Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 17:09
Static task: static1
Behavioral task: behavioral1
  Sample: 7f3288ccbcf8a013ab271528d5592fd2.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 7f3288ccbcf8a013ab271528d5592fd2.exe
  Resource: win10v2004-20231215-en
General
Target: 7f3288ccbcf8a013ab271528d5592fd2.exe
Size: 538KB
MD5: 7f3288ccbcf8a013ab271528d5592fd2
SHA1: ae67dc40bfa75756af5d6b63168bdba9f9fc3d63
SHA256: 52b4760df29374cf59babed736100e689a10ecf9a8ab651d28010f6489fb4e46
SHA512: 7a31e4d5ad204ef70803ad6e9aa2ab80eb2d4bcf04f11a24033c171b9820742edc8fa79b2e4dacc4f5103369067baa303b77722613509319c2e35e54da57731a
SSDEEP: 12288:7E6SXHwL6D6N7fn5nPKK/lGRgOUqmq9kR6lhKX0d2eaG7OElJlW:Y6SXtD6Rn5PKK/cRgOnmq9g6Ser7OElO
Malware Config
Signatures
Detect XtremeRAT payload (6 IoCs)
resource | yara_rule
behavioral2/memory/3076-52-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/3076-51-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/4136-56-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/3892-58-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/3076-59-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral2/memory/3892-61-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 7f3288ccbcf8a013ab271528d5592fd2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" | 7f3288ccbcf8a013ab271528d5592fd2.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" | svchost.exe
UPX yara rule hits (8 IoCs)
resource | yara_rule
behavioral2/memory/3076-46-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/3076-52-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/3076-51-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/3076-49-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/4136-56-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/3892-58-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/3076-59-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral2/memory/3892-61-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" | 7f3288ccbcf8a013ab271528d5592fd2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" | 7f3288ccbcf8a013ab271528d5592fd2.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\InstallDir\Server.exe | 7f3288ccbcf8a013ab271528d5592fd2.exe
File created | C:\Windows\SysWOW64\InstallDir\Server.exe | 7f3288ccbcf8a013ab271528d5592fd2.exe
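The three persistence artefacts above (an Active Setup StubPath, HKCU and HKLM Run values, and Server.exe dropped into a private folder under SysWOW64) are what a detection should key on. The script below is an added example written for this page, not code from the sandbox or from XtremeRAT; it correlates those artefacts in a stream of registry and file events. The Sysmon-like event shape (EventID 13 for a registry value set, EventID 11 for a file create, with TargetObject, Details, TargetFilename and ProcessId fields), the KNOWN_SYSTEM_SUBDIRS allowlist, and the benign SecurityHealth control row are assumptions of the example; the other sample events are constructed from the IoCs in this report. One detail the report exposes matters for matching: the 32-bit sample wrote to system32, WOW64 redirected the file to SysWOW64, and the registry values still say system32, so paths have to be folded before they are compared.

```python
"""Correlate this report's persistence IoCs: an Active Setup StubPath
(ATT&CK T1547.014) and Run values (T1547.001) pointing at a binary the
sample dropped into a private folder under System32/SysWOW64.

Added example for this page, not part of the sandbox report or of XtremeRAT.
Event dicts use a constructed, Sysmon-like shape (EventID 13 = registry value
set, EventID 11 = file create); field names and the KNOWN_SYSTEM_SUBDIRS
allowlist are assumptions of this example."""
import re

WINDIR = r"c:\windows"
# Folders that legitimately hold autorun targets below System32 (assumption; tune per estate).
KNOWN_SYSTEM_SUBDIRS = {"wbem", "drivers", "windowspowershell"}

_ROOT_RE = re.compile(r"^\\REGISTRY\\(MACHINE|USER\\S-1-5-[0-9-]+)\\", re.I)
_ACTIVE_SETUP_RE = re.compile(
    r"^software\\microsoft\\active setup\\installed components\\(\{[0-9a-f-]+\})\\stubpath$")
_RUN_RE = re.compile(r"^software\\microsoft\\windows\\currentversion\\(run|runonce)\\(.+)$")


def normalize_key(target_object):
    """'\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\X' -> ('HKLM', 'software\\x').
    WOW6432Node is folded away so 32-bit-redirected keys compare equal."""
    m = _ROOT_RE.match(target_object)
    if not m:
        return None, target_object.lower()
    hive = "HKLM" if m.group(1).upper() == "MACHINE" else "HKU"
    return hive, target_object[m.end():].lower().replace("wow6432node\\", "")


def normalize_path(path):
    """Lower-case, expand %windir%/%systemroot%, fold SysWOW64 onto System32
    (the file landed in SysWOW64 while the registry values say system32)."""
    p = re.sub(r"%(windir|systemroot)%", lambda _m: WINDIR, path.strip().strip('"').lower())
    return p.replace(WINDIR + "\\syswow64\\", WINDIR + "\\system32\\")


def extract_image(details):
    """Executable part of an autorun value, e.g.
    'C:\\Windows\\system32\\InstallDir\\Server.exe restart' -> the .exe path."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)]
    tokens = d.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def odd_system_subdir(image):
    """Name of the unexpected folder if the image sits in a subfolder of
    System32/SysWOW64 (where this sample hides Server.exe), else None."""
    p = normalize_path(image)
    prefix = WINDIR + "\\system32\\"
    if not p.startswith(prefix) or "\\" not in p[len(prefix):]:
        return None
    sub = p[len(prefix):].split("\\")[0]
    return None if sub in KNOWN_SYSTEM_SUBDIRS else sub


def find_persistence(events):
    """One finding per autorun write whose target is in an odd System32 subfolder
    or was created by a process seen in the same event stream."""
    created = {normalize_path(e["TargetFilename"]): e for e in events if e["EventID"] == 11}
    findings = []
    for e in events:
        if e["EventID"] != 13:
            continue
        hive, subkey = normalize_key(e["TargetObject"])
        m = _ACTIVE_SETUP_RE.match(subkey)
        if m:
            technique, key = "T1547.014", "Active Setup StubPath " + m.group(1)
        else:
            m = _RUN_RE.match(subkey)
            if not m:
                continue
            technique, key = "T1547.001", "%s\\...\\%s\\%s" % (hive, m.group(1), m.group(2))
        image = extract_image(e["Details"])
        sub, dropped = odd_system_subdir(image), created.get(normalize_path(image))
        if sub is None and dropped is None:
            continue
        findings.append({"technique": technique, "key": key, "target": image, "pid": e["ProcessId"],
                         "reason": ("target in System32 subfolder '%s'" % sub) if sub else "target was dropped",
                         "dropped_by_pid": dropped["ProcessId"] if dropped else None})
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"
SERVER = r"C:\Windows\system32\InstallDir\Server.exe"
SAMPLE_EVENTS = [  # constructed from the report's IoCs; the event shape is an assumption
    {"EventID": 11, "ProcessId": 3076, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\SysWOW64\InstallDir\Server.exe"},
    {"EventID": 13, "ProcessId": 3076, "Image": SAMPLE, "Details": SERVER + " restart",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath"},
    {"EventID": 13, "ProcessId": 3076, "Image": SAMPLE, "Details": SERVER,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU"},
    {"EventID": 13, "ProcessId": 4136, "Image": r"C:\Windows\SysWOW64\svchost.exe", "Details": SERVER,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM"},
    # Benign control row (constructed, not from the report): target sits directly in System32.
    {"EventID": 13, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
]

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EVENTS):
        print(finding)
```

The control row is not flagged because its target sits directly in System32; the three report-derived writes are, and each is tied back to the file-create from PID 3076. Two further indicators visible in the report are worth adding as secondary checks in a real rule: the literal "restart" argument on the StubPath, and the fact that a svchost.exe spawned from SysWOW64 (PID 4136) re-writes the same keys.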
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3768 set thread context of 4352 | 3768 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 96
PID 4352 set thread context of 3076 | 4352 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 93
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
3768 | 7f3288ccbcf8a013ab271528d5592fd2.exe
4352 | 7f3288ccbcf8a013ab271528d5592fd2.exe
3892 | svchost.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 3768 wrote to memory of 4352 | 3768 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 96  (8 identical rows)
PID 4352 wrote to memory of 3076 | 4352 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 93  (8 identical rows)
PID 3076 wrote to memory of 4136 | 3076 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 94  (4 identical rows)
PID 3076 wrote to memory of 3892 | 3076 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 95  (4 identical rows)
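Read together, the SetThreadContext and WriteProcessMemory rows describe the injection chain: 3768 writes into and re-contexts 4352, 4352 does the same to 3076, and 3076 then writes into the two svchost.exe children. The script below is an added example, not the sandbox's own tooling; it parses the rows in the form the report prints them, collapses the repeats, and labels each edge. The row strings are copied from the two tables above (repeated rows expanded to their counts), the pid-to-image map is taken from the Processes section, and the verdict strings are this example's own. The trailing number on each row is the sandbox's internal target index (96, 93, 94, 95), which is parsed but not used.

```python
"""Rebuild the injection chain from this report's WriteProcessMemory and
SetThreadContext rows and flag the process-hollowing pattern: a parent that
writes into a child and then resets the child's thread context.

Added example for this page; not the sandbox's own tooling.  Row strings are
copied from the report's IoC tables; pid-to-image mapping is from its
Processes section; verdict wording is this example's own."""
import re
from collections import Counter

ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) (\d+) (\S+) (\d+)$")

SAMPLE_EXE = "7f3288ccbcf8a013ab271528d5592fd2.exe"
PROCESS_IMAGES = {3768: SAMPLE_EXE, 4352: SAMPLE_EXE, 3076: SAMPLE_EXE,
                  4136: "svchost.exe", 3892: "svchost.exe"}

# The 26 rows exactly as the report's two tables list them (repeats expanded).
REPORT_ROWS = (
    ["PID 3768 set thread context of 4352 3768 %s 96" % SAMPLE_EXE,
     "PID 4352 set thread context of 3076 4352 %s 93" % SAMPLE_EXE]
    + ["PID 3768 wrote to memory of 4352 3768 %s 96" % SAMPLE_EXE] * 8
    + ["PID 4352 wrote to memory of 3076 4352 %s 93" % SAMPLE_EXE] * 8
    + ["PID 3076 wrote to memory of 4136 3076 %s 94" % SAMPLE_EXE] * 4
    + ["PID 3076 wrote to memory of 3892 3076 %s 95" % SAMPLE_EXE] * 4
)


def parse_rows(lines):
    """Yield (api, source_pid, target_pid) for every row the regex recognises."""
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            api = "WriteProcessMemory" if m.group(2).startswith("wrote") else "SetThreadContext"
            yield api, int(m.group(1)), int(m.group(3))


def injection_chain(lines, images):
    """Map each (source, target) pid pair to its write count, whether the
    source also reset the target's thread context, and a verdict."""
    writes, ctx = Counter(), set()
    for api, src, dst in parse_rows(lines):
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    chain = {}
    for edge in sorted(set(writes) | ctx):
        src, dst = edge
        same_image = images.get(src) == images.get(dst)
        if edge in ctx and writes[edge]:
            # Write followed by SetThreadContext on the same child is the RunPE / hollowing shape.
            verdict = "process hollowing candidate"
        elif images.get(dst, "").lower() == "svchost.exe":
            verdict = "memory written into svchost.exe"
        else:
            verdict = "memory write only"
        chain[edge] = {"writes": writes[edge], "set_context": edge in ctx,
                       "same_image": same_image, "verdict": verdict}
    return chain


def roots(chain):
    """Pids that inject but are never injected into: where the chain starts."""
    return {src for src, _ in chain} - {dst for _, dst in chain}


if __name__ == "__main__":
    result = injection_chain(REPORT_ROWS, PROCESS_IMAGES)
    print("origin pid(s):", sorted(roots(result)))
    for (src, dst), info in result.items():
        print("%d -> %d  %s  %s" % (src, dst, info["verdict"], info))
```

The two self-image edges (3768 to 4352, 4352 to 3076) carry both a write and a SetThreadContext, which is the RunPE shape one expects from a packed Delphi RAT unpacking itself in stages; the writes into 4136 and 3892 have no SetThreadContext row in this report, so the example only labels them as injection into svchost.exe rather than asserting they were hollowed.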
Processes
C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"
  PID: 3768
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe  (depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"
      PID: 4352
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe  (depth 1)
  PID: 3076
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe  (depth 2)
      command line: svchost.exe
      PID: 4136
      - Modifies Installed Components in the registry
      - Adds Run key to start application
    C:\Windows\SysWOW64\svchost.exe  (depth 2)
      command line: svchost.exe
      PID: 3892
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 150KB
MD5: bf28f8fb31a4f40582f6101327d87699
SHA1: dba0a546428f6e8762e2b380ca610af2bcf2b652
SHA256: c3950ff601608fb705d1ec47860db16089e5869037be61563c5aad6540d27518
SHA512: c788e88f5f1cec1aa200de2f34e0fc1d1e7a4af8c3cce6406ded6b2bb1884b8ee5240cdfb621d3ebf453f13b07512df031f599d24c2eb02545fdf1dd6931220d