Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 20:17
Static task: static1
Behavioral task: behavioral1
Sample: e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe
Resource: win7-20221111-en
General
- Target: e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe
- Size: 170KB
- MD5: 0095463dcec80139f260441f55342f6e
- SHA1: c26f18944a0764a399d376b636c7748e0f9505ea
- SHA256: e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e
- SHA512: 0fbd6ad24d77982cffd5ea34ae587197303d869388f62b188872da2c101e6206f52d567076e32f92833aac18eff6ac911df9e512d802a08195e544c5544bbe47
- SSDEEP: 3072:7DYClxW48oQyMmEwr+tDDdvT3osib+yg7RXdNW5uWw+ISzuaG5UE6Cs6igErg4bf:7D9/81yRrrQXdvbfib+V7l2njGprs6sh
Malware Config
Signatures
- Detect XtremeRAT payload (7 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/1604-143-0x0000000000C80000-0x0000000000C95000-memory.dmp: family_xtremerat
  - behavioral2/memory/1604-144-0x0000000000C80000-0x0000000000C95000-memory.dmp: family_xtremerat
  - behavioral2/memory/5076-145-0x0000000000000000-mapping.dmp: family_xtremerat
  - behavioral2/memory/5076-146-0x0000000000C80000-0x0000000000C95000-memory.dmp: family_xtremerat
  - behavioral2/memory/3500-151-0x0000000000000000-mapping.dmp: family_xtremerat
  - behavioral2/memory/3500-161-0x0000000000C80000-0x0000000000C95000-memory.dmp: family_xtremerat
  - behavioral2/memory/3500-166-0x0000000000C80000-0x0000000000C95000-memory.dmp: family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 3340 explorer.exe
  - 1668 mvscavAP.exe
  - 2380 SiaPort.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe" (svchost.exe)
- Memory regions matching yara_rule upx
  Processes (resource: yara_rule):
  - behavioral2/memory/1604-140-0x0000000000C80000-0x0000000000C95000-memory.dmp: upx
  - behavioral2/memory/1604-142-0x0000000000C80000-0x0000000000C95000-memory.dmp: upx
  - behavioral2/memory/1604-143-0x0000000000C80000-0x0000000000C95000-memory.dmp: upx
  - behavioral2/memory/1604-144-0x0000000000C80000-0x0000000000C95000-memory.dmp: upx
  - behavioral2/memory/5076-146-0x0000000000C80000-0x0000000000C95000-memory.dmp: upx
  - behavioral2/memory/3500-161-0x0000000000C80000-0x0000000000C95000-memory.dmp: upx
  - behavioral2/memory/3500-166-0x0000000000C80000-0x0000000000C95000-memory.dmp: upx
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (explorer.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (mvscavAP.exe)
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe" (mvscavAP.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe" (svchost.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe" (svchost.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 3340 set thread context of 1604: 3340 explorer.exe -> AppLaunch.exe
  - PID 2380 set thread context of 4224: 2380 SiaPort.exe -> AppLaunch.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process); the report lists 64 entries cycling through the same three processes:
  - 3340 explorer.exe
  - 1668 mvscavAP.exe
  - 2380 SiaPort.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege: 4928 e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe
  - Token: SeDebugPrivilege: 3340 explorer.exe
  - Token: SeDebugPrivilege: 1668 mvscavAP.exe
  - Token: SeDebugPrivilege: 2380 SiaPort.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 3500 svchost.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes (description, pid, process, target process), with the number of identical entries in the report:
  - PID 4928 wrote to memory of 3340: 4928 e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe -> explorer.exe (3 entries)
  - PID 3340 wrote to memory of 1604: 3340 explorer.exe -> AppLaunch.exe (8 entries)
  - PID 1604 wrote to memory of 5076: 1604 AppLaunch.exe -> svchost.exe (4 entries)
  - PID 1604 wrote to memory of 4400: 1604 AppLaunch.exe -> svchost.exe (3 entries)
  - PID 3340 wrote to memory of 1668: 3340 explorer.exe -> mvscavAP.exe (3 entries)
  - PID 1604 wrote to memory of 4284: 1604 AppLaunch.exe -> svchost.exe (3 entries)
