Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 23:46
Static task
static1
Behavioral task
behavioral1
Sample
54538345681f03dfee0439fe6a48152b0684c049efa1db121c026be37e056af1.rar
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
54538345681f03dfee0439fe6a48152b0684c049efa1db121c026be37e056af1.rar
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
IDM 6.21 Build 17/Patch/1.internet.download.manager.v6-patch.exe
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
IDM 6.21 Build 17/Patch/1.internet.download.manager.v6-patch.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
IDM 6.21 Build 17/idman621build17.exe
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
IDM 6.21 Build 17/idman621build17.exe
Resource
win10v2004-20220901-en
General
Target: IDM 6.21 Build 17/idman621build17.exe
Size: 6.3MB
MD5: 7f66b63ae030d04a43178df57bb78b1a
SHA1: 8605715d8de48241315ec8fcfb91a8380f6776c1
SHA256: b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7
SHA512: 4a0590a23c10dd257692e1f4497912935556d4e152fe09ecd1eb2531fba0ee80a079c589068315623ff660c8e5c99871d68a4d48fecfc7ed579081c5e77def46
SSDEEP: 98304:A1RaZKOTNyQE17hjs+USipFnLSXF9v8CqLoiLwst/IxZsQU3wDkAaXnmkhD:4aZXTLcVs+upF4Lv8CqSstUKQU1lL5
Malware Config
Extracted
xtremerat
remotedesktop11.no-ip.info
Signatures
Detect XtremeRAT payload (3 IoCs)
resource | yara_rule
behavioral6/memory/1124-142-0x0000000000000000-mapping.dmp | family_xtremerat
behavioral6/memory/3320-144-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral6/memory/1124-145-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
ModiLoader Second Stage (2 IoCs)
resource | yara_rule
behavioral6/memory/1184-143-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral6/memory/908-152-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
Executes dropped EXE (7 IoCs)
pid | process
1184 | 11293.exe
1568 | 30730.exe
3320 | 25722.exe
908 | AdobeART.exe
3824 | winlog.exe
4648 | 93147.exe
3572 | IDM1.tmp
upx yara rule matches (10 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\11293.exe | upx
C:\Users\Admin\AppData\Local\Temp\11293.exe | upx
C:\Users\Admin\AppData\Local\Temp\25722.exe | upx
C:\Users\Admin\AppData\Local\Temp\25722.exe | upx
behavioral6/memory/1184-143-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral6/memory/3320-144-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral6/memory/1124-145-0x0000000010000000-0x000000001004D000-memory.dmp | upx
C:\Users\Admin\AppData\Roaming\AdobeART.exe | upx
C:\Users\Admin\AppData\Roaming\AdobeART.exe | upx
behavioral6/memory/908-152-0x0000000000400000-0x0000000000414000-memory.dmp | upx
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | idman621build17.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 11293.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 30730.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe" | AdobeART.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | winlog.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlog.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlog.exe" | winlog.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
pid | pid_target | process | target process
1564 | 1124 | WerFault.exe | svchost.exe
3564 | 1124 | WerFault.exe | svchost.exe
Modifies registry class (1 IoC)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 30730.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 4016 | idman621build17.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | process | target process
PID 4016 wrote to memory of 1184 | 4016 | idman621build17.exe | 11293.exe
PID 4016 wrote to memory of 1184 | 4016 | idman621build17.exe | 11293.exe
PID 4016 wrote to memory of 1184 | 4016 | idman621build17.exe | 11293.exe
PID 4016 wrote to memory of 1568 | 4016 | idman621build17.exe | 30730.exe
PID 4016 wrote to memory of 1568 | 4016 | idman621build17.exe | 30730.exe
PID 4016 wrote to memory of 1568 | 4016 | idman621build17.exe | 30730.exe
PID 4016 wrote to memory of 3320 | 4016 | idman621build17.exe | 25722.exe
PID 4016 wrote to memory of 3320 | 4016 | idman621build17.exe | 25722.exe
PID 4016 wrote to memory of 3320 | 4016 | idman621build17.exe | 25722.exe
PID 3320 wrote to memory of 1124 | 3320 | 25722.exe | svchost.exe
PID 3320 wrote to memory of 1124 | 3320 | 25722.exe | svchost.exe
PID 3320 wrote to memory of 1124 | 3320 | 25722.exe | svchost.exe
PID 3320 wrote to memory of 1124 | 3320 | 25722.exe | svchost.exe
PID 3320 wrote to memory of 640 | 3320 | 25722.exe | msedge.exe
PID 3320 wrote to memory of 640 | 3320 | 25722.exe | msedge.exe
PID 3320 wrote to memory of 640 | 3320 | 25722.exe | msedge.exe
PID 1184 wrote to memory of 908 | 1184 | 11293.exe | AdobeART.exe
PID 1184 wrote to memory of 908 | 1184 | 11293.exe | AdobeART.exe
PID 1184 wrote to memory of 908 | 1184 | 11293.exe | AdobeART.exe
PID 1568 wrote to memory of 3824 | 1568 | 30730.exe | winlog.exe
PID 1568 wrote to memory of 3824 | 1568 | 30730.exe | winlog.exe
PID 1568 wrote to memory of 3824 | 1568 | 30730.exe | winlog.exe
PID 4016 wrote to memory of 4648 | 4016 | idman621build17.exe | 93147.exe
PID 4016 wrote to memory of 4648 | 4016 | idman621build17.exe | 93147.exe
PID 4016 wrote to memory of 4648 | 4016 | idman621build17.exe | 93147.exe
