Analysis

max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 20:27

Static task: static1

Behavioral task: behavioral1
Sample: 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
Resource: win10v2004-20220812-en

General

Target: 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
Size: 712KB
MD5: 5244590f29e5fdf4267f60fe2a06ea90
SHA1: 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256: 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512: 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885
SSDEEP: 12288:tOqBSImJ7uD4vqQOqCg/0+cdEuH8uitp4xieV31K93V:kCSXOTRdEuUpJGls
Malware Config
Extracted
xtremerat
hussienashraf2020.zapto.org
Signatures
Detect XtremeRAT payload 13 IoCs
resource | yara_rule
behavioral2/memory/4752-133-0x0000000000C80000-0x0000000000CEE000-memory.dmp | family_xtremerat
behavioral2/memory/4752-134-0x0000000000C80000-0x0000000000CEE000-memory.dmp | family_xtremerat
behavioral2/memory/4752-136-0x0000000000C80000-0x0000000000CEE000-memory.dmp | family_xtremerat
behavioral2/memory/4752-138-0x0000000000C80000-0x0000000000CEE000-memory.dmp | family_xtremerat
behavioral2/memory/4752-139-0x0000000000C80000-0x0000000000CEE000-memory.dmp | family_xtremerat
behavioral2/memory/4752-140-0x0000000000C80000-0x0000000000CEE000-memory.dmp | family_xtremerat
behavioral2/memory/4752-142-0x0000000000C80000-0x0000000000CEE000-memory.dmp | family_xtremerat
behavioral2/memory/4632-143-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral2/memory/4124-145-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral2/memory/4752-146-0x0000000000C81000-0x0000000000C8A000-memory.dmp | family_xtremerat
behavioral2/memory/4632-147-0x0000000000C80000-0x0000000000CEE000-memory.dmp | family_xtremerat
behavioral2/memory/4124-148-0x0000000000C80000-0x0000000000CEE000-memory.dmp | family_xtremerat
behavioral2/memory/4124-149-0x0000000000C80000-0x0000000000CEE000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Executes dropped EXE 8 IoCs
pid | Process
2760 | Server.exe
784 | Server.exe
2152 | Server.exe
3992 | Server.exe
4176 | Server.exe
748 | Server.exe
1016 | Server.exe
3344 | Server.exe
Modifies Installed Components in the registry 2 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6X05Y61Y-KU8F-VAM6-OEN2-1T0Q20C4EGNI} | Server.exe
resource | yara_rule
behavioral2/memory/1628-184-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral2/memory/1628-185-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral2/memory/1628-186-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral2/memory/1628-188-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral2/memory/1628-190-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral2/memory/1628-194-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral2/memory/1628-193-0x0000000001610000-0x0000000001712000-memory.dmp | upx
Adds Run key to start application 2 TTPs 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Server.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | Server.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Suspicious use of SetThreadContext 7 IoCs
description | pid | Process | procid_target
PID 4772 set thread context of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 2760 set thread context of 3992 | 2760 | Server.exe | 89
PID 784 set thread context of 4176 | 784 | Server.exe | 92
PID 3992 set thread context of 1628 | 3992 | Server.exe | 90
PID 4176 set thread context of 4840 | 4176 | Server.exe | 94
PID 2152 set thread context of 1016 | 2152 | Server.exe | 96
PID 748 set thread context of 3344 | 748 | Server.exe | 97
Drops file in Windows directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\InstallDir\ | Server.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | Server.exe
File opened for modification | C:\Windows\InstallDir\ | Server.exe
File opened for modification | C:\Windows\InstallDir\Server.exe | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
File created | C:\Windows\InstallDir\Server.exe | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
File opened for modification | C:\Windows\InstallDir\ | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 16 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | explorer.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | svchost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1628 | explorer.exe
1628 | explorer.exe
4840 | explorer.exe
4840 | explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4124 | explorer.exe
1628 | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4772 wrote to memory of 4752 | 4772 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 81
PID 4752 wrote to memory of 4632 | 4752 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 82
PID 4752 wrote to memory of 4632 | 4752 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 82
PID 4752 wrote to memory of 4632 | 4752 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 82
PID 4752 wrote to memory of 4632 | 4752 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 82
PID 4752 wrote to memory of 1640 | 4752 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 83
