Analysis
- max time kernel: 145s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 21:58
Static task: static1
Behavioral task: behavioral1
- Sample: 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
- Resource: win10v2004-20220812-en
General
- Target: 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
- Size: 984KB
- MD5: 6edee3f6a9eee3733d27991a3a6d5608
- SHA1: 47eb27c4e6f1e86e45eedd63f744aa7c426b3918
- SHA256: 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84
- SHA512: ae4e927c5d808292359b34eacf44ebc0d0ecf107c60e209555afaf596ff17d19acced2195229c8eca214dc4320739ef68cf9087182f89dd65a31e248f84255de
- SSDEEP: 24576:YN74AuHCuqcpjN0Va63ViVIOqccf5RTNRXkdOGObsOm:mMAICuqcv0wNIvVN9kdOGObZm
Malware Config
Signatures
- Detect XtremeRAT payload (4 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/1912-136-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
    behavioral2/memory/1912-135-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
    behavioral2/memory/1912-138-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
    behavioral2/memory/1912-143-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Wine | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes (pid | process):
    2212 | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 2212 set thread context of 1912 | 2212 | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid | process), 10 identical entries:
    2212 | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe (x10)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process), 2 identical entries:
    2212 | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe (x2)
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes involved: 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe, cmd.exe, net.exe, 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
  Entries (description | pid | process | target process):
    PID 2212 wrote to memory of 3324 | 2212 | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe | cmd.exe (x3)
    PID 2212 wrote to memory of 1912 | 2212 | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe (x13)
    PID 3324 wrote to memory of 4800 | 3324 | cmd.exe | net.exe (x3)
    PID 4800 wrote to memory of 4668 | 4800 | net.exe | net1.exe (x3)
    PID 1912 wrote to memory of 3760 | 1912 | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe | msedge.exe (x3)
Processes
(nesting level follows the process tree; "cmd" is the observed command line)

1. C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      cmd: /c net stop MpsSvc
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\net.exe
         cmd: net stop MpsSvc
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 stop MpsSvc

   2. C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1912-138-0x0000000010000000-0x000000001004A000-memory.dmp (Filesize: 296KB)
- memory/1912-144-0x0000000000400000-0x00000000005DA000-memory.dmp (Filesize: 1.9MB)
- memory/1912-134-0x0000000000000000-mapping.dmp
- memory/1912-143-0x0000000010000000-0x000000001004A000-memory.dmp (Filesize: 296KB)
- memory/1912-136-0x0000000010000000-0x000000001004A000-memory.dmp (Filesize: 296KB)
- memory/1912-135-0x0000000010000000-0x000000001004A000-memory.dmp (Filesize: 296KB)
- memory/2212-137-0x0000000000400000-0x00000000005DA000-memory.dmp (Filesize: 1.9MB)
- memory/2212-140-0x0000000004520000-0x0000000004524000-memory.dmp (Filesize: 16KB)
- memory/2212-139-0x0000000077360000-0x0000000077503000-memory.dmp (Filesize: 1.6MB)
- memory/2212-132-0x0000000000400000-0x00000000005DA000-memory.dmp (Filesize: 1.9MB)
- memory/3324-133-0x0000000000000000-mapping.dmp
- memory/4668-142-0x0000000000000000-mapping.dmp
- memory/4800-141-0x0000000000000000-mapping.dmp