Analysis
max time kernel: 174s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 20:23
Static task: static1
Behavioral task: behavioral1
  Sample: 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
  Resource: win10v2004-20221111-en
All signatures, IoCs and processes reproduced below come from behavioral2 (the Windows 10 run); no behavioral1 results are recorded on this page.
General
Target: 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
Size: 995KB
MD5: f4d85e8ae9790fcdffc84f92923bda36
SHA1: 9e2f582ddf24aaa9ce972593d1ce301fd0f50222
SHA256: 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922
SHA512: 7b3bd2487aed3585c401e058a24cf80b0f0b402e9f984afc19b875348e88351bc77c6bb68c17485953f65a044b7e10eba8455c18825dc8cfe6dd7a5798b3e966
SSDEEP: 24576:0G3nqqGvzQK3126Uuvo+x78kOg7uzIvKb8Cj:06k3cOvoUKb8Cj
Malware Config
Extracted family: xtremerat
C2: yocymusic.zapto.org
zapto.org is one of the free No-IP dynamic DNS domains, so the address this name resolves to can change at any time; hunt and block on the hostname (DNS query logs) rather than on a single resolved IP.
Signatures
Detect XtremeRAT payload 5 IoCs
resource / yara_rule:
  behavioral2/memory/4756-143-0x0000000000C80000-0x0000000000C96000-memory.dmp  family_xtremerat
  behavioral2/memory/2472-148-0x0000000000000000-mapping.dmp  family_xtremerat
  behavioral2/memory/2472-149-0x0000000000C80000-0x0000000000C96000-memory.dmp  family_xtremerat
  behavioral2/memory/4756-150-0x0000000000C80000-0x0000000000C96000-memory.dmp  family_xtremerat
  behavioral2/memory/2472-151-0x0000000000C80000-0x0000000000C96000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Executes dropped EXE 1 IoCs
pid / Process:
  4756  taskgen.exe
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description / ioc / Process:
  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0}  taskgen.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"  taskgen.exe
Active Setup runs the StubPath command once per user at the next interactive logon, which gives the implant a second autostart path that survives removal of the Run keys below. The component name is not a well-formed GUID (it contains non-hex characters such as V, X, O and W), which makes it a cheap hunting pivot across a fleet.
Matches UPX packer YARA rule 6 IoCs
resource / yara_rule:
  behavioral2/files/0x0008000000022dd8-141.dat  upx
  behavioral2/files/0x0008000000022dd8-142.dat  upx
  behavioral2/memory/4756-143-0x0000000000C80000-0x0000000000C96000-memory.dmp  upx
  behavioral2/memory/2472-149-0x0000000000C80000-0x0000000000C96000-memory.dmp  upx
  behavioral2/memory/4756-150-0x0000000000C80000-0x0000000000C96000-memory.dmp  upx
  behavioral2/memory/2472-151-0x0000000000C80000-0x0000000000C96000-memory.dmp  upx
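The two YARA tables above (family_xtremerat and upx) reference memory dumps by a fixed naming scheme: task/memory/pid-sequence-0xSTART-0xEND-memory.dmp, or pid-sequence-0x0-mapping.dmp for a mapping hit. The following is an added example, not part of the sandbox report or the sandbox's own tooling, that parses those references and groups the regions by process so that a payload mapped at the same address in several processes stands out. The sample input is constructed from the nine hits printed on this page; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed from this report's two YARA tables (family_xtremerat and upx), one hit per line.
MEMORY_HITS = """\
behavioral2/memory/4756-143-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat
behavioral2/memory/2472-148-0x0000000000000000-mapping.dmp family_xtremerat
behavioral2/memory/2472-149-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat
behavioral2/memory/4756-150-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat
behavioral2/memory/2472-151-0x0000000000C80000-0x0000000000C96000-memory.dmp family_xtremerat
behavioral2/memory/4756-143-0x0000000000C80000-0x0000000000C96000-memory.dmp upx
behavioral2/memory/2472-149-0x0000000000C80000-0x0000000000C96000-memory.dmp upx
behavioral2/memory/4756-150-0x0000000000C80000-0x0000000000C96000-memory.dmp upx
behavioral2/memory/2472-151-0x0000000000C80000-0x0000000000C96000-memory.dmp upx
"""

# "<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>"  or
# "<task>/memory/<pid>-<seq>-0x<start>-mapping.dmp <rule>"
DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp (?P<rule>\S+)$"
)


def parse_memory_hits(text):
    """Turn each dump reference into a dict with numeric pid, start/end addresses and size."""
    hits = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        start = int(m["start"], 16)
        end = int(m["end"], 16) if m["end"] else None
        hits.append({
            "task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "kind": "memory" if m["end"] else "mapping",
            "start": start, "end": end,
            "size": (end - start) if end is not None else None,
            "rule": m["rule"],
        })
    return hits


def regions_by_pid(hits):
    """(start, end) -> {pid: set(rules)}.  A region that shows up under several pids with
    the same rules is the same payload mapped at the same address in each process."""
    out = defaultdict(lambda: defaultdict(set))
    for h in hits:
        if h["kind"] == "memory":
            out[(h["start"], h["end"])][h["pid"]].add(h["rule"])
    return {region: dict(pids) for region, pids in out.items()}


def summarise(hits):
    """One human-readable line per distinct region."""
    lines = []
    for (start, end), pids in sorted(regions_by_pid(hits).items()):
        who = ", ".join(f"pid {pid} [{'+'.join(sorted(rules))}]"
                        for pid, rules in sorted(pids.items()))
        lines.append(f"0x{start:08X}-0x{end:08X} ({end - start:#x} bytes): {who}")
    return lines


if __name__ == "__main__":
    for line in summarise(parse_memory_hits(MEMORY_HITS)):
        print(line)
```

On this page's data the summary is a single line: one 0x16000-byte region at 0x00C80000 is flagged by both rules in taskgen.exe (pid 4756) and in the svchost.exe (pid 2472) that taskgen.exe wrote to, so the same payload sits at the same base in both processes; the 2472-148 mapping hit has no address range and is kept separately.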
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description / ioc / Process:
  Key value queried  \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
Adds Run key to start application 2 TTPs 4 IoCs
description / ioc / Process:
  Set value (str)  \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"  taskgen.exe
  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  taskgen.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"  taskgen.exe
  Key created  \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run  taskgen.exe
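The Active Setup and Run-key entries above are the two persistence mechanisms this sample installs, and both carry traits that are easy to test for: an Installed Components name that is not a real GUID, and autostart values pointing at an executable in a made-up folder under C:\Windows. The following is an added example, not code from the sandbox or from the malware, that parses registry IoC lines in the report's own "Key created" / "Set value" form and raises a finding for each trait. The allow-list of ordinary C:\Windows subfolders is an assumption of the example, as are the rule and function names; the sample input is constructed from the six IoC lines on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample: the six registry IoC lines from this report, one per line, in the
# sandbox's own form.  Backslashes inside the quoted data are doubled as the report prints them.
SAMPLE_IOCS = r"""
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0} taskgen.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" taskgen.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" taskgen.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run taskgen.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" taskgen.exe
Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run taskgen.exe
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r"^Key created (.+) (\S+)$")

# Assumption for this example: autostart targets under these C:\Windows subfolders are
# treated as ordinary; anything else under C:\Windows (such as C:\Windows\InstallDir) is flagged.
EXPECTED_WINDOWS_DIRS = {"system32", "syswow64", "winsxs", "systemapps"}


@dataclass
class Finding:
    rule: str
    process: str
    key: str
    detail: str


def hive(key):
    # \REGISTRY\MACHINE\... -> HKLM, \REGISTRY\USER\<SID>\... -> HKU
    parts = key.split("\\")
    root = parts[2].upper() if len(parts) > 2 else ""
    return {"MACHINE": "HKLM", "USER": "HKU"}.get(root, "?")


def exe_path(data):
    """Executable part of a Run/StubPath value: undo the report's doubled backslashes,
    drop surrounding quotes and keep everything up to the first '.exe'."""
    data = data.replace("\\\\", "\\").strip().strip('"')
    m = re.match(r"^(.+?\.exe)", data, re.I)
    return m.group(1) if m else data


def outside_expected_windows_dir(exe):
    parts = exe.lower().split("\\")
    return len(parts) >= 4 and parts[1] == "windows" and parts[2] not in EXPECTED_WINDOWS_DIRS


def active_setup_component(key):
    """The Installed Components subkey (normally a {GUID}) if key lies under Active Setup."""
    parts = key.split("\\")
    low = [p.lower() for p in parts]
    for i in range(len(low) - 2):
        if low[i] == "active setup" and low[i + 1] == "installed components":
            return parts[i + 2]
    return None


def check_key_created(key, proc):
    comp = active_setup_component(key)
    if comp is not None and not GUID_RE.match(comp):
        return [Finding("active_setup_malformed_guid", proc, key,
                        f"component name {comp} is not a well-formed GUID")]
    return []


def check_set_value(key, data, proc):
    out = []
    parent, name = key.rsplit("\\", 1)
    comp = active_setup_component(key)
    if comp is not None and name.lower() == "stubpath":
        exe = exe_path(data)
        # Active Setup runs StubPath once per user at the next interactive logon; a
        # malformed component name or an odd target path is worth a finding either way.
        if not GUID_RE.match(comp) or outside_expected_windows_dir(exe):
            out.append(Finding("active_setup_stubpath", proc, key, f"StubPath runs {exe}"))
    if parent.lower().endswith("\\microsoft\\windows\\currentversion\\run"):
        exe = exe_path(data)
        if outside_expected_windows_dir(exe):
            out.append(Finding("run_key_unusual_windows_subdir", proc, key,
                               f"{hive(key)} Run value '{name}' starts {exe}"))
    return out


def analyse_registry_iocs(text):
    """Run every IoC line through the checks above; findings come back in input order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            _type, key, data, proc = m.groups()
            findings.extend(check_set_value(key, data, proc))
            continue
        m = KEY_RE.match(line)
        if m:
            findings.extend(check_key_created(*m.groups()))
    return findings


if __name__ == "__main__":
    for f in analyse_registry_iocs(SAMPLE_IOCS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

Run against the six lines from this report it produces four findings, all attributed to taskgen.exe: the malformed Active Setup component, its StubPath, and the HKCU and HKLM Run values that both start C:\Windows\InstallDir\Server.exe. The two "Key created ...\Run" lines produce nothing on their own, since creating the Run key is not in itself suspicious.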
Drops desktop.ini file(s) 2 IoCs
description / ioc / Process:
  File created  C:\Windows\assembly\Desktop.ini  7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
Drops file in Windows directory 6 IoCs
description / ioc / Process:
  File opened for modification  C:\Windows\InstallDir\Server.exe  taskgen.exe
  File created  C:\Windows\InstallDir\Server.exe  taskgen.exe
  File opened for modification  C:\Windows\InstallDir\  taskgen.exe
  File opened for modification  C:\Windows\assembly  7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
  File created  C:\Windows\assembly\Desktop.ini  7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: the report records no file encryption or mass file modification, so for this sample treat it as drive enumeration by the RAT rather than as evidence of ransomware.
Suspicious use of SetWindowsHookEx 1 IoCs
pid / Process:
  2472  svchost.exe
Suspicious use of WriteProcessMemory 10 IoCs
description / pid / Process / procid_target:
  PID 1504 wrote to memory of 4756  1504  7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe  87
  PID 1504 wrote to memory of 4756  1504  7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe  87
  PID 1504 wrote to memory of 4756  1504  7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe  87
  PID 4756 wrote to memory of 2952  4756  taskgen.exe  88
  PID 4756 wrote to memory of 2952  4756  taskgen.exe  88
  PID 4756 wrote to memory of 2952  4756  taskgen.exe  88
  PID 4756 wrote to memory of 2472  4756  taskgen.exe  89
  PID 4756 wrote to memory of 2472  4756  taskgen.exe  89
  PID 4756 wrote to memory of 2472  4756  taskgen.exe  89
  PID 4756 wrote to memory of 2472  4756  taskgen.exe  89
Processes
C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe"
  PID: 1504
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\taskgen.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\taskgen.exe"
    PID: 4756
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2952
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2472
      - Suspicious use of SetWindowsHookEx
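The WriteProcessMemory table and the process tree above together describe the injection chain: the sample writes into the dropped taskgen.exe, and taskgen.exe then launches two copies of the 32-bit svchost.exe with a bare "svchost.exe" command line and writes into each of them. The following is an added example, not code from the sandbox or from the malware, that rebuilds that picture from the report's own event lines and scores each writer/target pair against a baseline that holds on a default Windows 10 install: svchost.exe is a child of services.exe and always carries a -k service-group argument. The process tree and event lines are constructed from this page; the severity scheme and function names are the example's own.

```python
import re
from collections import Counter

SAMPLE = "7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"

# Constructed from the report's process tree: (pid, parent pid, image path, command line).
PROCESS_TREE = [
    (1504, None, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (4756, 1504, TEMP + "\\taskgen.exe", '"' + TEMP + '\\taskgen.exe"'),
    (2952, 4756, "C:\\Windows\\SysWOW64\\svchost.exe", "svchost.exe"),
    (2472, 4756, "C:\\Windows\\SysWOW64\\svchost.exe", "svchost.exe"),
]

# Constructed to match the report's WriteProcessMemory table, one event per line:
# "PID <src> wrote to memory of <dst> <src> <src image> <dst procid>".
WRITE_EVENTS = f"""\
PID 1504 wrote to memory of 4756 1504 {SAMPLE} 87
PID 1504 wrote to memory of 4756 1504 {SAMPLE} 87
PID 1504 wrote to memory of 4756 1504 {SAMPLE} 87
PID 4756 wrote to memory of 2952 4756 taskgen.exe 88
PID 4756 wrote to memory of 2952 4756 taskgen.exe 88
PID 4756 wrote to memory of 2952 4756 taskgen.exe 88
PID 4756 wrote to memory of 2472 4756 taskgen.exe 89
PID 4756 wrote to memory of 2472 4756 taskgen.exe 89
PID 4756 wrote to memory of 2472 4756 taskgen.exe 89
PID 4756 wrote to memory of 2472 4756 taskgen.exe 89
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def count_writes(write_events):
    """Collapse the per-call table into (writer pid, target pid) -> number of writes."""
    counts = Counter()
    for line in write_events.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def find_injection_candidates(tree, write_events):
    """Score every (writer, target) pair against the process tree.

    A parent writing into a child it just created is reported on its own at medium
    severity, because a benign launcher can do that too.  A target svchost.exe that is not
    a child of services.exe, or that runs without '-k <group>', adds a reason each; more
    than one reason makes the pair high severity."""
    procs = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in tree}
    findings = []
    for (src, dst), n in sorted(count_writes(write_events).items()):
        ppid, image, cmdline = procs[dst]
        src_image = procs[src][1]
        reasons = []
        if ppid == src:
            reasons.append(f"parent wrote into its own child {n} time(s)")
        if basename(image) == "svchost.exe":
            if basename(src_image) != "services.exe":
                reasons.append(f"svchost.exe parent is {basename(src_image)}, not services.exe")
            if "-k" not in cmdline.lower().split():
                reasons.append("svchost.exe started without a -k service group")
        if reasons:
            findings.append({
                "src": src, "dst": dst, "dst_image": image, "writes": n,
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_injection_candidates(PROCESS_TREE, WRITE_EVENTS):
        print(f"{f['severity']:6} {f['src']} -> {f['dst']} "
              f"({basename(f['dst_image'])}, {f['writes']} writes)")
        for r in f["reasons"]:
            print("       -", r)
```

On this report the two svchost.exe targets (2952 and 2472) score high for all three reasons, while the sample writing into its own child taskgen.exe is medium on its own. Note that 2472, the svchost.exe that received the most writes, is also the process the report shows calling SetWindowsHookEx, so the hook is set from the injected copy rather than from taskgen.exe.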
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 21KB
MD5: ff53c2e05032c76a8457f2cde3ba1d3a
SHA1: 15acfd27138b871a866f7aa5ffdfc6357d865cc1
SHA256: d2eaf2bda7a45563939d7ead777666263d1f9fcb94c5d3cf970aa90bad498c88
SHA512: c2bd5bb00fd3a1da735e1e598e2a7b1e7d1fe73e3911fa3cfa53f27d55d49df5ad947e37a7497eff252803c138b5d4c5471b48bf930a8b69e283ef222b2393fe
(The download list carries this entry twice with identical hashes.)