  - PID 1604 wrote to memory of 3500: 1604 AppLaunch.exe -> svchost.exe (4 entries)
  - PID 1668 wrote to memory of 2380: 1668 mvscavAP.exe -> SiaPort.exe (3 entries)
  - PID 2380 wrote to memory of 4224: 2380 SiaPort.exe -> AppLaunch.exe (8 entries)
Processes (indentation shows the parent/child tree; the number in brackets is the depth)
- [1] C:\Users\Admin\AppData\Local\Temp\e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        - Modifies Installed Components in the registry
        - Adds Run key to start application
      - [4] C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
      - [4] C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
      - [4] C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        - Suspicious use of SetWindowsHookEx
    - [3] C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: c9da99e1ffd31fc2dbf0764ab7cfff72
  SHA1: 93f84ebb0bdfe9ce96f028fde3c877513f16f3a9
  SHA256: 7c7f55972198db856af338942a34015f76a4d628f74be891ba05c4a1631f649f
  SHA512: 831d19099248958e7078854c111d49e739c5d5ae40aff2d785e13a33807c0fa9695202d8424299ceed017792e465f8cd0aa579689fbf4e38194c844205ae5ce1
- C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
  Filesize: 170KB
  MD5: 0095463dcec80139f260441f55342f6e
  SHA1: c26f18944a0764a399d376b636c7748e0f9505ea
  SHA256: e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e
  SHA512: 0fbd6ad24d77982cffd5ea34ae587197303d869388f62b188872da2c101e6206f52d567076e32f92833aac18eff6ac911df9e512d802a08195e544c5544bbe47
- C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
  Filesize: 38KB
  MD5: 53e6c622c66f33d787b8be3fb9fcf606
  SHA1: 3422385a97ed913cd91d14caaffbe61933d31907
  SHA256: 861100189fbe2faa23a28bb8dd1b755aec30ce57641a60ea0f4ef6b9bd11ecb5
  SHA512: 72c57805a045f86b2f5541e4fae41e7bdfe2c030c1a0b33eba31db7b93818c7695c3eb817d31b770885b84e53011055db4e32fef9c29e822a682b04b143a4d09
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\P3dGcZj.cfg
  Filesize: 1KB
  MD5: bff0cf7ee4da7954bf2032dbf2dd0879
  SHA1: e5d5513fb6fd8a86927b6c34854b992672a1947f
  SHA256: 26a87b785a61e8d3cd1d594bc51a55632c0073ccfe9131d046c4c715d1f58ce5
  SHA512: 881c378ad2bd4b417d730940ba437d997f00dfcc93e582fac13ae79f6fc859fbca898f21a6611c5bf3ce8e067877669771734d2cf62486045482ed8c4076b46c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  Filesize: 170KB
  MD5: 0095463dcec80139f260441f55342f6e
  SHA1: c26f18944a0764a399d376b636c7748e0f9505ea
  SHA256: e6719eeccee467080c1873920610821f0488bdf5674357d4c0183d609d51e09e
  SHA512: 0fbd6ad24d77982cffd5ea34ae587197303d869388f62b188872da2c101e6206f52d567076e32f92833aac18eff6ac911df9e512d802a08195e544c5544bbe47
- memory/1604-138-0x0000000000000000-mapping.dmp
- memory/1604-142-0x0000000000C80000-0x0000000000C95000-memory.dmp (Filesize: 84KB)
- memory/1604-143-0x0000000000C80000-0x0000000000C95000-memory.dmp (Filesize: 84KB)
- memory/1604-144-0x0000000000C80000-0x0000000000C95000-memory.dmp (Filesize: 84KB)
- memory/1604-140-0x0000000000C80000-0x0000000000C95000-memory.dmp (Filesize: 84KB)
- memory/1668-165-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/1668-160-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/1668-147-0x0000000000000000-mapping.dmp
- memory/2380-162-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/2380-152-0x0000000000000000-mapping.dmp
- memory/2380-167-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/3340-139-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/3340-164-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/3340-133-0x0000000000000000-mapping.dmp
- memory/3500-151-0x0000000000000000-mapping.dmp
- memory/3500-161-0x0000000000C80000-0x0000000000C95000-memory.dmp (Filesize: 84KB)
- memory/3500-166-0x0000000000C80000-0x0000000000C95000-memory.dmp (Filesize: 84KB)
- memory/4224-154-0x0000000000000000-mapping.dmp
- memory/4928-132-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/4928-136-0x0000000075480000-0x0000000075A31000-memory.dmp (Filesize: 5.7MB)
- memory/5076-146-0x0000000000C80000-0x0000000000C95000-memory.dmp (Filesize: 84KB)
- memory/5076-145-0x0000000000000000-mapping.dmp