Overview

overview

10

Static

static

cfc440d88a...59.exe

windows7-x64

10

cfc440d88a...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359.exe

  • Size

    980KB

  • MD5

    409a8d80d84aa23fedb10b49160051d9

  • SHA1

    4aa47235e60cfc78040360e9840c2f9a55f0d67a

  • SHA256

    cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359

  • SHA512

    2ebcba46759db8efff11490d2771057e9119ca6273fbc38f5a53b13916639d01532672620d9d27f2d9e5f221c48c2b45869fb8362a93d849eef7b18404dcab3a

  • SSDEEP

    24576:YTLHLXccWMukmi4AQ7CsVbqQr/kV8u69fUg:QLMBRuQus/4V8uib

Score
10/10
xtremeratevasionpersistenceratspyware

Malware Config

Signatures

  • Detect XtremeRAT payload 11 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359.exe
    "C:\Users\Admin\AppData\Local\Temp\cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MpsSvc
          4⤵
            PID:896
      • C:\Users\Admin\AppData\Local\Temp\cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359.exe
        C:\Users\Admin\AppData\Local\Temp\cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:1208

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/896-76-0x0000000000000000-mapping.dmp

        Download

      • memory/968-65-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-63-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-68-0x000000001000D0F4-mapping.dmp

        Download

      • memory/968-59-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-61-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-58-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-62-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-72-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-69-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-67-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-79-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-78-0x0000000000400000-0x00000000005D7000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/968-64-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/968-77-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/1676-74-0x0000000077600000-0x0000000077780000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1676-56-0x00000000764D1000-0x00000000764D3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1676-75-0x00000000003F0000-0x00000000003F4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1676-55-0x0000000077600000-0x0000000077780000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1676-70-0x0000000000400000-0x00000000005D7000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1676-54-0x0000000000400000-0x00000000005D7000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1740-57-0x0000000000000000-mapping.dmp

        Download

      • memory/1764-73-0x0000000000000000-mapping.dmp

        Download