Analysis
-
max time kernel
187s -
max time network
191s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
23/11/2022, 17:40
Static task
static1
Behavioral task
behavioral1
Sample
3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
Resource
win10v2004-20221111-en
General
-
Target
3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
-
Size
189KB
-
MD5
534d5a0c103284c313852614b0bd358f
-
SHA1
0fb8b671ca38b2e27d28e3e883ad0b8dfbfca8a7
-
SHA256
3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a
-
SHA512
72d0ff731e3fe797438fcc4ba966fac88d1fcfd30fda4af65efaf1c70e3153ad9a63ea05a46c4dff862c778918ccae437ee43e5842c36edbd902fa0bb167f47e
-
SSDEEP
3072:0/uSnUuEgbB3cTlji/6bKMTBHiirUtQ3/AAc5acBZ7p:0bB3j/6tCirUQZDSz
Malware Config
Extracted
xtremerat
simpleman.hopto.org
simpleman.sytes.net
Both C2 hostnames sit under free dynamic-DNS domains (hopto.org and sytes.net are No-IP domains), so whatever IP they resolved to during the run is not a stable indicator; hunt and block on the hostnames themselves.
Signatures
-
Detect XtremeRAT payload (8 IoCs)
resource | yara_rule
behavioral1/files/0x000b0000000122f9-56.dat | family_xtremerat
behavioral1/files/0x000b0000000122f9-57.dat | family_xtremerat
behavioral1/files/0x000b0000000122f9-59.dat | family_xtremerat
behavioral1/memory/580-63-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral1/files/0x000b0000000122f9-65.dat | family_xtremerat
behavioral1/memory/580-66-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
behavioral1/files/0x0008000000012300-67.dat | family_xtremerat
behavioral1/memory/580-68-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
Three of the eight hits are on the memory of PID 580, the svchost.exe at the bottom of the process tree, in the region 0x10000000-0x1004A000: the unpacked payload is found in the process that received the WriteProcessMemory calls, not in the sample's own image.
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Executes dropped EXE (1 IoC)
pid | Process
1800 | HelpMe.exe
-
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2MNWQVSM-3W43-7G62-7SS8-WU1O6J0X5PWA} | HelpMe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2MNWQVSM-3W43-7G62-7SS8-WU1O6J0X5PWA}\StubPath = "C:\\InstallDir\\Server.exe restart" | HelpMe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2MNWQVSM-3W43-7G62-7SS8-WU1O6J0X5PWA} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2MNWQVSM-3W43-7G62-7SS8-WU1O6J0X5PWA}\StubPath = "C:\\InstallDir\\Server.exe" | svchost.exe
Active Setup runs a component's StubPath once per user at logon, so this is a second persistence path alongside the Run keys. The component name {2MNWQVSM-3W43-7G62-7SS8-WU1O6J0X5PWA} has the shape of a GUID but contains letters outside 0-9/A-F, so it is not a valid CLSID; that alone is a cheap hunting check. Both writers point the StubPath at C:\InstallDir\Server.exe, the same path the Run keys below use.
-
Loads dropped DLL (2 IoCs)
pid | Process
840 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
840 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
-
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\InstallDir\\Server.exe" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\InstallDir\\Server.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | HelpMe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\InstallDir\\Server.exe" | HelpMe.exe
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run | HelpMe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\InstallDir\\Server.exe" | HelpMe.exe
HelpMe.exe and the svchost.exe it writes into set identical values in both the machine and the user Run key; the value names HKLM and HKCU mimic hive abbreviations rather than naming a product. The Wow6432Node path shows both writers are 32-bit processes on this x64 guest, so a hunt for the value must look under Wow6432Node as well as the native key.
-
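The two registry tables above (Installed Components and Run keys) carry enough structure to drive a detection. The following is an added example for this page, not sandbox output or XtremeRAT code: it takes the report's registry events, transcribed into Python, and applies three heuristics a detection engineer would write from them: an Active Setup component whose name is not a well-formed GUID, an autostart value whose executable lives outside the standard program directories, and an autostart key written by a service host process. The trusted-directory list, the host-process set and the rule names are assumptions chosen for illustration.

```python
"""Persistence heuristics over the registry IoCs recorded in the report above.

Added example for this page, not sandbox output. EVENTS is transcribed from the
"Modifies Installed Components in the registry" and "Adds Run key" tables; the
trusted-directory list, the host-process set and the rule names are assumptions.
"""
import re
from typing import NamedTuple


class RegEvent(NamedTuple):
    action: str    # "Key created" or "Set value (str)"
    ioc: str       # registry path, followed by ' = "data"' for set-value rows
    process: str   # image name of the writing process


# Transcribed from the report; the sandbox doubles backslashes inside string data.
EVENTS = [
    RegEvent("Key created",
             r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2MNWQVSM-3W43-7G62-7SS8-WU1O6J0X5PWA}",
             "HelpMe.exe"),
    RegEvent("Set value (str)",
             r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2MNWQVSM-3W43-7G62-7SS8-WU1O6J0X5PWA}\StubPath = "C:\\InstallDir\\Server.exe restart"',
             "HelpMe.exe"),
    RegEvent("Set value (str)",
             r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2MNWQVSM-3W43-7G62-7SS8-WU1O6J0X5PWA}\StubPath = "C:\\InstallDir\\Server.exe"',
             "svchost.exe"),
    RegEvent("Key created",
             r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "svchost.exe"),
    RegEvent("Set value (str)",
             r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\InstallDir\\Server.exe"',
             "svchost.exe"),
    RegEvent("Set value (str)",
             r'\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\InstallDir\\Server.exe"',
             "HelpMe.exe"),
]

# Genuine Active Setup components are named by a CLSID: {8-4-4-4-12} hex digits.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
ACTIVE_SETUP = "\\active setup\\installed components\\"
RUN_KEY = "\\currentversion\\run"          # also matches RunOnce / RunServices
# Executable part of a command line, quoted or not, so paths with spaces survive.
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)
# Assumed allow-list: where an installed product's autostart binary normally lives.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed: service hosts do not write autostart keys on their own behalf.
SYSTEM_HOSTS = {"svchost.exe"}


def split_value(ioc):
    """Split 'path\\Name = "data"' into (path, name, data); data is None for key rows."""
    if " = " not in ioc:
        return ioc, None, None
    path, _, data = ioc.partition(" = ")
    parent, _, name = path.rpartition("\\")
    # Undo the sandbox's quoting and backslash doubling.
    return parent, name, data.strip('"').replace("\\\\", "\\")


def image_path(command_line):
    """Return the executable part of an autostart command line."""
    m = EXE_RE.match(command_line)
    return m.group(1) if m else command_line.split(" ", 1)[0]


def check(event):
    """Return the list of rule names that fire on one registry event."""
    hits = []
    low = event.ioc.lower()
    if ACTIVE_SETUP in low:
        start = low.index(ACTIVE_SETUP) + len(ACTIVE_SETUP)
        subkey = event.ioc[start:].split("\\", 1)[0]
        if not GUID_RE.match(subkey):
            hits.append("active_setup_key_not_a_guid")
    if ACTIVE_SETUP in low or RUN_KEY in low:
        if event.process.lower() in SYSTEM_HOSTS:
            hits.append("system_host_writes_autostart")
        _, _, data = split_value(event.ioc)
        if data is not None and not image_path(data).lower().startswith(TRUSTED_DIRS):
            hits.append("autostart_outside_trusted_dirs")
    return hits


def scan(events=EVENTS):
    """Map each (process, ioc) that triggers at least one rule to its rule names."""
    report = {}
    for event in events:
        hits = check(event)
        if hits:
            report[(event.process, event.ioc)] = hits
    return report


if __name__ == "__main__":
    for (process, ioc), hits in scan().items():
        print(f"{process:12} {', '.join(hits)}\n    {ioc}")
```

Every one of the six transcribed events fires at least one rule, while a Run value pointing into Program Files written by explorer.exe, or an Active Setup key with a well-formed GUID, fires none. The same three checks port directly to a live-host hunt over HKLM\Software\Wow6432Node and the per-user hives.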
Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
The sample is a 32-bit process on an x64 guest, so its write to System32 is redirected by the file-system redirector into SysWOW64. That is why the process tree below shows the command line C:\Windows\system32\HelpMe.exe but the image path C:\Windows\SysWOW64\HelpMe.exe.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "likely ransomware behaviour" to this signature; for a sample classified above as XtremeRAT, drive enumeration is better read as host reconnaissance, since nothing else in the report points to encryption.
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
840 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
1800 | HelpMe.exe
SetWindowsHookEx is the usual user-mode keylogging primitive in a RAT; the report records only that the call was made, not the hook type or whether the hook was global.
-
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 840 wrote to memory of 1800 | 840 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe | 28
PID 840 wrote to memory of 1800 | 840 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe | 28
PID 840 wrote to memory of 1800 | 840 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe | 28
PID 840 wrote to memory of 1800 | 840 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe | 28
PID 1800 wrote to memory of 580 | 1800 | HelpMe.exe | 29
PID 1800 wrote to memory of 580 | 1800 | HelpMe.exe | 29
PID 1800 wrote to memory of 580 | 1800 | HelpMe.exe | 29
PID 1800 wrote to memory of 580 | 1800 | HelpMe.exe | 29
PID 1800 wrote to memory of 580 | 1800 | HelpMe.exe | 29
Four writes go from the sample into its child HelpMe.exe and five from HelpMe.exe into its child svchost.exe (PID 580). Read together with the YARA hits on PID 580's memory at 0x10000000-0x1004A000 and with the fact that this svchost.exe was started by HelpMe.exe rather than services.exe, this is process injection: the persistence writes attributed to svchost.exe above are the RAT running inside a freshly spawned system binary, which is what an EDR should key on rather than the svchost.exe name.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe  (PID 840, level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\HelpMe.exe  (PID 1800, level 2, child of 840)
  command line: C:\Windows\system32\HelpMe.exe
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe  (PID 580, level 3, child of 1800)
    command line: svchost.exe
    - Modifies Installed Components in the registry
    - Adds Run key to start application
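The process tree, the WriteProcessMemory table and the YARA memory hits describe one injection chain, but the report presents them as three unrelated lists. As an added example for this page (not sandbox output or XtremeRAT code), the script below joins them: it collapses the nine WriteProcessMemory rows into writer-to-target edges, walks the chain from the sample, flags a target whose parent is also the process writing into it and a svchost.exe not started by services.exe, and cross-references the YARA memory-hit resource names to confirm where the payload landed. PROCESSES, WRITES and MEMORY_HITS are transcribed from the report; the expected-parent table and the wording of the findings are assumptions.

```python
"""Reconstruct the injection chain from the report's WriteProcessMemory, process-tree
and YARA memory-hit sections.

Added example for this page, not sandbox output. PROCESSES, WRITES and MEMORY_HITS
are transcribed from the report; EXPECTED_PARENT and the finding texts are assumptions.
"""
import re

SAMPLE = "3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe"

# pid -> (image name, parent pid) from the process tree; the sample has no recorded parent.
PROCESSES = {
    840: (SAMPLE, None),
    1800: ("HelpMe.exe", 840),
    580: ("svchost.exe", 1800),
}

# One (writer pid, target pid) per "wrote to memory of" row: four into 1800, five into 580.
WRITES = [(840, 1800)] * 4 + [(1800, 580)] * 5

# Resource names of the YARA hits recorded against process memory.
MEMORY_HITS = [
    "behavioral1/memory/580-63-0x0000000000000000-mapping.dmp",
    "behavioral1/memory/580-66-0x0000000010000000-0x000000001004A000-memory.dmp",
    "behavioral1/memory/580-68-0x0000000010000000-0x000000001004A000-memory.dmp",
]
HIT_RE = re.compile(r"/memory/(\d+)-\d+-0x([0-9a-f]+)(?:-0x([0-9a-f]+))?-", re.IGNORECASE)

# Assumed: on a stock system this host image is only ever started by this parent.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def injection_edges(writes):
    """Collapse repeated WriteProcessMemory rows into {(writer, target): call count}."""
    edges = {}
    for writer, target in writes:
        edges[(writer, target)] = edges.get((writer, target), 0) + 1
    return edges


def chain_from(root, edges):
    """Follow writer -> target edges from root; stops at a cycle or a process that wrote nowhere."""
    next_hop = {writer: target for (writer, target) in edges}  # one target per writer, as here
    chain = [root]
    while chain[-1] in next_hop and next_hop[chain[-1]] not in chain:
        chain.append(next_hop[chain[-1]])
    return chain


def parse_memory_hit(resource):
    """'.../memory/<pid>-<n>-0x<start>[-0x<end>]-...' -> (pid, start, end); end is None for a mapping dump."""
    m = HIT_RE.search(resource)
    if not m:
        return None
    pid, start, end = int(m.group(1)), int(m.group(2), 16), m.group(3)
    return pid, start, int(end, 16) if end else None


def findings(processes=PROCESSES, writes=WRITES, hits=MEMORY_HITS):
    """Plain-text triage notes derived from the three report sections."""
    notes = []
    edges = injection_edges(writes)
    for (writer, target), count in edges.items():
        wname, _ = processes[writer]
        tname, tparent = processes[target]
        if tparent == writer:
            notes.append(f"{wname}({writer}) spawned {tname}({target}) and wrote to it "
                         f"{count} times: injection into a child process")
        expected = EXPECTED_PARENT.get(tname.lower())
        if expected and tparent is not None and processes[tparent][0].lower() != expected:
            notes.append(f"{tname}({target}) was started by {processes[tparent][0]}({tparent}), "
                         f"expected {expected}")
    # A YARA hit on a real region (not the 0x0 mapping record) inside a write target
    # confirms the payload landed there; identical dumps are reported once.
    targets = {target for (_, target) in edges}
    regions = sorted({p for p in map(parse_memory_hit, hits)
                      if p and p[0] in targets and p[2] is not None})
    for pid, start, end in regions:
        notes.append(f"family_xtremerat matched in pid {pid} at 0x{start:08X}-0x{end:08X} "
                     f"({end - start} bytes)")
    return notes


if __name__ == "__main__":
    print(" -> ".join(f"{PROCESSES[p][0]}({p})" for p in chain_from(840, injection_edges(WRITES))))
    for note in findings():
        print(" *", note)
```

Run stand-alone it prints the chain sample(840) -> HelpMe.exe(1800) -> svchost.exe(580) and four notes; the 0x0 mapping record is deliberately ignored because it names a mapping, not a memory region. Feeding a different report's rows into the same three inputs reuses the logic unchanged.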
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
65KB
MD5 a6eb00d2534d342a6cd44c7f0fa6551c
SHA1 09d0fd72407f8cff56185b28ab65a828bdf5259e
SHA256 28a2c796a0cd5e60126cdae63dd0fbda4c2a0ee16b0c6b57326f49e4bbf031c2
SHA512 a649ab5805654a896a05953e34c07f7ac959c6334c50243b34f89e09b82fe23875cc38aa6a7f5d0e3979e6f0ed3c030bd3e057488ff31f751539c9c49680ba72
(The report lists five download entries; all five have this size and these hashes, so they are one file recorded five times.)