PID 4648 wrote to memory of 3572 | 4648 | 93147.exe | IDM1.tmp
PID 4648 wrote to memory of 3572 | 4648 | 93147.exe | IDM1.tmp
PID 4648 wrote to memory of 3572 | 4648 | 93147.exe | IDM1.tmp
Processes
C:\Users\Admin\AppData\Local\Temp\IDM 6.21 Build 17\idman621build17.exe (PID 4016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IDM 6.21 Build 17\idman621build17.exe"
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\11293.exe (PID 1184)
    Command line: "C:\Users\Admin\AppData\Local\Temp\11293.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\AdobeART.exe (PID 908)
      Command line: "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application
  C:\Users\Admin\AppData\Local\Temp\30730.exe (PID 1568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\30730.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe (PID 3824)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application
  C:\Users\Admin\AppData\Local\Temp\25722.exe (PID 3320)
    Command line: "C:\Users\Admin\AppData\Local\Temp\25722.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 1124)
      Command line: svchost.exe
      C:\Windows\SysWOW64\WerFault.exe (PID 1564)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 484
        Signatures: Program crash
      C:\Windows\SysWOW64\WerFault.exe (PID 3564)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 504
        Signatures: Program crash
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 640)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  C:\Users\Admin\AppData\Local\Temp\93147.exe (PID 4648)
    Command line: "C:\Users\Admin\AppData\Local\Temp\93147.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp (PID 3572)
      Command line: "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
      Signatures: Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe (PID 2228)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1124 -ip 1124
C:\Windows\SysWOW64\WerFault.exe (PID 3096)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1124 -ip 1124
Downloads
-
C:\Users\Admin\AppData\Local\Temp\11293.exe
Filesize: 18KB
MD5: f30c2e06f7cf7477666464e5b2073edd
SHA1: 250ad655475c0fe6c9da849e7ef8717ee204def9
SHA256: a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758
SHA512: 232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df
-
C:\Users\Admin\AppData\Local\Temp\25722.exe
Filesize: 33KB
MD5: e131dc8199e0dbe6a6eeec0766843ed5
SHA1: 0da7ff2a654a45a54fcaa6018faebe05e13c2648
SHA256: 243d00f021be7a7f38949e42d0fa15b0878855673857a6489666769c7698f316
SHA512: c75337c0556a2cbcc3eca8923b657c1cb79a12cfd3defce7427a0537f81a901124891677758394a20a5ed9857e2e84a64853ee77e9302b587816bc0071dc7fde
-
C:\Users\Admin\AppData\Local\Temp\30730.exe
Filesize: 141KB
MD5: 1951f07d6c54d91f4ea2b3f1ff33c8c8
SHA1: 0e60cd436e7d5c79c30c8901fa32663b493050d6
SHA256: 5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473
SHA512: 7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0
-
C:\Users\Admin\AppData\Local\Temp\93147.exe
Filesize: 6.1MB
MD5: f24a3484dde51c6495dca7b21450d011
SHA1: 641d93056aa4dcdca292dbb571693a27bbafb6ba
SHA256: 8fe784aeff05522dce528702866178075daa7f4eb0ea1bb2949702118ae16cc3
SHA512: e168b53dc1d71a08e1ee745869867ecf2b4d66be6b07083180a5648047226491849e6e8a1418c936af0d4943927da7764148d38f5998b06b1d13315f78ebd39f
-
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
Filesize: 175KB
MD5: 95dc303033dc07fe499f50e5fb4dc167
SHA1: 99359db6ecf799eaa96aa68657636cee8e3f162c
SHA256: 9f71d3d58daa0bd5ad1c47094c609405ac1c58099a2249f24ee2b9c062d60bd9
SHA512: d33186151e825bc6bfa36a700ac40315faa9c35e26b9ab07d25332ab0a06c6d6119de8920bff6bc9b350a1b67c9534e43948ad51249d208ded535143a5462707
-
C:\Users\Admin\AppData\Roaming\AdobeART.exe
Filesize: 18KB
MD5: f30c2e06f7cf7477666464e5b2073edd
SHA1: 250ad655475c0fe6c9da849e7ef8717ee204def9
SHA256: a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758
SHA512: 232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df
-
C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize: 141KB
MD5: 1951f07d6c54d91f4ea2b3f1ff33c8c8
SHA1: 0e60cd436e7d5c79c30c8901fa32663b493050d6
SHA256: 5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473
SHA512: 7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0
-
memory/908-152-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize: 80KB
-
memory/908-146-0x0000000000000000-mapping.dmp
-
memory/1124-145-0x0000000010000000-0x000000001004D000-memory.dmp
Filesize: 308KB
-
memory/1124-142-0x0000000000000000-mapping.dmp
-
memory/1184-133-0x0000000000000000-mapping.dmp
-
memory/1184-143-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize: 80KB
-
memory/1568-136-0x0000000000000000-mapping.dmp
-
memory/3320-139-0x0000000000000000-mapping.dmp
-
memory/3320-144-0x0000000010000000-0x000000001004D000-memory.dmp
Filesize: 308KB
-
memory/3572-157-0x0000000000000000-mapping.dmp
-
memory/3572-160-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB
-
memory/3824-149-0x0000000000000000-mapping.dmp
-
memory/4016-132-0x00007FF833420000-0x00007FF833E56000-memory.dmp
Filesize: 10.2MB
-
memory/4648-153-0x0000000000000000-mapping.dmp
-
memory/4648-156-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB
-
memory/4648-159-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB