Analysis
max time kernel: 185s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 17:40
Static task: static1
Behavioral task: behavioral1
Sample: 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
Resource: win10v2004-20221111-en
General
Target: 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
Size: 189KB
MD5: 534d5a0c103284c313852614b0bd358f
SHA1: 0fb8b671ca38b2e27d28e3e883ad0b8dfbfca8a7
SHA256: 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a
SHA512: 72d0ff731e3fe797438fcc4ba966fac88d1fcfd30fda4af65efaf1c70e3153ad9a63ea05a46c4dff862c778918ccae437ee43e5842c36edbd902fa0bb167f47e
SSDEEP: 3072:0/uSnUuEgbB3cTlji/6bKMTBHiirUtQ3/AAc5acBZ7p:0bB3j/6tCirUQZDSz
Malware Config
Extracted
xtremerat
simpleman.hopto.org
simpleman.sytes.net
Signatures

Detect XtremeRAT payload (4 IoCs)
resource | yara_rule
behavioral2/files/0x0008000000022e48-135.dat | family_xtremerat
behavioral2/files/0x0008000000022e48-136.dat | family_xtremerat
behavioral2/memory/3372-137-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral2/memory/3372-138-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Executes dropped EXE (1 IoC)
pid | Process
1276 | HelpMe.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2MNWQVSM-3W43-7G62-7SS8-WU1O6J0X5PWA}\StubPath = "C:\\InstallDir\\Server.exe restart" | HelpMe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2MNWQVSM-3W43-7G62-7SS8-WU1O6J0X5PWA} | HelpMe.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | HelpMe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\InstallDir\\Server.exe" | HelpMe.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run | HelpMe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\InstallDir\\Server.exe" | HelpMe.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2776 | 3372 | WerFault.exe | 82
2340 | 3372 | WerFault.exe | 82

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4632 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe
1276 | HelpMe.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 4632 wrote to memory of 1276 | 4632 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe | 81
PID 4632 wrote to memory of 1276 | 4632 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe | 81
PID 4632 wrote to memory of 1276 | 4632 | 3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe | 81
PID 1276 wrote to memory of 3372 | 1276 | HelpMe.exe | 82
PID 1276 wrote to memory of 3372 | 1276 | HelpMe.exe | 82
PID 1276 wrote to memory of 3372 | 1276 | HelpMe.exe | 82
PID 1276 wrote to memory of 3372 | 1276 | HelpMe.exe | 82
Processes

- C:\Users\Admin\AppData\Local\Temp\3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe (PID 4632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d628f605c88715175be5f8e1f6174b9885294edde42f5db1bb0105600bc1f0a.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\HelpMe.exe (PID 1276)
    Command line: C:\Windows\system32\HelpMe.exe
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\svchost.exe (PID 3372)
      Command line: svchost.exe
      Child processes:
      - C:\Windows\SysWOW64\WerFault.exe (PID 2776)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 480
        - Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 2340)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 488
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2840)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3372 -ip 3372
- C:\Windows\SysWOW64\WerFault.exe (PID 2788)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3372 -ip 3372
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 65KB
MD5: a6eb00d2534d342a6cd44c7f0fa6551c
SHA1: 09d0fd72407f8cff56185b28ab65a828bdf5259e
SHA256: 28a2c796a0cd5e60126cdae63dd0fbda4c2a0ee16b0c6b57326f49e4bbf031c2
SHA512: a649ab5805654a896a05953e34c07f7ac959c6334c50243b34f89e09b82fe23875cc38aa6a7f5d0e3979e6f0ed3c030bd3e057488ff31f751539c9c49680ba72