Analysis
max time kernel: 211s
max time network: 282s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2022, 20:23
Static task: static1
Behavioral task: behavioral1
  Sample: 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
  Resource: win10v2004-20221111-en
General
Target: 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
Size: 995KB
MD5: f4d85e8ae9790fcdffc84f92923bda36
SHA1: 9e2f582ddf24aaa9ce972593d1ce301fd0f50222
SHA256: 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922
SHA512: 7b3bd2487aed3585c401e058a24cf80b0f0b402e9f984afc19b875348e88351bc77c6bb68c17485953f65a044b7e10eba8455c18825dc8cfe6dd7a5798b3e966
SSDEEP: 24576:0G3nqqGvzQK3126Uuvo+x78kOg7uzIvKb8Cj:06k3cOvoUKb8Cj
Malware Config
Extracted
xtremerat
yocymusic.zapto.org
Signatures

Detect XtremeRAT payload (8 IoCs)
resource | yara_rule
behavioral1/memory/896-61-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/896-63-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/1356-66-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral1/memory/1356-68-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/1448-72-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral1/memory/1448-74-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/896-75-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/1448-76-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Executes dropped EXE (1 IoC)
pid | Process
896 | taskgen.exe
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0} | taskgen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | taskgen.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | svchost.exe
Matches yara rule upx (9 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012324-58.dat | upx
behavioral1/memory/896-61-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/files/0x000a000000012324-62.dat | upx
behavioral1/memory/896-63-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/files/0x0008000000012355-69.dat | upx
behavioral1/memory/1356-68-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1448-74-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/896-75-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/1448-76-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | taskgen.exe
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run | taskgen.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | taskgen.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | taskgen.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\InstallDir\Server.exe | taskgen.exe
File created | C:\Windows\InstallDir\Server.exe | taskgen.exe
File opened for modification | C:\Windows\InstallDir\ | taskgen.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1448 | svchost.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 1276 wrote to memory of 896 | 1276 | 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe | 28 (4 identical entries)
PID 896 wrote to memory of 1356 | 896 | taskgen.exe | 29 (5 identical entries)
PID 896 wrote to memory of 1448 | 896 | taskgen.exe | 30 (5 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe (PID 1276)
  command line: "C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\taskgen.exe (PID 896)
    command line: "C:\Users\Admin\AppData\Local\Temp\taskgen.exe"
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 1356)
      command line: svchost.exe
      - Modifies Installed Components in the registry
      - Adds Run key to start application
    C:\Windows\SysWOW64\svchost.exe (PID 1448)
      command line: svchost.exe
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (listed three times in the report with identical hashes)
Filesize: 21KB
MD5: ff53c2e05032c76a8457f2cde3ba1d3a
SHA1: 15acfd27138b871a866f7aa5ffdfc6357d865cc1
SHA256: d2eaf2bda7a45563939d7ead777666263d1f9fcb94c5d3cf970aa90bad498c88
SHA512: c2bd5bb00fd3a1da735e1e598e2a7b1e7d1fe73e3911fa3cfa53f27d55d49df5ad947e37a7497eff252803c138b5d4c5471b48bf930a8b69e283ef222b2393fe