Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-01-2024 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: 7f3288ccbcf8a013ab271528d5592fd2.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7f3288ccbcf8a013ab271528d5592fd2.exe
  Resource: win10v2004-20231215-en
General
Target: 7f3288ccbcf8a013ab271528d5592fd2.exe
Size: 538KB
MD5: 7f3288ccbcf8a013ab271528d5592fd2
SHA1: ae67dc40bfa75756af5d6b63168bdba9f9fc3d63
SHA256: 52b4760df29374cf59babed736100e689a10ecf9a8ab651d28010f6489fb4e46
SHA512: 7a31e4d5ad204ef70803ad6e9aa2ab80eb2d4bcf04f11a24033c171b9820742edc8fa79b2e4dacc4f5103369067baa303b77722613509319c2e35e54da57731a
SSDEEP: 12288:7E6SXHwL6D6N7fn5nPKK/lGRgOUqmq9kR6lhKX0d2eaG7OElJlW:Y6SXtD6Rn5PKK/cRgOnmq9g6Ser7OElO
Malware Config
Signatures
-
Detect XtremeRAT payload (6 IoCs)
resource | yara_rule
behavioral1/memory/2784-52-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/2784-53-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/2660-59-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/2772-63-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/2784-64-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
behavioral1/memory/2772-66-0x0000000000C80000-0x0000000000C96000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | 7f3288ccbcf8a013ab271528d5592fd2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" | 7f3288ccbcf8a013ab271528d5592fd2.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" | svchost.exe
-
resource | yara_rule
behavioral1/memory/2784-41-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2784-42-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2784-46-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2784-50-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2784-52-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2784-53-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2660-59-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2772-63-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2784-64-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
behavioral1/memory/2772-66-0x0000000000C80000-0x0000000000C96000-memory.dmp | upx
-
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" | 7f3288ccbcf8a013ab271528d5592fd2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" | 7f3288ccbcf8a013ab271528d5592fd2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" | svchost.exe
-
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\InstallDir\Server.exe | 7f3288ccbcf8a013ab271528d5592fd2.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\Server.exe | 7f3288ccbcf8a013ab271528d5592fd2.exe
-
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2444 set thread context of 2744 | 2444 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 28
PID 2744 set thread context of 2784 | 2744 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 29
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2444 | 7f3288ccbcf8a013ab271528d5592fd2.exe
2744 | 7f3288ccbcf8a013ab271528d5592fd2.exe
2772 | svchost.exe
-
Suspicious use of WriteProcessMemory (27 IoCs; identical rows collapsed with a count)
description | pid | Process | procid_target | count
PID 2444 wrote to memory of 2744 | 2444 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 28 | 9
PID 2744 wrote to memory of 2784 | 2744 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 29 | 8
PID 2784 wrote to memory of 2660 | 2784 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 30 | 5
PID 2784 wrote to memory of 2772 | 2784 | 7f3288ccbcf8a013ab271528d5592fd2.exe | 31 | 5
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2444
  Depth 2: C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2744
    Depth 3: C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 2784
      Depth 4: C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        - Modifies Installed Components in the registry
        - Adds Run key to start application
        PID: 2660
      Depth 4: C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        - Suspicious use of SetWindowsHookEx
        PID: 2772
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 32KB
MD5: 6bd1be293735a234ab9c691598353422
SHA1: 9824ef8f18a6a2c35aad8f598cdb4aaf887a54a4
SHA256: 42f6aeea5f4771233f06d1d3f05fd51ea5221c494b1828dd2fa3e53ba635ae00
SHA512: 5395587c3597db73424a667e0c5d8580c422f3feb1c7eb9b7987c28d8354621668bfdd57786f980ace21e2b1cc7274000a35521cd56e01c3169225db87ca761a