Analysis
-
max time kernel
43s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
24-11-2022 17:50
General
-
Target
e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe
-
Size
984KB
-
MD5
bf5bc2b418ce9347038646c817dc6be0
-
SHA1
15cd243faf6636668c0354a452b070d12e2989c8
-
SHA256
e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615
-
SHA512
9af6545064bb960750db4db2d3b72134c9b6d02111ff9db6d674bdb7167e84a3ad173d3a6de333e95062a472580079457088072255b43aa526f33cfbe7d435d5
-
SSDEEP
24576:Ylq1xySqbsm8H9d734MyZx0gyaestguOqST:maySXm8HjW1yajOFT
Score
10/10
Malware Config
Signatures
-
Detect XtremeRAT payload 11 IoCs
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe"C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exeC:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/692-77-0x0000000000000000-mapping.dmp
-
memory/1500-56-0x0000000000000000-mapping.dmp
-
memory/1708-54-0x0000000000400000-0x00000000005D8000-memory.dmpFilesize
1.8MB
-
memory/1708-55-0x0000000075111000-0x0000000075113000-memory.dmpFilesize
8KB
-
memory/1708-76-0x0000000076FB0000-0x0000000077130000-memory.dmpFilesize
1.5MB
-
memory/1708-73-0x0000000005130000-0x0000000005308000-memory.dmpFilesize
1.8MB
-
memory/1708-71-0x0000000000910000-0x0000000000914000-memory.dmpFilesize
16KB
-
memory/1708-69-0x0000000000400000-0x00000000005D8000-memory.dmpFilesize
1.8MB
-
memory/1708-67-0x0000000076FB0000-0x0000000077130000-memory.dmpFilesize
1.5MB
-
memory/1860-65-0x0000000000000000-mapping.dmp
-
memory/1928-63-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-64-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-62-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-61-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-70-0x000000001000D0F4-mapping.dmp
-
memory/1928-68-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-60-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-75-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-72-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-58-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-57-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-78-0x0000000010000000-0x000000001004A000-memory.dmpFilesize
296KB
-
memory/1928-79-0x0000000000400000-0x00000000005D8000-memory.dmpFilesize
1.8MB