Analysis

- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-01-2024 12:36
Static task: static1

Behavioral task: behavioral1
- Sample: 7d25f10b8321bf59dc5dd65e23abacfc.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 7d25f10b8321bf59dc5dd65e23abacfc.exe
- Resource: win10v2004-20231215-en
General

- Target: 7d25f10b8321bf59dc5dd65e23abacfc.exe
- Size: 140KB
- MD5: 7d25f10b8321bf59dc5dd65e23abacfc
- SHA1: f1920081a3b49130aaf9ac3a429bf9b5b9022266
- SHA256: 42a30e607fb699b5ee46ccb50113dd80dbaaae5a1bfe4877b8848a96c60e559d
- SHA512: dd395d687978d0a15c1e26b4173b20180e397f470a15ec8deefed64d2aa769acc6199c6fbc764d11f438d02308fc91b0da2f9a79f0cac19863e2d5dd0a16997a
- SSDEEP: 3072:ltcwBbJ7WmdujrCN4N4dwfJ7WmdujrCN4N4dwL3KUeFbNJ4:ltTQONRdUQONRdM3NeFZ
Malware Config
Signatures
Detect XtremeRAT payload (3 IoCs)

resource / yara_rule:
- behavioral1/memory/2720-34-0x0000000010000000-0x000000001004D000-memory.dmp: family_xtremerat
- behavioral1/memory/2896-35-0x0000000010000000-0x000000001004D000-memory.dmp: family_xtremerat
- behavioral1/memory/2720-36-0x0000000010000000-0x000000001004D000-memory.dmp: family_xtremerat

XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Executes dropped EXE (2 IoCs)

pid / Process:
- 3056: systemk.exe
- 2896: server.exe

Loads dropped DLL (4 IoCs)

pid / Process:
- 2980: 7d25f10b8321bf59dc5dd65e23abacfc.exe (listed 4 times)

resource / yara_rule (upx, 9 matches):
- behavioral1/memory/3056-11-0x0000000010000000-0x000000001004D000-memory.dmp: upx
- behavioral1/memory/3056-12-0x0000000010000000-0x000000001004D000-memory.dmp: upx
- behavioral1/memory/3056-15-0x0000000010000000-0x000000001004D000-memory.dmp: upx
- behavioral1/files/0x0009000000015491-21.dat: upx
- behavioral1/memory/2980-23-0x0000000010000000-0x000000001004D000-memory.dmp: upx
- behavioral1/memory/2896-30-0x0000000010000000-0x000000001004D000-memory.dmp: upx
- behavioral1/memory/2720-34-0x0000000010000000-0x000000001004D000-memory.dmp: upx
- behavioral1/memory/2896-35-0x0000000010000000-0x000000001004D000-memory.dmp: upx
- behavioral1/memory/2720-36-0x0000000010000000-0x000000001004D000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 1 IoC)

- description: Set value (str)
- ioc: \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\upda88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\upda57.exe\""
- Process: 7d25f10b8321bf59dc5dd65e23abacfc.exe
Suspicious use of SetThreadContext (1 IoC)

- PID 2980 (7d25f10b8321bf59dc5dd65e23abacfc.exe) set thread context of PID 3056 (procid_target 28)
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (22 IoCs)

- PID 2980 (7d25f10b8321bf59dc5dd65e23abacfc.exe) wrote to memory of PID 3056 (procid_target 28): 8 events
- PID 2980 (7d25f10b8321bf59dc5dd65e23abacfc.exe) wrote to memory of PID 2896 (procid_target 29): 4 events
- PID 2896 (server.exe) wrote to memory of PID 2720 (procid_target 30): 5 events
- PID 2896 (server.exe) wrote to memory of PID 2876 (procid_target 31): 5 events
Processes

- C:\Users\Admin\AppData\Local\Temp\7d25f10b8321bf59dc5dd65e23abacfc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d25f10b8321bf59dc5dd65e23abacfc.exe"
  PID: 2980
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\systemk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\systemk.exe
    PID: 3056
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 2896
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2720
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2876
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 33KB
  MD5: a00121c2f045a8f12c9a51a9b3872cb5
  SHA1: 5cdec4fc03894fbe452156543f2ec4fd72368ae8
  SHA256: 438d8db46e231e9bd86b469eaaa924924ed69362008a3fc7dd589f4fc105846c
  SHA512: 98b947e4cb98085b0fbfae69230b09ea6412773c72edd9e69cea0525d2a524c79965003779e1e7aa9150a5d861e4ac9b2e722de87f4c03a54be2bee898d8c780

- Filesize: 7KB
  MD5: d79efb472a22ad75d501317b21e66b5e
  SHA1: 24512f54884d3dda2d803457bbd3dcd513356196
  SHA256: 7255b1d1f001b9d9a5177e1f8063bcc824effe3570e6c19508babe12bb73c7d6
  SHA512: 7c5a2f516a727ddeb05f9a7c6565375debb05709ac9b95212fc748cba37a2ab81b7d727636141096e4511679ce140b07b37fdf36cfb47d8d1c8accdd24163ae5