Analysis
max time kernel: 147s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 26/12/2023, 21:28
Static task: static1
Behavioral task: behavioral1 (Sample: 8ffb95d5e237a22a2773b17e34a4c6b0.exe, Resource: win7-20231215-en)
Behavioral task: behavioral2 (Sample: 8ffb95d5e237a22a2773b17e34a4c6b0.exe, Resource: win10v2004-20231215-en)
General
Target: 8ffb95d5e237a22a2773b17e34a4c6b0.exe
Size: 668KB
MD5: 8ffb95d5e237a22a2773b17e34a4c6b0
SHA1: 7e74c23a6d66fc6ad4d6a5397642476af48735ad
SHA256: 31eb4492dbdb099fae987f89fdb66fcd2a79367d6112a7f4a3ae47fdfa9e62d5
SHA512: e8a3c594e6d0009ad6cfe1f7d3341dcadac3fb536c001e0490c6b5f702abf904a30efc3964f797894c1aabbe03eb310d79ebf3e436b2a80c51dcc29de7f2aca8
SSDEEP: 12288:+OqBS5JJ/+EkGz1lr3nxGteN4r3t8UOGz624SitfLmygYuV:/CSYE7z193Rit8UJ62BmhgjV
Malware Config
Extracted
xtremerat
sweetma198.no-ip.info
Signatures

Detect XtremeRAT payload 12 IoCs
resource | yara_rule
behavioral1/memory/2004-2-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2004-4-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2004-7-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2004-10-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2004-18-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2004-14-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2004-12-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2672-28-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2856-32-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2856-40-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2856-34-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
behavioral1/memory/2856-46-0x0000000000C80000-0x0000000000CE9000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} | 8ffb95d5e237a22a2773b17e34a4c6b0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" | 8ffb95d5e237a22a2773b17e34a4c6b0.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} | skypa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" | skypa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PF38VKJN-7V8U-658N-NM1O-1B1M1TAV43R7}\StubPath = "C:\\Windows\\InstallDir\\skypa.exe restart" | explorer.exe
Executes dropped EXE 4 IoCs
pid | Process
2640 | skypa.exe
1968 | skypa.exe
2860 | skypa.exe
1684 | skypa.exe
Loads dropped DLL 3 IoCs
pid | Process
2856 | explorer.exe
2856 | explorer.exe
2672 | svchost.exe

resource | yara_rule
behavioral1/memory/544-77-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral1/memory/544-79-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral1/memory/544-81-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral1/memory/544-85-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral1/memory/544-87-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral1/memory/544-86-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral1/memory/544-89-0x0000000001610000-0x0000000001712000-memory.dmp | upx
behavioral1/memory/544-90-0x0000000001610000-0x0000000001712000-memory.dmp | upx
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" | skypa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" | skypa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" | 8ffb95d5e237a22a2773b17e34a4c6b0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVG = "C:\\Windows\\InstallDir\\skypa.exe" | 8ffb95d5e237a22a2773b17e34a4c6b0.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | explorer.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 3068 set thread context of 2004 | 3068 | 8ffb95d5e237a22a2773b17e34a4c6b0.exe | 28
PID 2640 set thread context of 2860 | 2640 | skypa.exe | 33
PID 2860 set thread context of 544 | 2860 | skypa.exe | 34
PID 1968 set thread context of 1684 | 1968 | skypa.exe | 35
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\InstallDir\ | 8ffb95d5e237a22a2773b17e34a4c6b0.exe
File opened for modification | C:\Windows\InstallDir\skypa.exe | skypa.exe
File opened for modification | C:\Windows\InstallDir\ | skypa.exe
File opened for modification | C:\Windows\InstallDir\skypa.exe | 8ffb95d5e237a22a2773b17e34a4c6b0.exe
File created | C:\Windows\InstallDir\skypa.exe | 8ffb95d5e237a22a2773b17e34a4c6b0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
544 | explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2856 | explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
2856 | explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2856 | explorer.exe
544 | explorer.exe
Suspicious use of WriteProcessMemory 62 IoCs
description | pid | Process | procid_target | events
PID 3068 wrote to memory of 2004 | 3068 | 8ffb95d5e237a22a2773b17e34a4c6b0.exe | 28 | 12
PID 2004 wrote to memory of 2672 | 2004 | 8ffb95d5e237a22a2773b17e34a4c6b0.exe | 29 | 5
PID 2004 wrote to memory of 2856 | 2004 | 8ffb95d5e237a22a2773b17e34a4c6b0.exe | 30 | 5
PID 2856 wrote to memory of 2640 | 2856 | explorer.exe | 31 | 4
PID 2672 wrote to memory of 1968 | 2672 | svchost.exe | 32 | 4
PID 2640 wrote to memory of 2860 | 2640 | skypa.exe | 33 | 12
PID 2860 wrote to memory of 544 | 2860 | skypa.exe | 34 | 8
PID 1968 wrote to memory of 1684 | 1968 | skypa.exe | 35 | 12
(identical repeated rows collapsed; the events column gives the repeat count, 62 in total)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe (PID 3068)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe (PID 2004)
      Command line: C:\Users\Admin\AppData\Local\Temp\8ffb95d5e237a22a2773b17e34a4c6b0.exe
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe (PID 2672)
         Command line: svchost.exe
         - Modifies Installed Components in the registry
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\InstallDir\skypa.exe (PID 1968)
            Command line: "C:\Windows\InstallDir\skypa.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\InstallDir\skypa.exe (PID 1684)
               Command line: C:\Windows\InstallDir\skypa.exe
               - Executes dropped EXE
      3. C:\Windows\SysWOW64\explorer.exe (PID 2856)
         Command line: explorer.exe
         - Loads dropped DLL
         - Drops desktop.ini file(s)
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\InstallDir\skypa.exe (PID 2640)
            Command line: "C:\Windows\InstallDir\skypa.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\InstallDir\skypa.exe (PID 2860)
               Command line: C:\Windows\InstallDir\skypa.exe
               - Modifies Installed Components in the registry
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of SetThreadContext
               - Drops file in Windows directory
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\explorer.exe (PID 544)
                  Command line: explorer.exe
                  - Modifies Installed Components in the registry
                  - Adds Run key to start application
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 3c4d3cd283491acb2b8be880e6515e34
SHA1: 24a402254b7b16a007a334655e811fee25bfac61
SHA256: 077c026e8eaa149a9a0b3b2f361f1d5d90852bd082d40d5366f70a3b783100e5
SHA512: ec420ca447b53ec38b1ac879d8e03ad7f89babf8ce0f81d91d0befae0402f594e6a7f229763d6a3a1483a4d8658cdd5e581a7bf35d496c98402460d608a970c1

