Overview

overview

10

Static

static

cfc440d88a...59.exe

windows7-x64

10

cfc440d88a...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359.exe

  • Size

    980KB

  • MD5

    409a8d80d84aa23fedb10b49160051d9

  • SHA1

    4aa47235e60cfc78040360e9840c2f9a55f0d67a

  • SHA256

    cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359

  • SHA512

    2ebcba46759db8efff11490d2771057e9119ca6273fbc38f5a53b13916639d01532672620d9d27f2d9e5f221c48c2b45869fb8362a93d849eef7b18404dcab3a

  • SSDEEP

    24576:YTLHLXccWMukmi4AQ7CsVbqQr/kV8u69fUg:QLMBRuQus/4V8uib

Score
10/10
xtremeratevasionpersistenceratspyware

Malware Config

Signatures

  • Detect XtremeRAT payload 5 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359.exe
    "C:\Users\Admin\AppData\Local\Temp\cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MpsSvc
          4⤵
            PID:2296
      • C:\Users\Admin\AppData\Local\Temp\cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359.exe
        C:\Users\Admin\AppData\Local\Temp\cfc440d88a6d4f34035e9a9b2cbe63e5628f01f0e893370cd66cdd9c9725e359.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          3⤵
            PID:2488

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2296-144-0x0000000000000000-mapping.dmp

        Download

      • memory/2752-143-0x0000000000000000-mapping.dmp

        Download

      • memory/3640-135-0x0000000000000000-mapping.dmp

        Download

      • memory/3748-136-0x0000000000000000-mapping.dmp

        Download

      • memory/3748-137-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/3748-138-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/3748-139-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/3748-145-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/3748-146-0x0000000000400000-0x00000000005D7000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3748-147-0x0000000010000000-0x000000001004A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/5076-132-0x0000000000400000-0x00000000005D7000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/5076-141-0x0000000077290000-0x0000000077433000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/5076-142-0x0000000004530000-0x0000000004534000-memory.dmp

        Filesize

        16KB

        Download

      • memory/5076-140-0x0000000000400000-0x00000000005D7000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/5076-134-0x0000000077290000-0x0000000077433000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/5076-133-0x0000000000400000-0x00000000005D7000-memory.dmp

        Filesize

        1.8MB

        Download