Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2024 03:27

General

  • Target

    7ec3398e4abc142e218b6850fb3bd659.exe

  • Size

    52KB

  • MD5

    7ec3398e4abc142e218b6850fb3bd659

  • SHA1

    2e04288a95dbe1f24c56df7d04d191f6c40db0de

  • SHA256

    0e294545adcade01b253ee9cec5688e2513559f6384fdcace9bb4701cb480db1

  • SHA512

    513e22cb576d1ed0d9d07a86f1f2975f160e856384d271ad7de8a5235b867e2fdbecc494e9958761f6174211091c1b81cd1915ae4871fbd35312cad66f3dec85

  • SSDEEP

    768:xav20XVFaBDVKLgvdwv3/zL7DZdi7NVCU7Dt8E4ukOt8E4ukO:Yvv+BVKLg+v3H71sKYfdf

Malware Config

Extracted

Family

xtremerat

C2

esam2at.no-ip.biz

Signatures

  • Detect XtremeRAT payload 4 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ec3398e4abc142e218b6850fb3bd659.exe
    "C:\Users\Admin\AppData\Local\Temp\7ec3398e4abc142e218b6850fb3bd659.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
        PID:3676
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 480
          3⤵
          • Program crash
          PID:4948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 488
          3⤵
          • Program crash
          PID:2136
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        2⤵
          PID:4128
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3676 -ip 3676
        1⤵
          PID:5100
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3676 -ip 3676
          1⤵
            PID:1900

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/2780-0-0x0000000010000000-0x0000000010055000-memory.dmp

            Filesize

            340KB

          • memory/2780-1-0x0000000010000000-0x0000000010055000-memory.dmp

            Filesize

            340KB

          • memory/2780-3-0x0000000010000000-0x0000000010055000-memory.dmp

            Filesize

            340KB

          • memory/3676-2-0x0000000010000000-0x0000000010055000-memory.dmp

            Filesize

            340KB

          • memory/3676-4-0x0000000010000000-0x0000000010055000-memory.dmp

            Filesize

            340KB