Overview

overview

10

Static

static

e429ae45e4...15.exe

windows7-x64

10

e429ae45e4...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 17:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe

  • Size

    984KB

  • MD5

    bf5bc2b418ce9347038646c817dc6be0

  • SHA1

    15cd243faf6636668c0354a452b070d12e2989c8

  • SHA256

    e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615

  • SHA512

    9af6545064bb960750db4db2d3b72134c9b6d02111ff9db6d674bdb7167e84a3ad173d3a6de333e95062a472580079457088072255b43aa526f33cfbe7d435d5

  • SSDEEP

    24576:Ylq1xySqbsm8H9d734MyZx0gyaestguOqST:maySXm8HjW1yajOFT

Score
10/10
xtremeratevasionpersistenceratspyware

Malware Config

Signatures

  • Detect XtremeRAT payload 5 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe
    "C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3968
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MpsSvc
          4⤵
            PID:4584
      • C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe
        C:\Users\Admin\AppData\Local\Temp\e429ae45e4b0e8825a4b6a7c74edddbda64f76509ffa19513aebeaf631331615.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          3⤵
            PID:4380

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3968-144-0x0000000000000000-mapping.dmp
        Download
      • memory/4584-145-0x0000000000000000-mapping.dmp
        Download
      • memory/4960-141-0x0000000077160000-0x0000000077303000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4960-132-0x0000000000400000-0x00000000005D8000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4960-133-0x0000000077160000-0x0000000077303000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4960-134-0x0000000000400000-0x00000000005D8000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4960-135-0x0000000002430000-0x0000000002434000-memory.dmp
        Filesize

        16KB

        Download
      • memory/4960-140-0x0000000000400000-0x00000000005D8000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4980-138-0x0000000010000000-0x000000001004A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/4980-139-0x0000000010000000-0x000000001004A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/4980-142-0x0000000000400000-0x00000000005D8000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4980-143-0x0000000010000000-0x000000001004A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/4980-137-0x0000000000000000-mapping.dmp
        Download
      • memory/4980-146-0x0000000010000000-0x000000001004A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/4980-147-0x0000000010000000-0x000000001004A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/5028-136-0x0000000000000000-mapping.dmp
        Download