Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/11/2022, 19:26

General

  • Target

    67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe

  • Size

    46KB

  • MD5

    3ed737aa806679a8f967360abe8cdcfd

  • SHA1

    7ebd7c27d3b3de22e4717d6722f2092897942d52

  • SHA256

    67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209

  • SHA512

    c6f44e2bcea50eebd0052e6c0a978c2aad35aa22d8dd3ac17f81240557f4a3fac6d170a2b9ff7b9365d78a54e35004b50066a5e750f11ec852bf3e432b6dc0de

  • SSDEEP

    768:VIsF8HdbKjV8BX7Vy6K7eIVwn4kuY1n6ZVdBnJin:VIsF5CBX7VX9Iy446ZVD

Malware Config

Extracted

Family

xtremerat

C2

oudy.no-ip.biz

Signatures

  • Detect XtremeRAT payload 6 IoCs
  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Adds policy Run key to start application 2 TTPs 8 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 16 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe
    "C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe"
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      • Modifies WinLogon for persistence
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      PID:1308
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      • Suspicious use of SetWindowsHookEx
      PID:1412

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Windows\WIN 7\HACKO.exe

          Filesize

          46KB

          MD5

          3ed737aa806679a8f967360abe8cdcfd

          SHA1

          7ebd7c27d3b3de22e4717d6722f2092897942d52

          SHA256

          67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209

          SHA512

          c6f44e2bcea50eebd0052e6c0a978c2aad35aa22d8dd3ac17f81240557f4a3fac6d170a2b9ff7b9365d78a54e35004b50066a5e750f11ec852bf3e432b6dc0de

        • memory/1308-136-0x0000000000C80000-0x0000000000CA5000-memory.dmp

          Filesize

          148KB

        • memory/1412-137-0x0000000000C80000-0x0000000000CA5000-memory.dmp

          Filesize

          148KB

        • memory/1412-139-0x0000000000C80000-0x0000000000CA5000-memory.dmp

          Filesize

          148KB

        • memory/5004-132-0x0000000000C80000-0x0000000000CA5000-memory.dmp

          Filesize

          148KB

        • memory/5004-138-0x0000000000C80000-0x0000000000CA5000-memory.dmp

          Filesize

          148KB