Analysis
-
max time kernel
135s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
25-11-2022 15:33
General
-
Target
c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
-
Size
526KB
-
MD5
5109339d6fbcf467a9d50cd9e092c480
-
SHA1
819f1177d29584624eb9b1b9c219f550b068125b
-
SHA256
c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7
-
SHA512
0ff6c31444662eb8e8322f676f735f5a3a288c9c8b587592d2f9d40ab2cba0c3ac7c4379d84c7a24565ca588f85b5b6302bf5896cc19d3bf4033504486d16129
-
SSDEEP
12288:Feo9tmBXojQaRK+nm7tqpVCm257KzQWFUrZAf05pVMSr:0h4jQaR5nmheg57XCULLVM
Malware Config
Signatures
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe"C:\Users\Admin\AppData\Local\Temp\c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe"C:\Users\Admin\AppData\Local\Temp\c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Windows\{90783-8547-9081-90}\appinit.exe"C:\Windows\{90783-8547-9081-90}\appinit.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\{90783-8547-9081-90}\appinit.exe"C:\Windows\{90783-8547-9081-90}\appinit.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Adds Run key to start application
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\G5lZfyWn78ljg6\G5lZfyWn78ljg6.datFilesize
2B
MD593e00066d099c0485cfffa1359246d26
SHA1bc69a773f37b2f2071e25f755a66d47b871e5d98
SHA2563b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde
SHA512d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\G5lZfyWn78ljg6\G5lZfyWn78ljg6.nfoFilesize
3KB
MD5f7fae5c69b6ae78f297542f1c1405dcf
SHA1e275446b5bff321022e3833f67f63d1d0cca3883
SHA256c13949237267afdf33459d743748646af80dd77f291f0a0644b9edb7953a0d94
SHA512953f4f55494e58273a0d371db6cfcc10a18e9374d411eb8ae5e469c7a80bf706940ad1569a475a8c52d5e43ab7127c2206831d7aec97f6a3bc8defa67e8c65f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\G5lZfyWn78ljg6\G5lZfyWn78ljg6.nfoFilesize
3KB
MD5f7fae5c69b6ae78f297542f1c1405dcf
SHA1e275446b5bff321022e3833f67f63d1d0cca3883
SHA256c13949237267afdf33459d743748646af80dd77f291f0a0644b9edb7953a0d94
SHA512953f4f55494e58273a0d371db6cfcc10a18e9374d411eb8ae5e469c7a80bf706940ad1569a475a8c52d5e43ab7127c2206831d7aec97f6a3bc8defa67e8c65f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\G5lZfyWn78ljg6\G5lZfyWn78ljg6.svrFilesize
358KB
MD5ad69242f4bf9548496051bd95ac05e1e
SHA1913292f6b83adf41337fd50201ad341500abc8b0
SHA2562663fdfe0fe4c37532f919282d035579bf84a895be5971982437cffbd41bdb1b
SHA51209bed3adc8427e4aeec4e32dfd0640da71d2839b62973e4bae94f0965c5836028511295d99be878af388789fc020117972c3cf51d5a2ef1899aeb9d43c2fd94e
-
C:\Windows\{90783-8547-9081-90}\appinit.exeFilesize
526KB
MD55109339d6fbcf467a9d50cd9e092c480
SHA1819f1177d29584624eb9b1b9c219f550b068125b
SHA256c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7
SHA5120ff6c31444662eb8e8322f676f735f5a3a288c9c8b587592d2f9d40ab2cba0c3ac7c4379d84c7a24565ca588f85b5b6302bf5896cc19d3bf4033504486d16129
-
C:\Windows\{90783-8547-9081-90}\appinit.exeFilesize
526KB
MD55109339d6fbcf467a9d50cd9e092c480
SHA1819f1177d29584624eb9b1b9c219f550b068125b
SHA256c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7
SHA5120ff6c31444662eb8e8322f676f735f5a3a288c9c8b587592d2f9d40ab2cba0c3ac7c4379d84c7a24565ca588f85b5b6302bf5896cc19d3bf4033504486d16129
-
C:\Windows\{90783-8547-9081-90}\appinit.exeFilesize
526KB
MD55109339d6fbcf467a9d50cd9e092c480
SHA1819f1177d29584624eb9b1b9c219f550b068125b
SHA256c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7
SHA5120ff6c31444662eb8e8322f676f735f5a3a288c9c8b587592d2f9d40ab2cba0c3ac7c4379d84c7a24565ca588f85b5b6302bf5896cc19d3bf4033504486d16129
-
memory/3504-158-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/3504-156-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/3504-153-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/3504-166-0x00000000016C5000-0x000000000171E000-memory.dmpFilesize
356KB
-
memory/3504-154-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/3504-165-0x00000000016C5000-0x000000000171E000-memory.dmpFilesize
356KB
-
memory/3504-163-0x00000000016C5000-0x000000000171E000-memory.dmpFilesize
356KB
-
memory/3504-157-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/3504-159-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/3504-164-0x0000000001611000-0x00000000016C5000-memory.dmpFilesize
720KB
-
memory/3504-151-0x0000000000000000-mapping.dmp
-
memory/3504-152-0x0000000001610000-0x0000000001720000-memory.dmpFilesize
1.1MB
-
memory/3876-141-0x0000000000000000-mapping.dmp
-
memory/3876-162-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/3876-149-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/4596-142-0x0000000072E80000-0x0000000073431000-memory.dmpFilesize
5.7MB
-
memory/4596-145-0x0000000072E80000-0x0000000073431000-memory.dmpFilesize
5.7MB
-
memory/4596-138-0x0000000000000000-mapping.dmp
-
memory/4904-148-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/4904-137-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/4904-134-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/4904-133-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/4904-132-0x0000000000000000-mapping.dmp
-
memory/4904-136-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/4908-135-0x00000000753A0000-0x0000000075951000-memory.dmpFilesize
5.7MB