Analysis

  • max time kernel
    187s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/11/2022, 17:40

General

  • Target

    3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe

  • Size

    189KB

  • MD5

    534d5a0c103284c313852614b0bd358f

  • SHA1

    0fb8b671ca38b2e27d28e3e883ad0b8dfbfca8a7

  • SHA256

    3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a

  • SHA512

    72d0ff731e3fe797438fcc4ba966fac88d1fcfd30fda4af65efaf1c70e3153ad9a63ea05a46c4dff862c778918ccae437ee43e5842c36edbd902fa0bb167f47e

  • SSDEEP

    3072:0/uSnUuEgbB3cTlji/6bKMTBHiirUtQ3/AAc5acBZ7p:0bB3j/6tCirUQZDSz

Malware Config

Extracted

Family

xtremerat

C2

simpleman.hopto.org

simpleman.sytes.net
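
Both C2 names sit under hopto.org and sytes.net, which are No-IP free dynamic-DNS zones, so the resolved address will change over time and the hostnames, not IPs, are the durable indicator. The scanner below is an added example and not part of the sandbox report: it walks resolver-style log lines, flags an exact query for either C2 hostname as "c2", and flags any other name under the same dynamic-DNS zones as lower-confidence "suspect". The log lines and their "<timestamp> <client> <qname> <qtype>" layout are constructed for the example; only the two hostnames come from the report.

```python
"""Flag DNS activity to the XtremeRAT C2 hostnames from this report.

Added example, not part of the sandbox report. The two C2 hostnames are
taken from the Malware Config section; the log lines below are constructed
for the example and are not from the analysis run.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# C2 hostnames extracted by the sandbox (Malware Config).
C2_HOSTNAMES = {"simpleman.hopto.org", "simpleman.sytes.net"}

# Both C2 names are under No-IP free dynamic-DNS zones. Matching the zone
# alone is a weaker signal (legitimate use exists), so it is reported as
# "suspect" rather than "c2".
DYNDNS_ZONES = {"hopto.org", "sytes.net"}

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>" (assumed format).
SAMPLE_LOG = """\
2022-11-23T17:41:02Z 10.0.0.23 SIMPLEMAN.hopto.org. A
2022-11-23T17:41:02Z 10.0.0.23 time.windows.com A
2022-11-23T17:41:09Z 10.0.0.23 simpleman.sytes.net A
2022-11-23T17:42:15Z 10.0.0.45 camera.hopto.org A
2022-11-23T17:42:16Z 10.0.0.45 example.com AAAA
this line is not a dns record
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qname: str
    verdict: str  # "c2" or "suspect"


def normalize_qname(qname: str) -> str:
    """Lower-case and strip the trailing dot so FQDN and bare forms compare equal."""
    return qname.rstrip(".").lower()


def classify(qname: str) -> str | None:
    name = normalize_qname(qname)
    if name in C2_HOSTNAMES:
        return "c2"
    # Match the zone itself or a subdomain of it, never a suffix like "xhopto.org".
    for zone in DYNDNS_ZONES:
        if name == zone or name.endswith("." + zone):
            return "suspect"
    return None


def scan_dns_log(text: str) -> list[Hit]:
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        verdict = classify(m["qname"])
        if verdict:
            hits.append(Hit(m["ts"], m["client"], normalize_qname(m["qname"]), verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.verdict:7} {hit.timestamp} {hit.client} {hit.qname}")
```

Case folding and the trailing-dot strip matter in practice: Sysmon Event 22 and Zeek dns.log record names in whatever form the client sent, and a rule that compares raw strings misses "SIMPLEMAN.hopto.org." even though it is the same C2 name.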

Signatures

  • Detect XtremeRAT payload 8 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Drops file in System32 directory 1 IoCs

    The 32-bit sample writes HelpMe.exe to C:\Windows\system32; because the image is x64, WoW64 file-system redirection stores it as C:\Windows\SysWOW64\HelpMe.exe, the path reported for the dropped file below. A 64-bit process looking for C:\Windows\system32\HelpMe.exe will not find it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned note for this signature is "likely ransomware behaviour", but that is a generic heuristic: the sample is classified as XtremeRAT, a remote-access trojan, and this report records no file-encryption activity, so drive enumeration here is more consistent with a RAT's file-manager capability than with ransomware.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
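
The two registry signatures above, the Run key and "Installed Components" (the Active Setup key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, whose StubPath values run at logon), are the persistence to hunt for on other hosts. The Python below is an added example, not from the report: it parses a .reg export, reports entries in those locations whose command line references HelpMe.exe, and expands a system32 path to its SysWOW64 twin because of the WoW64 redirection visible in the Processes section. The .reg excerpt is constructed; the report lists no value names or GUIDs, so the ones shown are hypothetical.

```python
"""Hunt the persistence this report attributes to HelpMe.exe.

Added example, not part of the sandbox report. The report says the dropped
HelpMe.exe adds a Run key and modifies Active Setup "Installed Components"
but lists no key or value names, so the .reg export below is constructed
and its value names and GUIDs are hypothetical.
"""
import re

# Dropped file from the Processes section, as it appears in command lines.
DROPPED_NAME = "helpme.exe"

# Keys behind the two persistence signatures, as written in a .reg export.
# Wow6432Node is the 32-bit view of HKLM\SOFTWARE that a 32-bit process,
# such as this sample, sees on 64-bit Windows.
PERSISTENCE_KEY = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\(?:"
    r"Windows\\CurrentVersion\\Run(?:Once)?|"
    r"Active Setup\\Installed Components\\[^\\]+)$",
    re.IGNORECASE,
)

# "name"="string" or @="string"; dword:/hex: values are skipped by the parser.
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed .reg excerpt: one benign Run entry, one benign Active Setup
# entry, and two entries pointing at the dropped file. Not from the report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"HKCU"="C:\\Windows\\system32\\HelpMe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\system32\\ie4uinit.exe -UserConfig"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="C:\\Windows\\system32\\HelpMe.exe"
"""


def unescape(data: str) -> str:
    # Undo .reg escaping in one pass: a backslash followed by any char becomes that char.
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg(text: str) -> list:
    """Return (key, value_name, data) for every string value in a .reg export.

    Real exports from reg.exe are UTF-16 with a BOM: open them with
    encoding="utf-16" before passing the text here.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m is None or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
            continue  # not a REG_SZ literal (dword:, hex:, ...)
        entries.append((key, name, unescape(data[1:-1])))
    return entries


def find_persistence(text: str) -> list:
    """Persistence entries whose command line references the dropped file."""
    return [
        (key, name, data)
        for key, name, data in parse_reg(text)
        if PERSISTENCE_KEY.search(key) and DROPPED_NAME in data.lower()
    ]


def exe_from_cmdline(cmdline: str) -> str:
    """First token of a command line, honouring a quoted executable path."""
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def on_disk_candidates(cmdline: str) -> list:
    r"""Paths to check on a 64-bit host for a command line written by a 32-bit process.

    The report shows HelpMe.exe launched as C:\Windows\system32\HelpMe.exe but
    stored as C:\Windows\SysWOW64\HelpMe.exe: WoW64 file-system redirection
    moved the write, so checking the system32 path alone would miss the file.
    """
    exe = exe_from_cmdline(cmdline)
    candidates = [exe]
    idx = exe.lower().find("\\system32\\")
    if idx != -1:
        candidates.append(exe[:idx] + "\\SysWOW64\\" + exe[idx + len("\\system32\\"):])
    return candidates


if __name__ == "__main__":
    for key, name, data in find_persistence(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}\n  check: {on_disk_candidates(data)}")
```

Searching both the native and Wow6432Node views of Active Setup matters here: the sample is a 32-bit process, so its write to HKLM\SOFTWARE lands in the Wow6432Node view, and both views are processed at logon.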

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
    "C:\Users\Admin\AppData\Local\Temp\3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        PID:580

Network


        Downloads

        Every file entry below carries the same hash set: C:\InstallDir\Server.exe and C:\Windows\SysWOW64\HelpMe.exe are one 65KB binary written to two locations, distinct from the 189KB submitted sample, so the sample acts as a dropper and HelpMe.exe is the payload that runs in the process tree above.

        • C:\InstallDir\Server.exe

          Filesize

          65KB

          MD5

          a6eb00d2534d342a6cd44c7f0fa6551c

          SHA1

          09d0fd72407f8cff56185b28ab65a828bdf5259e

          SHA256

          28a2c796a0cd5e60126cdae63dd0fbda4c2a0ee16b0c6b57326f49e4bbf031c2

          SHA512

          a649ab5805654a896a05953e34c07f7ac959c6334c50243b34f89e09b82fe23875cc38aa6a7f5d0e3979e6f0ed3c030bd3e057488ff31f751539c9c49680ba72

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          65KB

          MD5

          a6eb00d2534d342a6cd44c7f0fa6551c

          SHA1

          09d0fd72407f8cff56185b28ab65a828bdf5259e

          SHA256

          28a2c796a0cd5e60126cdae63dd0fbda4c2a0ee16b0c6b57326f49e4bbf031c2

          SHA512

          a649ab5805654a896a05953e34c07f7ac959c6334c50243b34f89e09b82fe23875cc38aa6a7f5d0e3979e6f0ed3c030bd3e057488ff31f751539c9c49680ba72

        • \Windows\SysWOW64\HelpMe.exe

          Filesize

          65KB

          MD5

          a6eb00d2534d342a6cd44c7f0fa6551c

          SHA1

          09d0fd72407f8cff56185b28ab65a828bdf5259e

          SHA256

          28a2c796a0cd5e60126cdae63dd0fbda4c2a0ee16b0c6b57326f49e4bbf031c2

          SHA512

          a649ab5805654a896a05953e34c07f7ac959c6334c50243b34f89e09b82fe23875cc38aa6a7f5d0e3979e6f0ed3c030bd3e057488ff31f751539c9c49680ba72

        • memory/580-61-0x0000000010000000-0x000000001004A000-memory.dmp

          Filesize

          296KB

        • memory/580-66-0x0000000010000000-0x000000001004A000-memory.dmp

          Filesize

          296KB

        • memory/580-68-0x0000000010000000-0x000000001004A000-memory.dmp

          Filesize

          296KB

        • memory/1800-60-0x0000000076041000-0x0000000076043000-memory.dmp

          Filesize

          8KB
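
Because the dropped-file entries above share one hash set, a host check needs only two SHA256 values: the submitted sample and the dropped payload. The checker below is an added example, not part of the report: it hashes files in a streaming fashion, matches on the strongest algorithm both sides have (an MD5-only match is reported as MD5 so it can be weighted accordingly, since MD5 collisions are practical), and walks a directory tree. The hash values are copied from the General and Downloads sections; the scan helper and its command-line usage are assumptions for the example.

```python
"""Check a host's files against the hashes in this report.

Added example, not part of the sandbox report. The hash values are copied
from the General and Downloads sections; the tree-walking scan and its
command-line usage are assumptions for the example.
"""
import hashlib
import os

# Artifacts as listed in the report. Server.exe and HelpMe.exe carry the
# same hashes: one dropped binary written to two paths.
REPORT_ARTIFACTS = {
    "3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe": {
        "md5": "534d5a0c103284c313852614b0bd358f",
        "sha1": "0fb8b671ca38b2e27d28e3e883ad0b8dfbfca8a7",
        "sha256": "3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a",
    },
    "C:\\InstallDir\\Server.exe": {
        "md5": "a6eb00d2534d342a6cd44c7f0fa6551c",
        "sha1": "09d0fd72407f8cff56185b28ab65a828bdf5259e",
        "sha256": "28a2c796a0cd5e60126cdae63dd0fbda4c2a0ee16b0c6b57326f49e4bbf031c2",
    },
    "C:\\Windows\\SysWOW64\\HelpMe.exe": {
        "md5": "a6eb00d2534d342a6cd44c7f0fa6551c",
        "sha1": "09d0fd72407f8cff56185b28ab65a828bdf5259e",
        "sha256": "28a2c796a0cd5e60126cdae63dd0fbda4c2a0ee16b0c6b57326f49e4bbf031c2",
    },
}

# Strongest algorithm first. Only the strongest one both sides have is
# compared, so an MD5-only feed yields an "md5" match that can be weighted
# lower than a SHA256 match (MD5 collisions are practical).
ALGORITHMS = ("sha256", "sha1", "md5")
HASH_NAMES = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HASH_NAMES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream the file so large files never have to fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in HASH_NAMES}
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_artifacts(hashes: dict) -> list:
    """Return (artifact, algorithm) pairs whose strongest shared hash matches."""
    matches = []
    for name, known in REPORT_ARTIFACTS.items():
        for alg in ALGORITHMS:
            if alg in hashes and alg in known:
                if hashes[alg].lower() == known[alg].lower():
                    matches.append((name, alg))
                break  # compare only the strongest algorithm both sides have
    return matches


def distinct_binaries() -> int:
    """How many different files the report actually describes."""
    return len({a["sha256"] for a in REPORT_ARTIFACTS.values()})


def scan_tree(root: str) -> dict:
    """Hash every regular file under root; map path -> report matches."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                hits = match_artifacts(hash_file(path))
            except OSError:
                continue  # unreadable or vanished file: keep scanning
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import sys
    # Assumed usage: python check_hashes.py <directory>
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

On a live 64-bit host the payload path to scan is C:\Windows\SysWOW64, as the report shows, even though the process tree launches it as C:\Windows\system32\HelpMe.exe; a 64-bit scanner that only walks system32 will not see it.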