Filesize: 2B
MD5: 84cad01fdb44ae58dbe6c3973dcd87f5
SHA1: 4700b42849fb35be323774820bf1bc8019d26c80
SHA256: 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6
SHA512: 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

Filesize: 343KB
MD5: 6426d400c96fb9ffef4eaa54f6647f4c
SHA1: 70a37871aff432790b6adf7d3fc4eb929476e082
SHA256: 98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c
SHA512: 2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

Filesize: 93KB
MD5: 391211f48801d386ad55f2327543c4c0
SHA1: 5d77cd181341594311ce384b451ab9bdf4bb607b
SHA256: 53fbae69f1cda07a6cc91fe4833c6f2a73178bcd5da3216514fc854c0ca5c2ef
SHA512: b2dd1358f353192aab5a5aa2bbc762f1f28a1aacca21543a9a2c44d887bfcf8de36d5a524bd3b4f05a758ea12ec70784087fbb063d1d782410b5fe73169dbe89

Filesize: 381KB
MD5: 77602e679bc6f083bc49aae4f658adb5
SHA1: 21cf0e86ad3febf0da71444bb879399e0754032f
SHA256: 4c35b58be0d9a61037790b82b7b9d5b08bf695af7e3a0c75ea2a3e5efb1cd359
SHA512: ee5b8a18f03673a53023a2f2d2d6178457c4111ab7a154e4fab6bdef23d1be2599a79271da5c7523f7ade151077eb86c070bb0f41d7a3f2cf42f6f4f025f31fa

Filesize: 192KB
MD5: 37ae693d4a9a755b9c620bf5473bd3d1
SHA1: 54af2c11b8aae8d6cfe855b250f53a5051728215
SHA256: bbb5b65c4320858bbc4016265cfc49baf1bcff7b9495e4ec29c5576f5f638421
SHA512: 96c6eb3dad16b5c7e6e4300983501e390d38415b50515e6412c70b6af7046933aaa7b15edf12676f5ea530273bd83d5e3ed37ed926382f51c682e4570324607d

Filesize: 668KB
MD5: 8ffb95d5e237a22a2773b17e34a4c6b0
SHA1: 7e74c23a6d66fc6ad4d6a5397642476af48735ad
SHA256: 31eb4492dbdb099fae987f89fdb66fcd2a79367d6112a7f4a3ae47fdfa9e62d5
SHA512: e8a3c594e6d0009ad6cfe1f7d3341dcadac3fb536c001e0490c6b5f702abf904a30efc3964f797894c1aabbe03eb310d79ebf3e436b2a80c51dcc29de7f2aca8

Filesize: 64KB
MD5: 1ad8c36c519b748fbe1aa79b574573fa
SHA1: d783363eeb161fbd096b5657c2a27480b3e1f79a
SHA256: 44ca58e48755b2148b09dce0fcc79a4a87495110cb3c9a4b9fbfb1530c29ceaf
SHA512: 8bc7fa99e860b07e478f4d1357c98f484ad649a2e2223deabfffe62350f68d0948669fdd503257bb891aa2c32b1d7d7c44fe6dfd4402e71ca3331b47d4b1b684