Overview

overview

10

Static

static

1920d2d779...1a.exe

windows7-x64

10

1920d2d779...1a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 04:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe

  • Size

    1004KB

  • MD5

    ac9f763e91e7a45b541cc5d46947e9db

  • SHA1

    ea043d1326925faf827e529ccb304281b9137914

  • SHA256

    1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a

  • SHA512

    e3ab77da18869d9a5908aeec2acd49809c3062c5617f09d06d74228ba5d37be8741dcdfbbcbc549c99ad5ac03fb4fceceade7cf32a1733f2af4561d184ea17a4

  • SSDEEP

    24576:Yb9mF2c+YdlItkGOinouiRYm1I1y4sIfDTSoUA+stJXVmaip9wV:g46YnEkgoim8s0est11V

Score
10/10
xtremeratevasionpersistenceratspyware

Malware Config

Signatures

  • Detect XtremeRAT payload 4 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
    "C:\Users\Admin\AppData\Local\Temp\1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MpsSvc
          4⤵
            PID:1768
      • C:\Users\Admin\AppData\Local\Temp\1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
        C:\Users\Admin\AppData\Local\Temp\1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:356
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          3⤵
            PID:1824

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/356-138-0x0000000010000000-0x000000001004A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/356-134-0x0000000000000000-mapping.dmp
        Download
      • memory/356-135-0x0000000010000000-0x000000001004A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/356-136-0x0000000010000000-0x000000001004A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/356-141-0x0000000000400000-0x00000000005E1000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/356-144-0x0000000010000000-0x000000001004A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/1768-143-0x0000000000000000-mapping.dmp
        Download
      • memory/2780-133-0x0000000000000000-mapping.dmp
        Download
      • memory/3564-137-0x0000000000400000-0x00000000005E1000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/3564-132-0x0000000000400000-0x00000000005E1000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/3564-140-0x0000000004550000-0x0000000004554000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3564-139-0x0000000077560000-0x0000000077703000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4588-142-0x0000000000000000-mapping.dmp
        Download