Analysis
- max time kernel: 112s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 17:50

Static task: static1

Behavioral task: behavioral1
- Sample: e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe
- Resource: win10v2004-20220812-en
General
- Target: e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe
- Size: 984KB
- MD5: bf5bc2b418ce9347038646c817dc6be0
- SHA1: 15cd243faf6636668c0354a452b070d12e2989c8
- SHA256: e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615
- SHA512: 9af6545064bb960750db4db2d3b72134c9b6d02111ff9db6d674bdb7167e84a3ad173d3a6de333e95062a472580079457088072255b43aa526f33cfbe7d435d5
- SSDEEP: 24576:Ylq1xySqbsm8H9d734MyZx0gyaestguOqST:maySXm8HjW1yajOFT
Malware Config
Signatures

Detect XtremeRAT payload (5 IoCs)
Processes:

| resource | yara_rule |
|---|---|
| behavioral2/memory/4980-138-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat |
| behavioral2/memory/4980-139-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat |
| behavioral2/memory/4980-143-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat |
| behavioral2/memory/4980-146-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat |
| behavioral2/memory/4980-147-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat |
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:

| pid | process |
|---|---|
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |

Suspicious use of SetThreadContext (1 IoCs)
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 4960 set thread context of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:

| pid | process |
|---|---|
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:

| pid | process |
|---|---|
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |

Suspicious use of WriteProcessMemory (25 IoCs)
Processes: e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe, cmd.exe, net.exe, e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 4960 wrote to memory of 5028 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | cmd.exe |
| PID 4960 wrote to memory of 5028 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | cmd.exe |
| PID 4960 wrote to memory of 5028 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | cmd.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 4960 wrote to memory of 4980 | 4960 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe |
| PID 5028 wrote to memory of 3968 | 5028 | cmd.exe | net.exe |
| PID 5028 wrote to memory of 3968 | 5028 | cmd.exe | net.exe |
| PID 5028 wrote to memory of 3968 | 5028 | cmd.exe | net.exe |
| PID 3968 wrote to memory of 4584 | 3968 | net.exe | net1.exe |
| PID 3968 wrote to memory of 4584 | 3968 | net.exe | net1.exe |
| PID 3968 wrote to memory of 4584 | 3968 | net.exe | net1.exe |
| PID 4980 wrote to memory of 4380 | 4980 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | msedge.exe |
| PID 4980 wrote to memory of 4380 | 4980 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | msedge.exe |
| PID 4980 wrote to memory of 4380 | 4980 | e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe | msedge.exe |
Processes (process tree; the number in parentheses is the nesting depth)

- (1) C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - (2) C:\Windows\SysWOW64\cmd.exe
    Command line: /c net stop MpsSvc
    Signatures:
    - Suspicious use of WriteProcessMemory

    - (3) C:\Windows\SysWOW64\net.exe
      Command line: net stop MpsSvc
      Signatures:
      - Suspicious use of WriteProcessMemory

      - (4) C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MpsSvc

  - (2) C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe
    Signatures:
    - Suspicious use of WriteProcessMemory

    - (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

| dump | filesize |
|---|---|
| memory/3968-144-0x0000000000000000-mapping.dmp | |
| memory/4584-145-0x0000000000000000-mapping.dmp | |
| memory/4960-141-0x0000000077160000-0x0000000077303000-memory.dmp | 1.6MB |
| memory/4960-132-0x0000000000400000-0x00000000005D8000-memory.dmp | 1.8MB |
| memory/4960-133-0x0000000077160000-0x0000000077303000-memory.dmp | 1.6MB |
| memory/4960-134-0x0000000000400000-0x00000000005D8000-memory.dmp | 1.8MB |
| memory/4960-135-0x0000000002430000-0x0000000002434000-memory.dmp | 16KB |
| memory/4960-140-0x0000000000400000-0x00000000005D8000-memory.dmp | 1.8MB |
| memory/4980-138-0x0000000010000000-0x000000001004A000-memory.dmp | 296KB |
| memory/4980-139-0x0000000010000000-0x000000001004A000-memory.dmp | 296KB |
| memory/4980-142-0x0000000000400000-0x00000000005D8000-memory.dmp | 1.8MB |
| memory/4980-143-0x0000000010000000-0x000000001004A000-memory.dmp | 296KB |
| memory/4980-137-0x0000000000000000-mapping.dmp | |
| memory/4980-146-0x0000000010000000-0x000000001004A000-memory.dmp | 296KB |
| memory/4980-147-0x0000000010000000-0x000000001004A000-memory.dmp | 296KB |
| memory/5028-136-0x0000000000000000-mapping.dmp | |