Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 27-01-2024 11:06
Behavioral task: behavioral1
Sample: 7a127c8ad3cd129dc1b89758c92fc546.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 7a127c8ad3cd129dc1b89758c92fc546.exe
Resource: win10v2004-20231215-en
General
Target: 7a127c8ad3cd129dc1b89758c92fc546.exe
Size: 33KB
MD5: 7a127c8ad3cd129dc1b89758c92fc546
SHA1: 483d4039519d778f5997e4e7e55a07a3f49a4b6f
SHA256: 5ac1151c2cf7ab64415e88fe0f36c9185ee122861ce1bc700522413bff8b593c
SHA512: 9227e6cc8b1d96a280260f78c472e4c4a4b5a4a7c6a9a101522b93b5ec0892b94ad69f20fcc1e961fbcf28ec611d5442b4394786769ee1fa8fe9e473ee170d66
SSDEEP: 768:fMuijtHf5g7/IIG3bGcYDBSvFIWuePQtv66lztzAdUHO:0NW71rcYDAWeotvXlB8o
Malware Config
Signatures

Detect XtremeRAT payload (3 IoCs)
resource  yara_rule
behavioral1/memory/2664-0-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral1/memory/2664-4-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral1/memory/1296-5-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat

XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

resource  yara_rule
behavioral1/memory/2664-0-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral1/memory/2664-4-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral1/memory/1296-5-0x0000000010000000-0x000000001004D000-memory.dmp  upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (10 IoCs)
description  pid  Process  procid_target
PID 2664 wrote to memory of 1296  2664  7a127c8ad3cd129dc1b89758c92fc546.exe  28
PID 2664 wrote to memory of 1296  2664  7a127c8ad3cd129dc1b89758c92fc546.exe  28
PID 2664 wrote to memory of 1296  2664  7a127c8ad3cd129dc1b89758c92fc546.exe  28
PID 2664 wrote to memory of 1296  2664  7a127c8ad3cd129dc1b89758c92fc546.exe  28
PID 2664 wrote to memory of 1296  2664  7a127c8ad3cd129dc1b89758c92fc546.exe  28
PID 2664 wrote to memory of 2408  2664  7a127c8ad3cd129dc1b89758c92fc546.exe  29
PID 2664 wrote to memory of 2408  2664  7a127c8ad3cd129dc1b89758c92fc546.exe  29
PID 2664 wrote to memory of 2408  2664  7a127c8ad3cd129dc1b89758c92fc546.exe  29
PID 2664 wrote to memory of 2408  2664  7a127c8ad3cd129dc1b89758c92fc546.exe  29
PID 2664 wrote to memory of 2408  2664  7a127c8ad3cd129dc1b89758c92fc546.exe  29
Processes
1. C:\Users\Admin\AppData\Local\Temp\7a127c8ad3cd129dc1b89758c92fc546.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a127c8ad3cd129dc1b89758c92fc546.exe"
   PID: 2664
   Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 1296
   2. C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2408