Analysis
-
max time kernel
165s
-
max time network
191s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
-
submitted
03/12/2022, 11:09
Static task
static1
Behavioral task
behavioral1
Sample
b7de05c202f4f3fe3cb0da046881c193ca27a63a4bb51cec5b7f2aa6a6b52437.exe
Resource
win7-20221111-en
General
-
Target
b7de05c202f4f3fe3cb0da046881c193ca27a63a4bb51cec5b7f2aa6a6b52437.exe
-
Size
168KB
-
MD5
913a6bfca17e940efd2b71b61b8422c4
-
SHA1
a09ded6937cdc682475e6343afccc20f93ef9481
-
SHA256
b7de05c202f4f3fe3cb0da046881c193ca27a63a4bb51cec5b7f2aa6a6b52437
-
SHA512
1849ea9fcf805ae9f6732539a40927581ac00651771d581d595f459d2abab8de5666a16df9036ccfa97d03fb1f0b0c1b57499e3a275ba79dfcc0f6b29eda24d7
-
SSDEEP
3072:NdZPIf4J6rvsqNrOF4skXeXaJbNL8aBohO7Yt8dME51zdVHS3u3nY:NwfU6rvsXmXeKJG8odt9815VHS3u3Y
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
xtremerat
maradona.no-ip.org
Signatures
-
Detect XtremeRAT payload 3 IoCs
resource yara_rule
behavioral2/memory/2068-138-0x0000000000000000-mapping.dmp family_xtremerat
behavioral2/memory/3272-139-0x0000000010000000-0x000000001005E000-memory.dmp family_xtremerat
behavioral2/memory/2068-140-0x0000000010000000-0x000000001005E000-memory.dmp family_xtremerat
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" tmp.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" tmp.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" tmp.exe
-
UAC bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe
-
Windows security bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tmp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tmp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" tmp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tmp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" tmp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tmp.exe
-
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
Executes dropped EXE 1 IoCs
pid Process
3272 tmp.exe
-
resource yara_rule
behavioral2/files/0x000a00000002317e-135.dat upx
behavioral2/files/0x000a00000002317e-136.dat upx
behavioral2/memory/3272-137-0x00000000022D0000-0x000000000335E000-memory.dmp upx
behavioral2/memory/3272-139-0x0000000010000000-0x000000001005E000-memory.dmp upx
behavioral2/memory/2068-140-0x0000000010000000-0x000000001005E000-memory.dmp upx
behavioral2/memory/3272-141-0x00000000022D0000-0x000000000335E000-memory.dmp upx
-
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" tmp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc tmp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tmp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tmp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tmp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" tmp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tmp.exe
-
Checks whether UAC is enabled
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SYSTEM.INI tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target
3696 2068 WerFault.exe 83
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
3272 tmp.exe
3272 tmp.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 3272 tmp.exe (this row is repeated 64 times in the report)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
4104 b7de05c202f4f3fe3cb0da046881c193ca27a63a4bb51cec5b7f2aa6a6b52437.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target
PID 4104 wrote to memory of 3272 4104 b7de05c202f4f3fe3cb0da046881c193ca27a63a4bb51cec5b7f2aa6a6b52437.exe 82
PID 4104 wrote to memory of 3272 4104 b7de05c202f4f3fe3cb0da046881c193ca27a63a4bb51cec5b7f2aa6a6b52437.exe 82
PID 4104 wrote to memory of 3272 4104 b7de05c202f4f3fe3cb0da046881c193ca27a63a4bb51cec5b7f2aa6a6b52437.exe 82
PID 3272 wrote to memory of 768 3272 tmp.exe 8
PID 3272 wrote to memory of 776 3272 tmp.exe 80
PID 3272 wrote to memory of 1012 3272 tmp.exe 76
PID 3272 wrote to memory of 2496 3272 tmp.exe 45
