Analysis

max time kernel: 131s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 17:37
Static task: static1

Behavioral task: behavioral1
Sample: a8fbf6e88569331b344cbde17bb9269d5621e672a74a86e896b9bd30755be827.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: a8fbf6e88569331b344cbde17bb9269d5621e672a74a86e896b9bd30755be827.exe
Resource: win10v2004-20220812-en

Every IoC listed under Signatures below references behavioral2, the Windows 10 run.
General

Target: a8fbf6e88569331b344cbde17bb9269d5621e672a74a86e896b9bd30755be827.exe
Size: 902KB
MD5: 0b0afbc1eb5c9a1748b8f1371887e84c
SHA1: 4cadb39e4270e7a4cf226975ba5ce0bfbad59192
SHA256: a8fbf6e88569331b344cbde17bb9269d5621e672a74a86e896b9bd30755be827
SHA512: 73c1a78fe4d87d505ed08da838455f371c65ac556bcc392585a2667d288398ba81aa5faae597c1916c7cef6df72a49cc1725b9cbe3f6a141882fadae79cd84d4
SSDEEP: 24576:Z4lavt0LkLL9IMixoEgea5DJ4Bq9MmCS:okwkn9IMHea5DJsaPCS
Malware Config

Extracted family: xtremerat
C2 host: bt-root.ddns.net (a dynamic-DNS name, so resolve it at investigation time rather than pivoting on a cached IP)
Signatures

Detect XtremeRAT payload (5 IoCs)
yara rule family_xtremerat matched in:
- behavioral2/memory/4508-135-0x0000000000000000-mapping.dmp
- behavioral2/memory/3376-136-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral2/memory/4508-137-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral2/memory/3376-138-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral2/memory/4508-139-0x0000000010000000-0x000000001004D000-memory.dmp
The same rule fires on the same 0x10000000-0x1004D000 region in both 538.exe (PID 3376) and svchost.exe (PID 4508). Read together with the WriteProcessMemory events from 3376 into 4508 listed below, this indicates the payload was mapped into svchost.exe by 538.exe rather than svchost.exe running as a legitimate service host.
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

Executes dropped EXE (1 IoC)
PID 3376: 538.exe

UPX-packed (yara rule upx, 6 IoCs)
- behavioral2/files/0x0007000000022e05-133.dat
- behavioral2/files/0x0007000000022e05-134.dat
- behavioral2/memory/3376-136-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral2/memory/4508-137-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral2/memory/3376-138-0x0000000010000000-0x000000001004D000-memory.dmp
- behavioral2/memory/4508-139-0x0000000010000000-0x000000001004D000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Process: a8fbf6e88569331b344cbde17bb9269d5621e672a74a86e896b9bd30755be827.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's description calls this likely ransomware behaviour, but that text is generic: for a sample already identified as XtremeRAT, drive enumeration is equally consistent with a RAT's built-in file manager walking the victim's volumes.
Program crash (2 IoCs)
- PID 3900 (WerFault.exe) handled a crash of PID 4508, procid_target 82
- PID 4692 (WerFault.exe) handled a crash of PID 4508, procid_target 82
PID 4508 is the svchost.exe instance that 538.exe wrote to (see the WriteProcessMemory table and process tree below).
Suspicious use of WriteProcessMemory (10 IoCs)
- PID 1744 (a8fbf6e88569331b344cbde17bb9269d5621e672a74a86e896b9bd30755be827.exe) wrote to memory of PID 3376 (538.exe), 3 events, procid_target 80
- PID 3376 (538.exe) wrote to memory of PID 4508 (svchost.exe), 4 events, procid_target 82
- PID 3376 (538.exe) wrote to memory of PID 3036 (msedge.exe), 3 events, procid_target 83
Processes

The number before each entry is its depth in the tree; cmdline is the command line the sandbox recorded.

1. C:\Users\Admin\AppData\Local\Temp\a8fbf6e88569331b344cbde17bb9269d5621e672a74a86e896b9bd30755be827.exe (PID 1744)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\a8fbf6e88569331b344cbde17bb9269d5621e672a74a86e896b9bd30755be827.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\538\538.exe (PID 3376)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\538\538.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe (PID 4508)
         cmdline: svchost.exe
         4. C:\Windows\SysWOW64\WerFault.exe (PID 3900)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 488
            - Program crash
         4. C:\Windows\SysWOW64\WerFault.exe (PID 4692)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 348
            - Program crash
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3036)
         cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1. C:\Windows\SysWOW64\WerFault.exe (PID 4248)
   cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4508 -ip 4508
1. C:\Windows\SysWOW64\WerFault.exe (PID 4716)
   cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4508 -ip 4508

Two details of this tree are worth hunting for on real hosts. First, svchost.exe (PID 4508) is the 32-bit SysWOW64 copy, its parent is a dropped executable in the user's Temp directory rather than services.exe, and its command line is a bare "svchost.exe" with no -k service-group argument; legitimate service hosts are started by services.exe with -k. Second, 538.exe also started msedge.exe (PID 3036) and wrote to its memory, so the browser process is a second injection target in this run, not user activity.
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped file (listed twice in the report with identical hashes)
Filesize: 33KB
MD5: 45359d47690a523444e4de78968d4c7e
SHA1: 6e091358bf3dc4be417ed1a3d666892a8a0e76f4
SHA256: 4bb9e27647b985da39aa1fe463c3650df847ab03458443927ffa7f85830b6967
SHA512: 4d48cd74ed0fdc6e6d2a53a7629b331e8b4e0612908bbdfa7b02861517bea075938f0af66138ac99e82ab990d76cc78f53a9434478c6c58e5b7b653a494d63e9