Analysis
- max time kernel: 129s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 23:38
Static task: static1
Behavioral task: behavioral1
- Sample: 76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe
- Resource: win10v2004-20220812-en
The signatures, process tree and dropped files below are from behavioral1 (the win7-20221111-en resource named in the Analysis block).
General
- Target: 76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe
- Size: 881KB
- MD5: 0e2799a3e9f835c79364929ebd42f5d0
- SHA1: bf5b89513999a41be64b0c1cf4062d918d931bd7
- SHA256: 76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
- SHA512: 8f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
- SSDEEP: 12288:CpRZPGFMuMnXRME1YOyGJBtquBWVbYmcCNT6bKiS9FT6Jwds/:MZPGN8hMZFuynY7CUbu9FWwd6
Malware Config
Signatures
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Executes dropped EXE (5 IoCs)
Processes:
- PID 832 detect.exe
- PID 1316 detect.exe
- PID 1692 Server.exe
- PID 1276 detect.exe
- PID 1208 detect.exe
-
yara_rule matches: upx
Resources (all three are dumps of the same region in PID 432, the explorer.exe instance that is the target of the SetThreadContext signature below, so the UPX hit is on the injected payload rather than on explorer's own image):
- behavioral1/memory/432-81-0x0000000001610000-0x0000000001720000-memory.dmp
- behavioral1/memory/432-84-0x0000000001610000-0x0000000001720000-memory.dmp
- behavioral1/memory/432-87-0x0000000001610000-0x0000000001720000-memory.dmp
Drops startup file (1 IoC)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs (by 76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe)
Loads dropped DLL (2 IoCs)
Processes:
- PID 1676 76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe
- PID 1316 detect.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes (the four operations below are each recorded twice, once by each of the two detect.exe instances that install persistence; the HKLM write lands under Wow6432Node because the 32-bit sample runs under WOW64 on this x64 image):
- Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run (detect.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" (detect.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (detect.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" (detect.exe)
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 832 (detect.exe) set thread context of PID 1316 (detect.exe)
- PID 1276 (detect.exe) set thread context of PID 1208 (detect.exe)
- PID 1208 (detect.exe) set thread context of PID 432 (explorer.exe)
Drops file in Windows directory (3 IoCs)
Processes:
- File opened for modification: C:\Windows\InstallDir\Server.exe (detect.exe)
- File created: C:\Windows\InstallDir\Server.exe (detect.exe)
- File opened for modification: C:\Windows\InstallDir\Server.exe (detect.exe)
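The three signatures above (startup-folder item, Run values, file written under the Windows directory) together describe the sample's persistence. The script below is an added example, not part of this Triage report or of the sample: it parses the rows exactly as the report prints them, deduplicates the double-recorded Run values, translates the kernel registry paths to the hive names a host hunt would use, undoes the WOW64 Wow6432Node redirection so the key can be checked from both the 32-bit and the 64-bit view, and cross-checks that every Run-value target was actually written to disk. The row grammar, the function names and the mapping of these rows to ATT&CK T1547.001 are this example's own assumptions.

```python
"""Normalise the persistence IoCs of the sandbox report into a hunt list.

Added example, not part of the Triage report or of the sample. The rows are
copied from the report; the row grammar, hive translation, WOW64 handling and
the T1547.001 (Run keys / Startup folder) mapping are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input copied from the report. The report records the four
# registry operations twice (PIDs 1316 and 1208 both install persistence).
REPORT_REGISTRY_ROWS = [
    r"Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run detect.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" detect.exe',
    r"Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run detect.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" detect.exe',
] * 2
REPORT_FILE_ROWS = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs 76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe",
    r"File opened for modification C:\Windows\InstallDir\Server.exe detect.exe",
    r"File created C:\Windows\InstallDir\Server.exe detect.exe",
]

# Assumed row grammar: 'Set value (<type>) <key>\<name> = "<data>" <writer>'.
_SET_VALUE = re.compile(
    r'^Set value \(\w+\) (\\REGISTRY\\(?:MACHINE|USER\\S-1-5-[\d-]+))\\(.+)\\([^\\ ]+) = "(.*)" (\S+)$')
_FILE_EVENT = re.compile(r"^(File created|File opened for modification) (.+) (\S+)$")
_STARTUP = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class RunValue:               # one autostart entry (ATT&CK T1547.001)
    hive: str                 # "HKLM" or "HKU\<SID>"
    subkey: str               # key below the hive, as the native (64-bit) view stores it
    name: str                 # value name
    data: str                 # value data with the report's doubled backslashes undone
    writer: str               # process image that set it

    @property
    def redirected(self) -> bool:
        """True when the WOW64 registry redirector rewrote the key path."""
        return "Wow6432Node" in self.subkey

    @property
    def subkey_32bit_view(self) -> str:
        """The path a 32-bit process opened to land in this key."""
        return self.subkey.replace("\\Wow6432Node", "")

    @property
    def native_path(self) -> str:
        return f"{self.hive}\\{self.subkey}\\{self.name}"


def _hive(raw: str) -> str:
    # \REGISTRY\MACHINE -> HKLM ; \REGISTRY\USER\<SID> -> HKU\<SID>
    parts = raw.split("\\")          # ['', 'REGISTRY', 'MACHINE'|'USER', <SID>?]
    return "HKLM" if parts[2] == "MACHINE" else "HKU\\" + parts[3]


def parse_run_values(rows: List[str]) -> Dict[RunValue, int]:
    """Map each distinct Run value to how many times the report recorded it."""
    counts: Dict[RunValue, int] = {}
    for row in rows:
        m = _SET_VALUE.match(row)
        if not m:                    # "Key created" rows carry no value; skip them
            continue
        raw_hive, subkey, name, data, writer = m.groups()
        rv = RunValue(_hive(raw_hive), subkey, name, data.replace("\\\\", "\\"), writer)
        counts[rv] = counts.get(rv, 0) + 1
    return counts


def parse_file_events(rows: List[str]) -> List[Tuple[str, str, str, str]]:
    """(action, path, writer, classification) for every file row."""
    out = []
    for row in rows:
        m = _FILE_EVENT.match(row)
        if not m:
            continue
        action, path, writer = m.groups()
        low = path.lower()
        if _STARTUP in low:
            kind = "startup folder item"
        elif low.startswith("c:\\windows\\"):
            kind = "file under the Windows directory"
        else:
            kind = "other"
        out.append((action, path, writer, kind))
    return out


def hunt_list(reg_rows: List[str], file_rows: List[str]) -> dict:
    """Deduplicated indicators plus the cross-check: was each Run target written?"""
    run_values = parse_run_values(reg_rows)
    files = parse_file_events(file_rows)
    written = {path for _, path, _, _ in files}
    return {
        "run_values": sorted(run_values, key=lambda r: r.native_path),
        "startup_items": [p for _, p, _, k in files if k == "startup folder item"],
        "payload_written": {rv.data for rv in run_values if rv.data in written},
        "payload_missing": {rv.data for rv in run_values if rv.data not in written},
    }


if __name__ == "__main__":
    result = hunt_list(REPORT_REGISTRY_ROWS, REPORT_FILE_ROWS)
    for rv in result["run_values"]:
        view = f" (32-bit view: {rv.subkey_32bit_view})" if rv.redirected else ""
        print(f"{rv.native_path} = {rv.data}{view}")
    print("startup items:", result["startup_items"])
    print("Run targets present on disk:", result["payload_written"])
```

On a live host the same two Run values have to be checked in both views: the native path under Wow6432Node, and the plain `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` path from a 32-bit process, since a 64-bit tool reading only the latter will miss what this sample wrote. The HKU entry is the logged-on user's hive, i.e. HKCU for the Admin account of the sandbox.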
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's generic description labels this likely ransomware behaviour; it is the only signature in this report with no process or file IoC attached.
-
Suspicious behavior: MapViewOfSection (4 IoCs)
Processes:
- PID 832 detect.exe (recorded twice)
- PID 1276 detect.exe (recorded twice)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 1316 detect.exe
Suspicious use of UnmapMainImage (1 IoC)
Processes:
- PID 432 explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each source/target pair is recorded four times in the report: 16 pairs x 4 = 64 IoCs):
- PID 1676 (76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe) wrote to memory of PID 832 (detect.exe)
- PID 832 (detect.exe) wrote to memory of PID 1316 (detect.exe)
- PID 1316 (detect.exe) wrote to memory of PID 584 (iexplore.exe)
- PID 1316 (detect.exe) wrote to memory of PID 664 (explorer.exe)
- PID 1316 (detect.exe) wrote to memory of PID 472 (iexplore.exe)
- PID 1316 (detect.exe) wrote to memory of PID 564 (explorer.exe)
- PID 1316 (detect.exe) wrote to memory of PID 856 (iexplore.exe)
- PID 1316 (detect.exe) wrote to memory of PID 760 (explorer.exe)
- PID 1316 (detect.exe) wrote to memory of PID 1860 (iexplore.exe)
- PID 1316 (detect.exe) wrote to memory of PID 1416 (explorer.exe)
- PID 1316 (detect.exe) wrote to memory of PID 676 (iexplore.exe)
- PID 1316 (detect.exe) wrote to memory of PID 1948 (explorer.exe)
- PID 1316 (detect.exe) wrote to memory of PID 692 (iexplore.exe)
- PID 1316 (detect.exe) wrote to memory of PID 1328 (explorer.exe)
- PID 1316 (detect.exe) wrote to memory of PID 1800 (iexplore.exe)
- PID 1316 (detect.exe) wrote to memory of PID 1884 (explorer.exe)
Processes
Indentation shows the parent/child depth that the page marks as 1⤵ .. 7⤵; the quoted string after each image path is the recorded command line, and the PID in parentheses is taken from the signature tables above.
[1] C:\Users\Admin\AppData\Local\Temp\76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe  "C:\Users\Admin\AppData\Local\Temp\76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe"  (PID 1676)
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"  (PID 832)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"  (PID 1316)
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] 17 x C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe"  and 17 x C:\Windows\SysWOW64\explorer.exe  explorer.exe, launched mostly in alternating order; none of these 34 children carries a signature
      [4] C:\Windows\InstallDir\Server.exe  "C:\Windows\InstallDir\Server.exe"  (PID 1692)
          - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"  (PID 1276)
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
          [6] C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe  "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"  (PID 1208)
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
            [7] C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe"
            [7] C:\Windows\SysWOW64\explorer.exe  explorer.exe  (PID 432)
                - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe (recorded 5 times with identical hashes; the hashes match the submitted sample, so the dropper writes a copy of itself)
Filesize: 881KB
MD5: 0e2799a3e9f835c79364929ebd42f5d0
SHA1: bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA256: 76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA512: 8f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2PA4XYQNg\2PA4XYQNg.nfo
Filesize: 3KB
MD5: b20dd04fbdbdf8fe3bd6290121d977ec
SHA1: 5af25dbbbc52776c00f27a0efe702c87100246a0
SHA256: 23af4519c2a7141113adf94929373c1962e2d88ec2331648c38873848a0a03cb
SHA512: 881df6307bf2b0047b31c84d1f1b116ef675f083941cf3171535706c925d90f124991d729af9cf8481870ded439bdeac786a0036d67df62976f312eee5252785
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2PA4XYQNg\2PA4XYQNg.svr
Filesize: 358KB
MD5: ad69242f4bf9548496051bd95ac05e1e
SHA1: 913292f6b83adf41337fd50201ad341500abc8b0
SHA256: 2663fdfe0fe4c37532f919282d035579bf84a895be5971982437cffbd41bdb1b
SHA512: 09bed3adc8427e4aeec4e32dfd0640da71d2839b62973e4bae94f0965c5836028511295d99be878af388789fc020117972c3cf51d5a2ef1899aeb9d43c2fd94e
-
C:\Windows\InstallDir\Server.exe (recorded twice; identical hashes, again the same as the submitted sample, so the Run-key target is a verbatim copy of the dropper)
Filesize: 881KB
MD5: 0e2799a3e9f835c79364929ebd42f5d0
SHA1: bf5b89513999a41be64b0c1cf4062d918d931bd7
SHA256: 76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2
SHA512: 8f73efd382a91312db15483f4251816ce47750f21c714af67bfd3faba11b8493c412c9326e48a68a7d52c4ecf125bf8837dfbc4615d56ef03378a923f1f3fc93
-
\Users\Admin\AppData\Roaming\ID Detector\detect.exe and \Windows\InstallDir\Server.exe (the same two files recorded once more without a drive letter; 881KB, identical hashes to the entries above)
-
Memory dumps (name format: PID-sequence-address range):
- memory/432-84-0x0000000001610000-0x0000000001720000-memory.dmp (Filesize 1.1MB)
- memory/432-81-0x0000000001610000-0x0000000001720000-memory.dmp (Filesize 1.1MB)
- memory/432-80-0x0000000001610000-0x0000000001720000-memory.dmp (Filesize 1.1MB)
- memory/432-87-0x0000000001610000-0x0000000001720000-memory.dmp (Filesize 1.1MB)
- memory/432-89-0x000000000171D0D0-mapping.dmp
- memory/832-56-0x0000000000000000-mapping.dmp
- memory/1208-73-0x0000000000408600-mapping.dmp
- memory/1208-76-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize 444KB)
- memory/1208-90-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize 444KB)
- memory/1276-70-0x0000000000000000-mapping.dmp
- memory/1316-62-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize 444KB)
- memory/1316-69-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize 444KB)
- memory/1316-64-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize 444KB)
- memory/1316-59-0x0000000000408600-mapping.dmp
- memory/1676-54-0x0000000075C81000-0x0000000075C83000-memory.dmp (Filesize 8KB)
- memory/1692-66-0x0000000000000000-mapping.dmp
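The SetThreadContext, WriteProcessMemory and MapViewOfSection signatures and the memory dump list above describe the same events from two sides: the API calls the sandbox hooked, and the regions it dumped in the targets of those calls. The script below is an added example, not part of this Triage report or of the sample: it parses both, pairs every SetThreadContext target with that PID's dumps, and checks whether the address of the target's mapping dump falls inside the dumped region, which is the evidence that a thread was redirected into injected code (process hollowing) rather than merely written to. It also copes with the WriteProcessMemory signature being capped at 64 IoCs, so the second chain (1276 -> 1208 -> 432) has no write rows at all. The row and dump-name grammar, the reading of a non-zero mapping-dump address as the new thread start address, and the verdict wording are this example's own assumptions.

```python
"""Correlate injection signatures with memory dumps from the sandbox report.

Added example, not part of the Triage report or of the sample. The rows, PIDs
and dump names are copied from the report. Assumed here: the row grammar; that
a "-mapping.dmp" at a non-zero address records the start address the redirected
thread was given by SetThreadContext; and the verdict wording.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input copied from the report.
SET_THREAD_CONTEXT_ROWS = [
    "PID 832 set thread context of 1316 832 detect.exe detect.exe",
    "PID 1276 set thread context of 1208 1276 detect.exe detect.exe",
    "PID 1208 set thread context of 432 1208 detect.exe explorer.exe",
]
# Three of the 16 distinct pairs of the capped (64 IoC) WriteProcessMemory signature.
WRITE_PROCESS_MEMORY_ROWS = [
    "PID 1676 wrote to memory of 832 1676 76656de28ec734c397c1d50f7bd61f1fd0f73f08b73af0f87c2a7bb2013cb5c2.exe detect.exe",
    "PID 832 wrote to memory of 1316 832 detect.exe detect.exe",
    "PID 1316 wrote to memory of 584 1316 detect.exe iexplore.exe",
]
MAP_VIEW_OF_SECTION_PIDS = {832, 1276}       # source PIDs of that signature
MEMORY_DUMP_NAMES = [
    "memory/432-84-0x0000000001610000-0x0000000001720000-memory.dmp",
    "memory/432-81-0x0000000001610000-0x0000000001720000-memory.dmp",
    "memory/432-89-0x000000000171D0D0-mapping.dmp",
    "memory/832-56-0x0000000000000000-mapping.dmp",
    "memory/1208-73-0x0000000000408600-mapping.dmp",
    "memory/1208-76-0x0000000000400000-0x000000000046F000-memory.dmp",
    "memory/1276-70-0x0000000000000000-mapping.dmp",
    "memory/1316-62-0x0000000000400000-0x000000000046F000-memory.dmp",
    "memory/1316-59-0x0000000000408600-mapping.dmp",
    "memory/1676-54-0x0000000075C81000-0x0000000075C83000-memory.dmp",
    "memory/1692-66-0x0000000000000000-mapping.dmp",
]

_EVENT = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)$")
_DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


@dataclass
class Injection:
    source: int
    source_image: str
    target: int
    target_image: str
    apis: Set[str] = field(default_factory=set)
    region: Optional[Tuple[int, int]] = None   # dumped [start, end) region in the target
    entry: Optional[int] = None                # address of the target's mapping dump

    @property
    def entry_in_region(self) -> bool:
        return (self.region is not None and self.entry is not None
                and self.region[0] <= self.entry < self.region[1])

    @property
    def entry_rva(self) -> Optional[int]:
        return self.entry - self.region[0] if self.entry_in_region else None

    @property
    def verdict(self) -> str:
        if "SetThreadContext" not in self.apis:
            return "write only: no thread redirection observed"
        if not self.entry_in_region:
            return "SetThreadContext without a dumped region containing the new start address"
        if "WriteProcessMemory" in self.apis:
            how = "WriteProcessMemory"
        elif "MapViewOfSection" in self.apis:
            how = "MapViewOfSection"
        else:
            how = "a write the capped signature did not record"
        size_kb = (self.region[1] - self.region[0]) // 1024
        return (f"process hollowing: thread start 0x{self.entry:X} (RVA 0x{self.entry_rva:X}) "
                f"lies inside the {size_kb}KB injected region, payload placed via {how}")


def parse_events(rows: List[str], map_view_pids=frozenset()) -> Dict[Tuple[int, int], Injection]:
    """Group the API rows by (source PID, target PID) and record which APIs each pair used."""
    found: Dict[Tuple[int, int], Injection] = {}
    for row in rows:
        m = _EVENT.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, verb, tgt, src_img, tgt_img = m.groups()
        inj = found.setdefault((int(src), int(tgt)), Injection(int(src), src_img, int(tgt), tgt_img))
        inj.apis.add("SetThreadContext" if verb.startswith("set") else "WriteProcessMemory")
        if int(src) in map_view_pids:
            inj.apis.add("MapViewOfSection")
    return found


def parse_dumps(names: List[str]) -> Dict[int, dict]:
    """Per PID: the set of dumped regions and the (non-zero) mapping-dump address."""
    per_pid: Dict[int, dict] = {}
    for name in names:
        m = _DUMP.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name!r}")
        pid, lo, hi, kind = int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)
        info = per_pid.setdefault(pid, {"regions": set(), "entry": None})
        if kind == "memory" and hi:
            info["regions"].add((lo, int(hi, 16)))
        elif kind == "mapping" and lo:       # 0x0 mapping dumps carry no start address
            info["entry"] = lo
    return per_pid


def correlate(injections: Dict[Tuple[int, int], Injection], dumps: Dict[int, dict]) -> List[Injection]:
    """Attach each target's dumps to the injection aimed at it."""
    for inj in injections.values():
        info = dumps.get(inj.target)
        if info is None:
            continue
        inj.entry = info["entry"]
        hits = [r for r in info["regions"] if inj.entry is not None and r[0] <= inj.entry < r[1]]
        inj.region = min(hits) if hits else (min(info["regions"]) if info["regions"] else None)
    return sorted(injections.values(), key=lambda i: (i.source, i.target))


def analyse() -> List[Injection]:
    events = parse_events(SET_THREAD_CONTEXT_ROWS + WRITE_PROCESS_MEMORY_ROWS, MAP_VIEW_OF_SECTION_PIDS)
    return correlate(events, parse_dumps(MEMORY_DUMP_NAMES))


if __name__ == "__main__":
    for inj in analyse():
        print(f"{inj.source} {inj.source_image} -> {inj.target} {inj.target_image}: {inj.verdict}")
```

Run against the report's data this yields three hollowing verdicts: 832 -> 1316 and 1276 -> 1208 both start the new thread at 0x408600 inside a 0x400000-0x46F000 region (RVA 0x8600, the 444KB unpacked image), while 1208 -> 432 starts at 0x171D0D0 inside the 1.1MB region at 0x1610000 that the upx rule matched, i.e. the packed payload mapped into explorer.exe away from its own image base. The 1316 -> iexplore.exe writes get "write only": the report shows no SetThreadContext for those 34 children.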