PID 4752 wrote to memory of 1640 | 4752 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 83
PID 4752 wrote to memory of 4124 | 4752 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 84
PID 4752 wrote to memory of 4124 | 4752 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 84
PID 4752 wrote to memory of 4124 | 4752 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 84
PID 4752 wrote to memory of 4124 | 4752 | 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe | 84
PID 4124 wrote to memory of 784 | 4124 | explorer.exe | 86
PID 4632 wrote to memory of 2760 | 4632 | svchost.exe | 85
PID 4632 wrote to memory of 2760 | 4632 | svchost.exe | 85
PID 4632 wrote to memory of 2760 | 4632 | svchost.exe | 85
PID 4124 wrote to memory of 784 | 4124 | explorer.exe | 86
PID 4124 wrote to memory of 784 | 4124 | explorer.exe | 86
PID 4632 wrote to memory of 2152 | 4632 | svchost.exe | 88
PID 4632 wrote to memory of 2152 | 4632 | svchost.exe | 88
PID 4632 wrote to memory of 2152 | 4632 | svchost.exe | 88
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 2760 wrote to memory of 3992 | 2760 | Server.exe | 89
PID 3992 wrote to memory of 3732 | 3992 | Server.exe | 91
PID 3992 wrote to memory of 3732 | 3992 | Server.exe | 91
PID 3992 wrote to memory of 1628 | 3992 | Server.exe | 90
PID 3992 wrote to memory of 1628 | 3992 | Server.exe | 90
PID 3992 wrote to memory of 1628 | 3992 | Server.exe | 90
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 784 wrote to memory of 4176 | 784 | Server.exe | 92
PID 4176 wrote to memory of 3460 | 4176 | Server.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe (PID 4772)
  command line: "C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe (PID 4752)
    command line: C:\Users\Admin\AppData\Local\Temp\1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4.exe
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 4632)
      command line: svchost.exe
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\Windows\InstallDir\Server.exe (PID 2760)
        command line: "C:\Windows\InstallDir\Server.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Windows\InstallDir\Server.exe (PID 3992)
          command line: C:\Windows\InstallDir\Server.exe
          - Executes dropped EXE
          - Modifies Installed Components in the registry
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\explorer.exe (PID 1628)
            command line: explorer.exe
            - Modifies Installed Components in the registry
            - Adds Run key to start application
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3732)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      C:\Windows\InstallDir\Server.exe (PID 2152)
        command line: "C:\Windows\InstallDir\Server.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        C:\Windows\InstallDir\Server.exe (PID 1016)
          command line: C:\Windows\InstallDir\Server.exe
          - Executes dropped EXE
      C:\Windows\InstallDir\Server.exe (PID 748)
        command line: "C:\Windows\InstallDir\Server.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        C:\Windows\InstallDir\Server.exe (PID 3344)
          command line: C:\Windows\InstallDir\Server.exe
          - Executes dropped EXE
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1640)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    C:\Windows\SysWOW64\explorer.exe (PID 4124)
      command line: explorer.exe
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\InstallDir\Server.exe (PID 784)
        command line: "C:\Windows\InstallDir\Server.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Windows\InstallDir\Server.exe (PID 4176)
          command line: C:\Windows\InstallDir\Server.exe
          - Executes dropped EXE
          - Modifies Installed Components in the registry
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3460)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          C:\Windows\SysWOW64\explorer.exe (PID 4840)
            command line: explorer.exe
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: 892fb7ae7b1a8c59133b27f958ccb550
SHA1: 13a80dff0481d5aee88c51d2130186a0a9194932
SHA256: 1678881e96078de557abfd5f5e5a18f468c625a255c2976bdc3251713ad7bfd8
SHA512: 8538ecca79bec6269159cacff826e05752650174e6963c78aa0d29071d9fafaf31f17523d7b1b7596dedca11a691fdfa4f28c35b4a4593ef6b13a5c04bd9f884
Filesize: 2B
MD5: 84cad01fdb44ae58dbe6c3973dcd87f5
SHA1: 4700b42849fb35be323774820bf1bc8019d26c80
SHA256: 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6
SHA512: 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

Filesize: 343KB
MD5: 6426d400c96fb9ffef4eaa54f6647f4c
SHA1: 70a37871aff432790b6adf7d3fc4eb929476e082
SHA256: 98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c
SHA512: 2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

Filesize: 712KB
MD5: 5244590f29e5fdf4267f60fe2a06ea90
SHA1: 00ea26b62e1962ccd9a64ddec59d0700accadb6e
SHA256: 1aab225382e13f21383beacb5816af4cb6cca594012388e547a49fbacedb82f4
SHA512: 48f252a903222289520a594ee904fcf76ff7c3f70c2b733af02ef0f2bd430bca3f5934da4704de5c4d86d87e2e5a663aa0f80c9406d3dba7be077535af5bc885