PID 3272 wrote to memory of 2508 3272 tmp.exe 44
PID 3272 wrote to memory of 2788 3272 tmp.exe 37
PID 3272 wrote to memory of 1192 3272 tmp.exe 35
PID 3272 wrote to memory of 3008 3272 tmp.exe 34
PID 3272 wrote to memory of 3256 3272 tmp.exe 33
PID 3272 wrote to memory of 3352 3272 tmp.exe 32
PID 3272 wrote to memory of 3416 3272 tmp.exe 31
PID 3272 wrote to memory of 3512 3272 tmp.exe 30
PID 3272 wrote to memory of 3796 3272 tmp.exe 29
PID 3272 wrote to memory of 4432 3272 tmp.exe 11
PID 3272 wrote to memory of 4928 3272 tmp.exe 10
PID 3272 wrote to memory of 4240 3272 tmp.exe 9
PID 3272 wrote to memory of 4104 3272 tmp.exe 81
PID 3272 wrote to memory of 4104 3272 tmp.exe 81
PID 3272 wrote to memory of 2068 3272 tmp.exe 83
PID 3272 wrote to memory of 2068 3272 tmp.exe 83
PID 3272 wrote to memory of 2068 3272 tmp.exe 83
PID 3272 wrote to memory of 2068 3272 tmp.exe 83
PID 3272 wrote to memory of 1620 3272 tmp.exe 84
PID 3272 wrote to memory of 1620 3272 tmp.exe 84
PID 3272 wrote to memory of 1620 3272 tmp.exe 84
-
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe
Processes
-
[1] C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    PID:768
-
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:4240
-
[1] C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    PID:4928
-
[1] C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    PID:4432
-
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:3796
-
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:3512
-
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:3416
-
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:3352
-
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:3256
-
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID:3008
-
[1] C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:1192
    -
    [2] C:\Users\Admin\AppData\Local\Temp\b7de05c202f4f3fe3cb0da046881c193ca27a63a4bb51cec5b7f2aa6a6b52437.exe
        "C:\Users\Admin\AppData\Local\Temp\b7de05c202f4f3fe3cb0da046881c193ca27a63a4bb51cec5b7f2aa6a6b52437.exe"
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:4104
        -
        [3] C:\Users\Admin\AppData\Local\Temp\tmp.exe
            C:\Users\Admin\AppData\Local\Temp\tmp.exe
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID:3272
            -
            [4] C:\Windows\SysWOW64\svchost.exe
                svchost.exe
                PID:2068
                -
                [5] C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 348
                    - Program crash
                    PID:3696
            -
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                PID:1620
-
[1] C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID:2788
-
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID:2508
-
[1] C:\Windows\system32\sihost.exe
    sihost.exe
    PID:2496
-
[1] C:\Windows\system32\dwm.exe
    "dwm.exe"
    PID:1012
-
[1] C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    PID:776
-
[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2068 -ip 2068
    PID:4428
-
[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2068 -ip 2068
    PID:4652
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
104KB
MD5
55ba04631a2e6284bfc0762968a427ae
SHA1
8f384cd44e6300c66b8675328d85b181ed12c8d4
SHA256
775dbacfda9795ab7484be4c0c97ce330734eb381ee864fb3d0ac05dbb3623fb
SHA512
9a5e4df4b0b02bae64a6f957d268580e1f4599adca5776918859ffacf4794d7fdb5dc8eba99fc310bce2c521acbe32ef5babd447b7fef5057fbe79d906eb20e6
-
Filesize
104KB
MD5
55ba04631a2e6284bfc0762968a427ae
SHA1
8f384cd44e6300c66b8675328d85b181ed12c8d4
SHA256
775dbacfda9795ab7484be4c0c97ce330734eb381ee864fb3d0ac05dbb3623fb
SHA512
9a5e4df4b0b02bae64a6f957d268580e1f4599adca5776918859ffacf4794d7fdb5dc8eba99fc310bce2c521acbe32ef5babd447b7fef5057fbe79d906eb20e6