activity Summary
Detect XtremeRAT payload
XtremeRAT
UPX packed file
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-23 17:31
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-23 17:31
Reported
2022-11-23 19:34
Platform
win10v2004-20221111-en
Max time kernel
306s
Max time network
328s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 216 set thread context of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe | C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe
"C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe"
C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe
"C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 8.248.99.254:80 | N/A | tcp |
| N/A | 8.248.99.254:80 | N/A | tcp |
| N/A | 52.242.97.97:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/216-132-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4212-135-0x0000000000000000-mapping.dmp
memory/4212-136-0x0000000000400000-0x0000000000406000-memory.dmp
memory/216-140-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4212-141-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4212-142-0x0000000000400000-0x0000000000406000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-23 17:31
Reported
2022-11-23 19:32
Platform
win7-20221111-en
Max time kernel
12s
Max time network
30s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1420 set thread context of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe | C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe |
| PID 276 set thread context of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe | C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe
"C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe"
C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe
"C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe"
C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe
"C:\Users\Admin\AppData\Local\Temp\a9c8442965d5fda4de06075b0e306753341775fa0aa1450f8f4d71a68e358f3c.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
Network
Files
memory/276-56-0x0000000000400000-0x0000000000406000-memory.dmp
memory/276-57-0x00000000004010B0-mapping.dmp
memory/1420-59-0x0000000000400000-0x0000000000448000-memory.dmp
memory/272-62-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-63-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-65-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-66-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-68-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-69-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-67-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-71-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-72-0x000000001000D0F4-mapping.dmp
memory/276-73-0x0000000000400000-0x0000000000406000-memory.dmp
memory/272-74-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-75-0x0000000074D71000-0x0000000074D73000-memory.dmp
memory/272-76-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-77-0x0000000010000000-0x000000001004A000-memory.dmp
memory/272-78-0x0000000000400000-0x0000000000448000-memory.dmp
memory/272-79-0x0000000010000000-0x000000001004A000-memory.dmp