Analysis
-
max time kernel
129s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
24-11-2022 23:38
General
-
Target
76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe
-
Size
881KB
-
MD5
0e2799a3e9f835c79364929ebd42f5d0
-
SHA1
bf5b89513999a41be64b0c1cf4062d918d931bd7
-
SHA256
76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
-
SHA512
8f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
SSDEEP
12288:CpRZPGFMuMnXRME1YOyGJBtquBWVbYmcCNT6bKiS9FT6Jwds/:MZPGN8hMZFuynY7CUbu9FWwd6
Malware Config
Signatures
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Executes dropped EXE 5 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe"C:\Users\Admin\AppData\Local\Temp\76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Windows\InstallDir\Server.exe"C:\Windows\InstallDir\Server.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exeFilesize
881KB
MD50e2799a3e9f835c79364929ebd42f5d0
SHA1bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA25676656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA5128f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exeFilesize
881KB
MD50e2799a3e9f835c79364929ebd42f5d0
SHA1bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA25676656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA5128f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exeFilesize
881KB
MD50e2799a3e9f835c79364929ebd42f5d0
SHA1bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA25676656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA5128f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exeFilesize
881KB
MD50e2799a3e9f835c79364929ebd42f5d0
SHA1bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA25676656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA5128f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exeFilesize
881KB
MD50e2799a3e9f835c79364929ebd42f5d0
SHA1bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA25676656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA5128f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2PA4XYQNg\2PA4XYQNg.nfoFilesize
3KB
MD5b20dd04fbdbdf8fe3bd6290121d977ec
SHA15af25dbbbc52776c00f27a0efe702c87100246a0
SHA25623af4519c2a7141113adf94929373c1962e2d88ec2331648c38873848a0a03cb
SHA512881df6307bf2b0047b31c84d1f1b116ef675f083941cf3171535706c925d90f124991d729af9cf8481870ded439bdeac786a0036d67df62976f312eee5252785
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2PA4XYQNg\2PA4XYQNg.svrFilesize
358KB
MD5ad69242f4bf9548496051bd95ac05e1e
SHA1913292f6b83adf41337fd50201ad341500abc8b0
SHA2562663fdfe0fe4c37532f919282d035579bf84a895be5971982437cffbd41bdb1b
SHA51209bed3adc8427e4aeec4e32dfd0640da71d2839b62973e4bae94f0965c5836028511295d99be878af388789fc020117972c3cf51d5a2ef1899aeb9d43c2fd94e
-
C:\Windows\InstallDir\Server.exeFilesize
881KB
MD50e2799a3e9f835c79364929ebd42f5d0
SHA1bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA25676656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA5128f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
C:\Windows\InstallDir\Server.exeFilesize
881KB
MD50e2799a3e9f835c79364929ebd42f5d0
SHA1bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA25676656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA5128f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
\Users\Admin\AppData\Roaming\ID Detector\detect.exeFilesize
881KB
MD50e2799a3e9f835c79364929ebd42f5d0
SHA1bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA25676656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA5128f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
\Windows\InstallDir\Server.exeFilesize
881KB
MD50e2799a3e9f835c79364929ebd42f5d0
SHA1bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA25676656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA5128f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
memory/432-84-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/432-81-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/432-80-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/432-87-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/432-89-0x000000000171D0D0-mapping.dmp
-
memory/832-56-0x0000000000000000-mapping.dmp
-
memory/1208-73-0x0000000000408600-mapping.dmp
-
memory/1208-76-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/1208-90-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/1276-70-0x0000000000000000-mapping.dmp
-
memory/1316-62-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/1316-69-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/1316-64-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/1316-59-0x0000000000408600-mapping.dmp
-
memory/1676-54-0x0000000075C81000-0x0000000075C83000-memory.dmpFilesize
8KB
-
memory/1692-66-0x0000000000000000-mapping.dmp