Analysis
- max time kernel: 112s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
  Resource: win10v2004-20220901-en
General
- Target: 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
- Size: 1004KB
- MD5: ac9f763e91e7a45b541cc5d46947e9db
- SHA1: ea043d1326925faf827e529ccb304281b9137914
- SHA256: 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a
- SHA512: e3ab77da18869d9a5908aeec2acd49809c3062c5617f09d06d74228ba5d37be8741dcdfbbcbc549c99ad5ac03fb4fceceade7cf32a1733f2af4561d184ea17a4
- SSDEEP: 24576:Yb9mF2c+YdlItkGOinouiRYm1I1y4sIfDTSoUA+stJXVmaip9wV:g46YnEkgoim8s0est11V
Malware Config
Signatures
- Detect XtremeRAT payload (4 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/356-135-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
    behavioral2/memory/356-136-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
    behavioral2/memory/356-138-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
    behavioral2/memory/356-144-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Wine | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    pid | process
    3564 | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 3564 set thread context of 356 | 3564 | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
    pid | process
    3564 | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe (10 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid | process
    3564 | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes:
    description | pid | process | target process
    PID 3564 wrote to memory of 2780 | 3564 | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe | cmd.exe (3 identical entries)
    PID 3564 wrote to memory of 356 | 3564 | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe (13 identical entries)
    PID 2780 wrote to memory of 4588 | 2780 | cmd.exe | net.exe (3 identical entries)
    PID 4588 wrote to memory of 1768 | 4588 | net.exe | net1.exe (3 identical entries)
    PID 356 wrote to memory of 1824 | 356 | 1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe | msedge.exe (3 identical entries)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: /c net stop MpsSvc
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\net.exe
      Command line: net stop MpsSvc
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MpsSvc
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1920d2d779f35775563fab909cb58a89e1befee4cc91ba4c6eb636917a805a1a.exe
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/356-138-0x0000000010000000-0x000000001004A000-memory.dmp (Filesize: 296KB)
- memory/356-134-0x0000000000000000-mapping.dmp
- memory/356-135-0x0000000010000000-0x000000001004A000-memory.dmp (Filesize: 296KB)
- memory/356-136-0x0000000010000000-0x000000001004A000-memory.dmp (Filesize: 296KB)
- memory/356-141-0x0000000000400000-0x00000000005E1000-memory.dmp (Filesize: 1.9MB)
- memory/356-144-0x0000000010000000-0x000000001004A000-memory.dmp (Filesize: 296KB)
- memory/1768-143-0x0000000000000000-mapping.dmp
- memory/2780-133-0x0000000000000000-mapping.dmp
- memory/3564-137-0x0000000000400000-0x00000000005E1000-memory.dmp (Filesize: 1.9MB)
- memory/3564-132-0x0000000000400000-0x00000000005E1000-memory.dmp (Filesize: 1.9MB)
- memory/3564-140-0x0000000004550000-0x0000000004554000-memory.dmp (Filesize: 16KB)
- memory/3564-139-0x0000000077560000-0x0000000077703000-memory.dmp (Filesize: 1.6MB)
- memory/4588-142-0x0000000000000000-mapping.dmp