Analysis
max time kernel: 185s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 20:18

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe
  Resource: win10v2004-20221111-en
General
Target: 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe
Size: 1.2MB
MD5: eede44f9fff359762f09d0d819c97e0f
SHA1: 17cc6ca62f6542ac183a7530335f5ba478a71e21
SHA256: 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a
SHA512: cf41c3e6b9c586b31190813aa7c00c750bb00e9fb03ed3f21e4e686da6b22fe0686eb4de83e52c7dd6a80642fd9b09561ab62179147ae23beff1916fecad1424
SSDEEP: 24576:Ft24ot2EiSDXv8WN7ZXJVrTtjxak7WehQe5Zee1yR3:RYZiSbkE5rTtjXXBZ/1s
Malware Config
Extracted family: xtremerat
Extracted hosts:
  goodday.zapto.org
  Šꮨ妘tvnew.otzo.com
Signatures

Detect XtremeRAT payload (10 IoCs)
resource | yara_rule
behavioral2/memory/1820-153-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/1820-154-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/1736-156-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral2/memory/5104-157-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral2/memory/1736-159-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/732-160-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral2/memory/732-161-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/5104-162-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/1820-163-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/5104-166-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Executes dropped EXE (2 IoCs)
pid | Process
2344 | Skpe.exe
1820 | Skpe.exe

UPX packed (9 IoCs)
resource | yara_rule
behavioral2/memory/1820-147-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/1820-152-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/1820-153-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/1820-154-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/1736-159-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/732-161-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/5104-162-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/1820-163-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/5104-166-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Skpe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Skpe.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk | 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | Skpe.exe
File opened (read-only) | \??\G: | Skpe.exe
File opened (read-only) | \??\O: | Skpe.exe
File opened (read-only) | \??\P: | Skpe.exe
File opened (read-only) | \??\V: | Skpe.exe
File opened (read-only) | \??\H: | Skpe.exe
File opened (read-only) | \??\I: | Skpe.exe
File opened (read-only) | \??\S: | Skpe.exe
File opened (read-only) | \??\U: | Skpe.exe
File opened (read-only) | \??\X: | Skpe.exe
File opened (read-only) | \??\Z: | Skpe.exe
File opened (read-only) | \??\A: | Skpe.exe
File opened (read-only) | \??\F: | Skpe.exe
File opened (read-only) | \??\J: | Skpe.exe
File opened (read-only) | \??\L: | Skpe.exe
File opened (read-only) | \??\N: | Skpe.exe
File opened (read-only) | \??\Q: | Skpe.exe
File opened (read-only) | \??\Y: | Skpe.exe
File opened (read-only) | \??\B: | Skpe.exe
File opened (read-only) | \??\K: | Skpe.exe
File opened (read-only) | \??\M: | Skpe.exe
File opened (read-only) | \??\R: | Skpe.exe
File opened (read-only) | \??\T: | Skpe.exe
File opened (read-only) | \??\W: | Skpe.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2344 set thread context of 1820 | 2344 | Skpe.exe | 88
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Skpe.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings | 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wy2026978013e.esf | Skpe.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\wy2026978013e.esf\ = 2d7f3fc274e4f95aef6a08c829f4914d | Skpe.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | occurrences
5100 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process | occurrences
2344 | Skpe.exe | 4

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2344 | Skpe.exe
Token: SeCreatePagefilePrivilege | 2344 | Skpe.exe

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process | occurrences
2344 | Skpe.exe | 2
5100 | WINWORD.EXE | 11
5104 | sethc.exe | 1

Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | Process | procid_target | occurrences
PID 2584 wrote to memory of 5100 | 2584 | 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe | 85 | 2
PID 2584 wrote to memory of 2344 | 2584 | 90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe | 87 | 3
PID 2344 wrote to memory of 1820 | 2344 | Skpe.exe | 88 | 8
PID 1820 wrote to memory of 1404 | 1820 | Skpe.exe | 89 | 3
PID 1820 wrote to memory of 2136 | 1820 | Skpe.exe | 90 | 3
PID 1820 wrote to memory of 1736 | 1820 | Skpe.exe | 91 | 4
PID 1820 wrote to memory of 5104 | 1820 | Skpe.exe | 92 | 4
PID 1820 wrote to memory of 732 | 1820 | Skpe.exe | 93 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90c70ced614e55e04cfa71b77dcfea8272317f496bb406849eb719f70cccd71a.exe"
  PID: 2584
  - Checks computer location settings
  - Drops startup file
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc.doc" /o ""
    PID: 5100
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\Skpe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Skpe.exe"
    PID: 2344
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Skpe.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\Skpe.exe
      PID: 1820
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\sethc.exe
        Command line: sethc.exe
        PID: 1404

      C:\Windows\SysWOW64\sethc.exe
        Command line: sethc.exe
        PID: 2136

      C:\Windows\SysWOW64\sethc.exe
        Command line: sethc.exe
        PID: 1736

      C:\Windows\SysWOW64\sethc.exe
        Command line: sethc.exe
        PID: 5104
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\sethc.exe
        Command line: sethc.exe
        PID: 732
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.5MB
MD5: 0946f59f7a3718e24ca16f089f7974f6
SHA1: 143e879d7bb1b0322844c288a5c8c0aa88d78a29
SHA256: d357ab68c3253d5b235ea42fb65633e3d1993ee12b9135125e8b8c360566deec
SHA512: 0e4ead1184a474c98bb2deb4f7450246559f3b713541a75a7084f861ee4239303796f3ab8ea16e02b4c0cda76437676bce7c58cf470e0adaf775a71fc51a5842

Filesize: 28KB
MD5: 2dc148f5161f0914a2ca0136b088ed44
SHA1: cb47e69bb0fce98c6a16b687e05bba97143822bf
SHA256: 84730b81737bf67aa69383aa304a89b5b4da29190d8d6268f80b6e4df90d9463
SHA512: e5a951481ca01eccc3c77069642256ca6822e837240c9b9cee78305570fd05998a98d9dae0e80e71811d7a4953df54d1b2fd732d35fb5e8729dfbfd773cfff21