Analysis
- max time kernel: 194s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 17:12
Static task: static1
Behavioral task: behavioral1
- Sample: f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
- Resource: win10v2004-20221111-en
General
- Target: f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
- Size: 996KB
- MD5: 376830294e3248b64e3cc045379d866f
- SHA1: da7c94266ae4703e1533b0bf55223c317b1e8dd4
- SHA256: f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e
- SHA512: b9b7d2f6cf171140cd0cb9c33f35be13ab2028ea852f52a16c3e361d65ccce5fb42dde74f4f53bfa6f536e9384d6709b80e3fed80c181dc0f7c48c110c90ca87
- SSDEEP: 24576:Ynp5kzfilDo0Vu5CZzTmgF9RS+gzEJeoGJ7ohnWepS3iG:QDaiDo0RzTbFgLoWD3z
Malware Config
Signatures
- Detect XtremeRAT payload (5 IoCs)
  Processes: YARA rule family_xtremerat matched five memory dumps of PID 3688, all of the same 0x10000000-0x1004A000 region (the payload is unpacked in the second instance of the sample, not in the launcher):
  - behavioral2/memory/3688-136-0x0000000010000000-0x000000001004A000-memory.dmp
  - behavioral2/memory/3688-137-0x0000000010000000-0x000000001004A000-memory.dmp
  - behavioral2/memory/3688-141-0x0000000010000000-0x000000001004A000-memory.dmp
  - behavioral2/memory/3688-144-0x0000000010000000-0x000000001004A000-memory.dmp
  - behavioral2/memory/3688-145-0x0000000010000000-0x000000001004A000-memory.dmp
  XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe (VirtualBox guests expose a DSDT table named VBOX__; a bare-metal host does not have this key)
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine by f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  - PID 3276: f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe (hides the calling thread's debug events from an attached debugger)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 3276 (f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe) set thread context of PID 3688 (f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe). Combined with the 13 WriteProcessMemory calls from 3276 into 3688 below and the XtremeRAT YARA hits in 3688's memory, this is the classic process-hollowing sequence: spawn a second copy of itself, overwrite it with the payload, then redirect its main thread to the new entry point.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour; for a RAT it is equally consistent with enumerating drives for a remote file manager, so do not read ransomware into this signature on its own.
- Runs net.exe
  The command is net stop MpsSvc, launched through cmd.exe /c (see the process tree). MpsSvc is the Windows Defender Firewall service, so this is an attempt to disable the host firewall; it needs administrative rights to succeed.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  - PID 3276: f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe (10 events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - PID 3276: f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe (2 events)
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe, cmd.exe, net.exe, f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe (second instance)
  Source PID (process) -> target PID (process): number of writes
  - 3276 (f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe) -> 2056 (cmd.exe): 3
  - 3276 (f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe) -> 3688 (f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe): 13
  - 2056 (cmd.exe) -> 4292 (net.exe): 3
  - 4292 (net.exe) -> 2024 (net1.exe): 3
  - 3688 (f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe) -> 1908 (msedge.exe): 3
  Three writes into each of cmd.exe, net.exe and net1.exe is the baseline this sandbox records for an ordinary parent launching a child; the 13 writes from 3276 into its own second instance (3688) are the payload being placed before the SetThreadContext above.
Processes
(PIDs taken from the WriteProcessMemory events above; the numbers 1-4 are the depth in the process tree.)
1. C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe (PID 3276)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 2056)
      Command line: /c net stop MpsSvc
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\net.exe (PID 4292)
         Command line: net stop MpsSvc
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net1.exe (PID 2024)
            Command line: C:\Windows\system32\net1 stop MpsSvc
   2. C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe (PID 3688; second instance, target of the WriteProcessMemory/SetThreadContext events from PID 3276 and the process whose memory matched the XtremeRAT YARA rule)
      Command line: C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1908)
         Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
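The chain recorded in the signatures and the process tree (registry probes for VirtualBox and Wine, ThreadHideFromDebugger, a second copy of the sample that is written to and then redirected with SetThreadContext, and the cmd.exe -> net.exe -> net1.exe stop of MpsSvc) is what a detection pipeline should reconstruct from raw events rather than from the sandbox's pre-baked signature names. The Python below is an added example, not the sandbox's code and not anything from the sample: it runs over a constructed event log whose kind|pid|... layout, PIDs and command lines mirror this report, and flags the anti-analysis probes, the self-hollowing pair, the hollowed process's write into msedge.exe and every link of the firewall-stop chain. The ANTI_ANALYSIS_KEYS table, the FIREWALL_STOP regex and all function names are assumptions made for the example.

```python
"""Reconstruct anti-analysis, self-hollowing and firewall tampering from
sandbox behaviour events.

Added example, not the sandbox's code. The event text is constructed to
mirror this report; the "<kind>|<pid>|..." layout is an assumption.
"""
import re
from collections import Counter

# Constructed events. Layouts:
#   create|parent|child|image|cmdline     regopen|pid|key
#   api|pid|call                          write|src|dst      setctx|src|dst
EVENTS = r"""
create|0|3276|f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe|"C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe"
regopen|3276|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
regopen|3276|\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine
api|3276|NtSetInformationThread(ThreadHideFromDebugger)
create|3276|2056|cmd.exe|C:\Windows\SysWOW64\cmd.exe /c net stop MpsSvc
create|3276|3688|f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe|C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
write|3276|3688
write|3276|3688
setctx|3276|3688
create|2056|4292|net.exe|net stop MpsSvc
create|4292|2024|net1.exe|C:\Windows\system32\net1 stop MpsSvc
create|3688|1908|msedge.exe|"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
write|3688|1908
"""

# Registry paths the sample opened; each is a well-known environment probe.
ANTI_ANALYSIS_KEYS = {
    r"\hardware\acpi\dsdt\vbox__": "VirtualBox ACPI DSDT table (anti-VM)",
    r"\software\wine": "Wine registry key (anti-sandbox)",
}
# MpsSvc is the Windows Defender Firewall service; match net, net.exe or net1.
FIREWALL_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+MpsSvc\b", re.IGNORECASE)


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        f = line.split("|")
        kind, pid = f[0], int(f[1])
        if kind == "create":
            events.append({"kind": kind, "pid": pid, "child": int(f[2]),
                           "image": f[3], "cmdline": f[4]})
        elif kind in ("write", "setctx"):
            events.append({"kind": kind, "pid": pid, "target": int(f[2])})
        else:
            events.append({"kind": kind, "pid": pid, "detail": f[2]})
    return events


def analyse(events):
    """Return (finding_type, pid, detail) tuples."""
    image = {}          # pid -> image name, from create events
    writes = Counter()  # (src, dst) -> number of WriteProcessMemory calls
    setctx = set()      # (src, dst) pairs that saw SetThreadContext
    findings = []
    for ev in events:
        k = ev["kind"]
        if k == "create":
            image[ev["child"]] = ev["image"]
            if FIREWALL_STOP.search(ev["cmdline"]):
                findings.append(("firewall_stop", ev["child"], ev["cmdline"]))
        elif k == "regopen":
            key = ev["detail"].lower()
            for probe, why in ANTI_ANALYSIS_KEYS.items():
                if probe in key:
                    findings.append(("anti_analysis", ev["pid"], why))
        elif k == "api" and "ThreadHideFromDebugger" in ev["detail"]:
            findings.append(("anti_debug", ev["pid"], ev["detail"]))
        elif k == "write":
            writes[(ev["pid"], ev["target"])] += 1
        elif k == "setctx":
            setctx.add((ev["pid"], ev["target"]))
    # Hollowing heuristic: the parent writes into a freshly spawned copy of its
    # own image and then rewrites that process's thread context (entry point).
    for src, dst in sorted(setctx):
        if writes[(src, dst)] and image.get(src) == image.get(dst):
            findings.append(("process_hollowing", dst,
                             f"{src} -> {dst} ({image[dst]}, {writes[(src, dst)]} writes)"))
    # A hollowed process writing into a different image is a second injection stage.
    hollowed = {f[1] for f in findings if f[0] == "process_hollowing"}
    for (src, dst), n in sorted(writes.items()):
        if src in hollowed and image.get(src) != image.get(dst):
            findings.append(("cross_process_write", dst,
                             f"{src} -> {dst} ({image.get(dst)}, {n} writes)"))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in analyse(parse_events(EVENTS)):
        print(f"{kind:20} pid={pid:<5} {detail}")
```

The hollowing rule deliberately requires all three pieces (same image, prior writes, SetThreadContext) so that the ordinary parent-to-child writes into cmd.exe, net.exe and net1.exe in this report are not flagged; on real telemetry you would add the suspended-create flag from the process-creation event as a fourth condition.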
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps, sorted by PID and event sequence number. "mapping" dumps record a process creation; "memory" dumps are snapshots of one address region, with the size the sandbox reports.
- memory/2024-143-0x0000000000000000-mapping.dmp
- memory/2056-134-0x0000000000000000-mapping.dmp
- memory/3276-132-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
- memory/3276-133-0x0000000077390000-0x0000000077533000-memory.dmp: 1.6MB
- memory/3276-138-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
- memory/3276-139-0x0000000077390000-0x0000000077533000-memory.dmp: 1.6MB
- memory/3276-140-0x0000000004660000-0x0000000004664000-memory.dmp: 16KB
- memory/3688-135-0x0000000000000000-mapping.dmp
- memory/3688-136-0x0000000010000000-0x000000001004A000-memory.dmp: 296KB
- memory/3688-137-0x0000000010000000-0x000000001004A000-memory.dmp: 296KB
- memory/3688-141-0x0000000010000000-0x000000001004A000-memory.dmp: 296KB
- memory/3688-144-0x0000000010000000-0x000000001004A000-memory.dmp: 296KB
- memory/3688-145-0x0000000010000000-0x000000001004A000-memory.dmp: 296KB
- memory/4292-142-0x0000000000000000-mapping.dmp
The five 296KB dumps of PID 3688 are the 0x10000000-0x1004A000 region matched by the family_xtremerat rule in the Signatures section; the 0x400000 dumps of PID 3276 are the launcher's own image.
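The dump names encode the PID, the event sequence number and the region's start and end addresses, so the sizes in this list can be recomputed and the repeatedly dumped regions found without opening a single file. The Python below is an added example, not the sandbox's code: it takes the names exactly as listed on this page, and the name parser, the size labelling and the per-region summary are assumptions made for the example.

```python
"""Parse sandbox memory-dump names and recompute the sizes in the Downloads list.

Added example, not the sandbox's code. DUMP_NAMES are copied from the report;
DUMP_RE, human_size and summarize_regions are this example's own helpers.
"""
import re
from collections import defaultdict

DUMP_NAMES = [
    "memory/2024-143-0x0000000000000000-mapping.dmp",
    "memory/2056-134-0x0000000000000000-mapping.dmp",
    "memory/3276-139-0x0000000077390000-0x0000000077533000-memory.dmp",
    "memory/3276-133-0x0000000077390000-0x0000000077533000-memory.dmp",
    "memory/3276-132-0x0000000000400000-0x00000000005DE000-memory.dmp",
    "memory/3276-140-0x0000000004660000-0x0000000004664000-memory.dmp",
    "memory/3276-138-0x0000000000400000-0x00000000005DE000-memory.dmp",
    "memory/3688-135-0x0000000000000000-mapping.dmp",
    "memory/3688-137-0x0000000010000000-0x000000001004A000-memory.dmp",
    "memory/3688-141-0x0000000010000000-0x000000001004A000-memory.dmp",
    "memory/3688-136-0x0000000010000000-0x000000001004A000-memory.dmp",
    "memory/3688-144-0x0000000010000000-0x000000001004A000-memory.dmp",
    "memory/3688-145-0x0000000010000000-0x000000001004A000-memory.dmp",
    "memory/4292-142-0x0000000000000000-mapping.dmp",
]

# <pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  <pid>-<seq>-0x0-mapping.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


def parse_dump_name(name):
    """Return pid, event sequence number, kind and (for region dumps) the bounds."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    d = {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": "mapping"}
    if m["end"] is not None:
        d.update(kind="memory", start=int(m["start"], 16), end=int(m["end"], 16))
        d["size"] = d["end"] - d["start"]
    return d


def human_size(nbytes):
    """Same rounding the report uses for its labels (296KB, 1.6MB, 1.9MB, 16KB)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def summarize_regions(names):
    """Group region dumps by (pid, start, end) and list the snapshots of each.

    A region dumped repeatedly over a process's life (0x10000000 in PID 3688,
    five times here) is where to look first for the unpacked payload; on this
    page it is exactly the region the family_xtremerat YARA rule matched.
    """
    groups = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        if d["kind"] == "memory":
            groups[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return [
        {"pid": pid, "start": start, "end": end, "size": end - start,
         "label": human_size(end - start), "snapshots": sorted(seqs)}
        for (pid, start, end), seqs in sorted(groups.items())
    ]


if __name__ == "__main__":
    for r in summarize_regions(DUMP_NAMES):
        print(f"pid {r['pid']}  0x{r['start']:08X}-0x{r['end']:08X}  "
              f"{r['label']:>6}  snapshots {r['snapshots']}")
```

Run it and compare the recomputed labels against the list above; a mismatch between a name's address range and the reported size would mean the listing, not the sample, is what needs a second look.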