Analysis

  • max time kernel
    124s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2024 23:42

General

  • Target

    7b9731b71c1b7f94c0747406687c9f72.exe

  • Size

    85KB

  • MD5

    7b9731b71c1b7f94c0747406687c9f72

  • SHA1

    24954377aba04ef528e8bee20ed1312ab2bfc0b4

  • SHA256

    8edf305ce7e4270c8d111fd9172b4168fbcf63e6bd7a53b937eb90d6b069d1b2

  • SHA512

    5071d35e13641a4ee2f6ada576dcbbd52b86b200fc82aa5e1786ac0e4f532069440718a08d47706a476b4bdc1683942e5a0ea458935ef4094e0a59e8366d784a

  • SSDEEP

    768:28m1Sq4NQErBsH1RzoisBKQI6dObAG/dq8uW29Ifnca/yyR+P2ujfGiZKPA+7Xoh:Esq+QVcrObAdXWpf/y+7ozNwiGfEftog

Malware Config

Extracted

Family

xtremerat

C2

esam2at.no-ip.biz

Signatures

  • Detect XtremeRAT payload 3 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b9731b71c1b7f94c0747406687c9f72.exe
    "C:\Users\Admin\AppData\Local\Temp\7b9731b71c1b7f94c0747406687c9f72.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
        PID:4240
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 480
          3⤵
          • Program crash
          PID:3572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 488
          3⤵
          • Program crash
          PID:1116
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        2⤵
          PID:1196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4240 -ip 4240
        1⤵
          PID:840
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4240 -ip 4240
          1⤵
            PID:2368

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/2492-1-0x0000000010000000-0x000000001004F000-memory.dmp

            Filesize

            316KB

          • memory/4240-0-0x0000000010000000-0x000000001004F000-memory.dmp

            Filesize

            316KB

          • memory/4240-2-0x0000000010000000-0x000000001004F000-memory.dmp

            Filesize

            316KB