Overview

overview

10

Static

static

9a0b75dd14...74.exe

windows7-x64

10

9a0b75dd14...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a0b75dd14192726868b36bec94af30659e7f56edb5a94ec0211668e0672da74.exe

  • Size

    568KB

  • MD5

    25e4604ad1befcfd562a254a4e4961ec

  • SHA1

    4fbdb4bd7f043950e31e33669e31aa9334ed08e1

  • SHA256

    9a0b75dd14192726868b36bec94af30659e7f56edb5a94ec0211668e0672da74

  • SHA512

    50270f32b17f3550a498e80f32d586697541c59fad76478e0db78497b6f219bc078376d254bb5f5235fcd882a9c8e53fe7de8ce34cdde16ab94609b7ecbad9ce

  • SSDEEP

    384:ug2JvTv+HdNpOFmagBRyRrhnbUQ3ZkDl7jdaVcrOF:uDJvKYFmabf5kDlMciF

Score
10/10
xtremeratpersistenceratspyware

Malware Config

Extracted

Family

xtremerat

C2

vpndodo.sytes.net

Signatures

  • Detect XtremeRAT payload 17 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a0b75dd14192726868b36bec94af30659e7f56edb5a94ec0211668e0672da74.exe
    "C:\Users\Admin\AppData\Local\Temp\9a0b75dd14192726868b36bec94af30659e7f56edb5a94ec0211668e0672da74.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Users\Admin\AppData\Local\Temp\9a0b75dd14192726868b36bec94af30659e7f56edb5a94ec0211668e0672da74.exe
      C:\Users\Admin\AppData\Local\Temp\9a0b75dd14192726868b36bec94af30659e7f56edb5a94ec0211668e0672da74.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        PID:2008
      • C:\Windows\SysWOW64\calc.exe
        calc.exe
        3⤵
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1304

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\microsofts\microsoft.exe
    Filesize

    568KB

    MD5

    25e4604ad1befcfd562a254a4e4961ec

    SHA1

    4fbdb4bd7f043950e31e33669e31aa9334ed08e1

    SHA256

    9a0b75dd14192726868b36bec94af30659e7f56edb5a94ec0211668e0672da74

    SHA512

    50270f32b17f3550a498e80f32d586697541c59fad76478e0db78497b6f219bc078376d254bb5f5235fcd882a9c8e53fe7de8ce34cdde16ab94609b7ecbad9ce

    Download Submit

  • memory/848-68-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/848-59-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-60-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-61-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-62-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-63-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-65-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-56-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-67-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-57-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-70-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-69-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/848-78-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1304-80-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1304-83-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2008-81-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2008-84-0x0000000010000000-0x000000001004A000-memory.dmp

    Filesize

    296KB

    Download