Analysis
max time kernel: 156s
max time network: 175s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 17:55
Static task: static1
Behavioral task: behavioral1
  Sample: 821e4c194c721f6f40b6a63b71229677.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 821e4c194c721f6f40b6a63b71229677.exe
  Resource: win10v2004-20231215-en
General
Target: 821e4c194c721f6f40b6a63b71229677.exe
Size: 524KB
MD5: 821e4c194c721f6f40b6a63b71229677
SHA1: 38a1eb80a5c8f32c6bb56402e5d31b357c5f648d
SHA256: b95a5e2ae5653e4de504a1d230857b40b1c251c5b832057a3f3ac67ec4cdb408
SHA512: e258c243ee8ac819ae0df8c98a1b54e416a5f1387db2402e3467d6b5c5b0135c39cd15a9486413ac5139b23b0a7a0d0893111cbc492395f362ead4aef85ee4df
SSDEEP: 12288:UK3D4laljl9uZ9QWAx2NwX1itI8qT3ABt2tW3OKFHE4PA7n:7VVQ6x2GaI8eIR3OKtE4P
Malware Config
Extracted (xtremerat): keohack.no-ip.biz
Signatures
Detect XtremeRAT payload (9 IoCs)
resource: yara_rule
- behavioral1/memory/2408-9-0x0000000010000000-0x00000000100C5000-memory.dmp: family_xtremerat
- behavioral1/memory/2584-12-0x0000000010000000-0x00000000100C5000-memory.dmp: family_xtremerat
- behavioral1/memory/2408-16-0x0000000010000000-0x00000000100C5000-memory.dmp: family_xtremerat
- behavioral1/memory/2736-15-0x0000000010000000-0x00000000100C5000-memory.dmp: family_xtremerat
- behavioral1/memory/2736-24-0x0000000010000000-0x00000000100C5000-memory.dmp: family_xtremerat
- behavioral1/memory/2736-23-0x0000000010000000-0x00000000100C5000-memory.dmp: family_xtremerat
- behavioral1/memory/2736-28-0x0000000010000000-0x00000000100C5000-memory.dmp: family_xtremerat
- behavioral1/memory/2584-31-0x0000000010000000-0x00000000100C5000-memory.dmp: family_xtremerat
- behavioral1/memory/2600-33-0x0000000001EC0000-0x0000000001F40000-memory.dmp: family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description / ioc / process:
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W8T14QPY-7Y46-5QEV-21J8-V8SC54R564PN} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W8T14QPY-7Y46-5QEV-21J8-V8SC54R564PN}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe restart" (explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W8T14QPY-7Y46-5QEV-21J8-V8SC54R564PN} (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W8T14QPY-7Y46-5QEV-21J8-V8SC54R564PN}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe" (svchost.exe)
Executes dropped EXE (2 IoCs)
pid / process:
- 2408: MINEEE~1.EXE
- 2600: ACELER~1.EXE
Adds Run key to start application (2 TTPs, 5 IoCs)
description / ioc / process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (821e4c194c721f6f40b6a63b71229677.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe" (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe" (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe" (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe" (svchost.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoCs)
pid / process:
- 2736: explorer.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description (pid, process, procid_target):
- PID 1756 wrote to memory of 2408 (1756, 821e4c194c721f6f40b6a63b71229677.exe, 28)
- PID 1756 wrote to memory of 2408 (1756, 821e4c194c721f6f40b6a63b71229677.exe, 28)
- PID 1756 wrote to memory of 2408 (1756, 821e4c194c721f6f40b6a63b71229677.exe, 28)
- PID 1756 wrote to memory of 2408 (1756, 821e4c194c721f6f40b6a63b71229677.exe, 28)
- PID 2408 wrote to memory of 2584 (2408, MINEEE~1.EXE, 29)
- PID 2408 wrote to memory of 2584 (2408, MINEEE~1.EXE, 29)
- PID 2408 wrote to memory of 2584 (2408, MINEEE~1.EXE, 29)
- PID 2408 wrote to memory of 2584 (2408, MINEEE~1.EXE, 29)
- PID 2408 wrote to memory of 2584 (2408, MINEEE~1.EXE, 29)
- PID 2408 wrote to memory of 2736 (2408, MINEEE~1.EXE, 30)
- PID 2408 wrote to memory of 2736 (2408, MINEEE~1.EXE, 30)
- PID 2408 wrote to memory of 2736 (2408, MINEEE~1.EXE, 30)
- PID 2408 wrote to memory of 2736 (2408, MINEEE~1.EXE, 30)
- PID 2408 wrote to memory of 2736 (2408, MINEEE~1.EXE, 30)
- PID 1756 wrote to memory of 2600 (1756, 821e4c194c721f6f40b6a63b71229677.exe, 31)
- PID 1756 wrote to memory of 2600 (1756, 821e4c194c721f6f40b6a63b71229677.exe, 31)
- PID 1756 wrote to memory of 2600 (1756, 821e4c194c721f6f40b6a63b71229677.exe, 31)
- PID 2600 wrote to memory of 3036 (2600, ACELER~1.EXE, 32)
- PID 2600 wrote to memory of 3036 (2600, ACELER~1.EXE, 32)
- PID 2600 wrote to memory of 3036 (2600, ACELER~1.EXE, 32)
Processes
1. C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe (command line: "C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe"), PID 1756
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE (command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE), PID 2408
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe (command line: svchost.exe), PID 2584
         - Modifies Installed Components in the registry
         - Adds Run key to start application
      3. C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID 2736
         - Modifies Installed Components in the registry
         - Adds Run key to start application
         - Suspicious use of SetWindowsHookEx
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACELER~1.EXE (command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACELER~1.EXE), PID 2600
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe (command line: dw20.exe -x -s 412), PID 3036
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 186KB
  MD5: 90ad798c72c142c27204801a41483630
  SHA1: ae45cb70ac04c135fc5f1bd1f5eb5093ef9bf676
  SHA256: ec5e60507ed862673894935dcc2c7dfd281b166ab5480e094991d3a8779ce665
  SHA512: f12c32c801124ec13efd0f48c434e96194352af0d2dcac29d5f611ece31ba62d812242970be45a7f7cdea4372db980e1ae6f353a1f61a34a2bee7e093e22f037
- Filesize: 95KB
  MD5: 873a2bcda208068625b9a744f4062a29
  SHA1: f5a306be7467e86ac4fd21d1ea1e319f3e196b89
  SHA256: 9aaceb5705833ab09ad60bbdf6c41b7d4175d3d2b0b74133037595b2db0f4441
  SHA512: e0d828d82adb69d8dc4a921ceda03844abbacdb12daa621a697eb8954815948b58f966766ccbc2a15809c2ae4d245dbcf74684484aa4e5f407ae7e9eacf09a96
- Filesize: 531KB
  MD5: 3ded0d9f3644be4ee425101d53c9d531
  SHA1: c19997e0c8da2243beb858d8d4e992710718705f
  SHA256: bfc0210ee77bb884d89be9c24dff0f44866355dfbfb5eae0d1d2a5c93d908467
  SHA512: 5643a5828206ae6e92f3cc52ac1d35284b1ae2a81549a31f6d25d1e209bdb4222ccb114a6ea6d62936ad431775ecce8905421a62055f653c3503c764a38a1bd1