Analysis

max time kernel: 152s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 22:18
Static task: static1

Behavioral task: behavioral1
Sample: 92463f77f40595d193ec96d7110ca7d9.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 92463f77f40595d193ec96d7110ca7d9.exe
Resource: win10v2004-20231215-en
General

Target: 92463f77f40595d193ec96d7110ca7d9.exe
Size: 597KB
MD5: 92463f77f40595d193ec96d7110ca7d9
SHA1: a1ef00f5635ade5de097373d89710cf00f16bfe3
SHA256: 3ea0ae2b4f2ef54ec31a155fd20c493ebc6aae640aadf20a2731f50e3e1242f0
SHA512: 59116d3df98e5ac0aecffc71328cc3d6065bbc193df1fc2555ebcc71783a3cdc16600ef54a6bf6aabcb3de6a230fc592bf302c8a879d817b6a6e3dcc5df7b7a5
SSDEEP: 12288:WqucHnZrJ2WFtJMOqf2Q1/1MoF5+eh8aWvp2g1iqoY3t+vVLtT/:tr0YtKOqr1i+H6aWvpX3uVLtT/
Malware Config

Signatures
Detect XtremeRAT payload (5 IoCs)
- behavioral2/memory/1936-10-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: family_xtremerat)
- behavioral2/memory/2884-17-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: family_xtremerat)
- behavioral2/memory/4536-19-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: family_xtremerat)
- behavioral2/memory/1936-20-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: family_xtremerat)
- behavioral2/memory/4536-22-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: family_xtremerat)
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Adds policy Run key to start application (2 TTPs, 8 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater = "C:\\Windows\\UpdaterWin\\update.exe" (svchost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (92463f77f40595d193ec96d7110ca7d9.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater = "C:\\Windows\\UpdaterWin\\update.exe" (92463f77f40595d193ec96d7110ca7d9.exe)
- Key created: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (92463f77f40595d193ec96d7110ca7d9.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater = "C:\\Windows\\UpdaterWin\\update.exe" (92463f77f40595d193ec96d7110ca7d9.exe)
- Key created: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater = "C:\\Windows\\UpdaterWin\\update.exe" (svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} (92463f77f40595d193ec96d7110ca7d9.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\UpdaterWin\\update.exe restart" (92463f77f40595d193ec96d7110ca7d9.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\UpdaterWin\\update.exe restart" (svchost.exe)
- behavioral2/memory/1936-5-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: upx)
- behavioral2/memory/1936-10-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: upx)
- behavioral2/memory/1936-7-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: upx)
- behavioral2/memory/2884-17-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: upx)
- behavioral2/memory/4536-19-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: upx)
- behavioral2/memory/1936-20-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: upx)
- behavioral2/memory/4536-22-0x0000000000C80000-0x0000000000C96000-memory.dmp (yara_rule: upx)
Suspicious use of SetThreadContext (1 IoC)
- PID 4968 set thread context of 1936 (pid 4968, 92463f77f40595d193ec96d7110ca7d9.exe, procid_target 32)
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\UpdaterWin\update.exe (92463f77f40595d193ec96d7110ca7d9.exe)
- File opened for modification: C:\Windows\UpdaterWin\ (92463f77f40595d193ec96d7110ca7d9.exe)
- File opened for modification: C:\Windows\UpdaterWin\update.exe (92463f77f40595d193ec96d7110ca7d9.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (3 IoCs)
- pid 4968 (92463f77f40595d193ec96d7110ca7d9.exe)
- pid 4968 (92463f77f40595d193ec96d7110ca7d9.exe)
- pid 4536 (explorer.exe)
Suspicious use of WriteProcessMemory (28 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\92463f77f40595d193ec96d7110ca7d9.exe "C:\Users\Admin\AppData\Local\Temp\92463f77f40595d193ec96d7110ca7d9.exe" (PID 4968)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\92463f77f40595d193ec96d7110ca7d9.exe (PID 1936)
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe svchost.exe (PID 2884)
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
    - C:\Windows\SysWOW64\explorer.exe explorer.exe (PID 3332)
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID 936)
    - C:\Windows\SysWOW64\explorer.exe explorer.exe (PID 852)
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID 2508)
    - C:\Windows\SysWOW64\explorer.exe explorer.exe (PID 4536)
      - Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" (PID 4592)
Network

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 92KB
MD5: ec0ed29f0f219f10b95e807bea9388a7
SHA1: 01377f44b70103cc3666be777f70485c9baeaf37
SHA256: ebc59363d110fd29e8a8bef24a303dacf9b018bccc778265114047460929740e
SHA512: e89587940cfa2398edeee973def00373480aa763ea9b471edd06dc363658cfc28cf4c8bb0fdca1f9be1ae3b0d8905f6cb51c30e18a12b702964bb57fc8052792