Analysis

  • max time kernel
    148s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-01-2024 07:03

General

  • Target

    7f3288ccbcf8a013ab271528d5592fd2.exe

  • Size

    538KB

  • MD5

    7f3288ccbcf8a013ab271528d5592fd2

  • SHA1

    ae67dc40bfa75756af5d6b63168bdba9f9fc3d63

  • SHA256

    52b4760df29374cf59babed736100e689a10ecf9a8ab651d28010f6489fb4e46

  • SHA512

    7a31e4d5ad204ef70803ad6e9aa2ab80eb2d4bcf04f11a24033c171b9820742edc8fa79b2e4dacc4f5103369067baa303b77722613509319c2e35e54da57731a

  • SSDEEP

    12288:7E6SXHwL6D6N7fn5nPKK/lGRgOUqmq9kR6lhKX0d2eaG7OElJlW:Y6SXtD6Rn5PKK/cRgOnmq9g6Ser7OElO

Malware Config

Signatures

  • Detect XtremeRAT payload 6 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with the open-source UPX packer, including modified UPX variants.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe
    "C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe
      "C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe
        3⤵
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1204
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          PID:5632
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:6056
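
Added triage example, not code from the sandbox report: the process list below is transcribed from the Processes section above (PIDs, image paths, and the per-process signature flags; the parent links follow the tree's depth markers). The Proc record, the rule names and the find_injection_chains / persistence_pids helpers are my own. It encodes the three things a responder should pull out of this tree: the sample re-launching its own image twice with SetThreadContext plus WriteProcessMemory (process hollowing), the remote writes from PID 1204 into two svchost.exe children, and which processes wrote the autostart entries.

```python
"""Flag injection and persistence patterns in a sandbox process tree.

Added example, not code from the sandbox report: the PROCS list below is
transcribed from the Processes section (PIDs, image paths, per-process
signature flags; parent links from the depth markers). The record and
rule names are my own.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    flags: Set[str] = field(default_factory=set)


# Constructed from the report's process tree.
PROCS: List[Proc] = [
    Proc(2228, None, SAMPLE, {"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}),
    Proc(1148, 2228, SAMPLE, {"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}),
    Proc(1204, 1148, SAMPLE, {"ModifiesInstalledComponents", "AddsRunKey",
                              "DropsFileInSystem32", "WriteProcessMemory"}),
    Proc(5632, 1204, SVCHOST, {"ModifiesInstalledComponents", "AddsRunKey"}),
    Proc(6056, 1204, SVCHOST, {"SetWindowsHookEx"}),
]

HOLLOW_APIS = {"SetThreadContext", "WriteProcessMemory"}
# "Adds Run key" and "Modifies Installed Components" (the Active Setup key) are
# the two autostart mechanisms the report flags.
PERSISTENCE_FLAGS = {"AddsRunKey", "ModifiesInstalledComponents"}

Finding = Tuple[str, int, int]  # (rule, parent pid, child pid)


def find_injection_chains(procs: List[Proc]) -> List[Finding]:
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []
    for child in procs:
        parent = by_pid.get(child.ppid) if child.ppid is not None else None
        if parent is None:
            continue
        same_image = parent.image.lower() == child.image.lower()
        # Rule 1: a parent that spawns its own image and uses SetThreadContext plus
        # WriteProcessMemory matches process hollowing (child started suspended,
        # its image replaced, then resumed through a rewritten thread context).
        if same_image and HOLLOW_APIS <= parent.flags:
            findings.append(("self_hollow", parent.pid, child.pid))
        # Rule 2: WriteProcessMemory in the parent with a child of a different
        # image is a remote write into that child.
        if not same_image and "WriteProcessMemory" in parent.flags:
            findings.append(("remote_write", parent.pid, child.pid))
        # Rule 3: a real svchost.exe is started by services.exe; any other parent
        # marks it as an injection host, whatever the API flags say.
        if child.image.lower().endswith("\\svchost.exe") and \
                not parent.image.lower().endswith("\\services.exe"):
            findings.append(("svchost_parent_anomaly", parent.pid, child.pid))
    return findings


def persistence_pids(procs: List[Proc]) -> Set[int]:
    """PIDs that wrote an autostart entry (Run key or Installed Components)."""
    return {p.pid for p in procs if p.flags & PERSISTENCE_FLAGS}


if __name__ == "__main__":
    for rule, parent, child in find_injection_chains(PROCS):
        print(f"{rule:24s} {parent} -> {child}")
    print("persistence:", sorted(persistence_pids(PROCS)))
```

Rule 1 fires twice here (2228 -> 1148 and 1148 -> 1204), which is why the signature "Detect XtremeRAT payload" hits in memory of the re-launched copies rather than in the packed file on disk; rules 2 and 3 both fire for PIDs 5632 and 6056, and only 1204 and 5632 touch the autostart keys.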

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Gy7rQ.xtr

    Filesize

    150KB

    MD5

    ee68d9b3b9f4332079680c4544405475

    SHA1

    e4f1e83b54b09333daca10659d86fbc8a265ac1a

    SHA256

    f64ea01ec8f45635701f8c42a225462eca8b3188f66bd55c9150b44254e7a32e

    SHA512

    a0c6488c80703d71f05c0a5498fe5d347468722d6be0619f3d8d424172219c88ed057b2f27793126e5c2275696d5bd2019bce1630bcf96d0a26f91e7f41a5787

  • C:\Windows\SysWOW64\InstallDir\Server.exe

    Filesize

    538KB

    MD5

    7f3288ccbcf8a013ab271528d5592fd2

    SHA1

    ae67dc40bfa75756af5d6b63168bdba9f9fc3d63

    SHA256

    52b4760df29374cf59babed736100e689a10ecf9a8ab651d28010f6489fb4e46

    SHA512

    7a31e4d5ad204ef70803ad6e9aa2ab80eb2d4bcf04f11a24033c171b9820742edc8fa79b2e4dacc4f5103369067baa303b77722613509319c2e35e54da57731a

  • memory/1148-35-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1148-41-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1148-48-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1204-46-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1204-49-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1204-59-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1204-52-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/1204-51-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/2228-23-0x0000000002D20000-0x0000000002D21000-memory.dmp

    Filesize

    4KB

  • memory/2228-27-0x0000000002250000-0x0000000002251000-memory.dmp

    Filesize

    4KB

  • memory/2228-8-0x0000000002A40000-0x0000000002A41000-memory.dmp

    Filesize

    4KB

  • memory/2228-9-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

    Filesize

    4KB

  • memory/2228-13-0x0000000003B60000-0x0000000003B63000-memory.dmp

    Filesize

    12KB

  • memory/2228-14-0x0000000002B40000-0x0000000002B41000-memory.dmp

    Filesize

    4KB

  • memory/2228-12-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

    Filesize

    4KB

  • memory/2228-10-0x0000000003B70000-0x0000000003B71000-memory.dmp

    Filesize

    4KB

  • memory/2228-15-0x0000000002B30000-0x0000000002B31000-memory.dmp

    Filesize

    4KB

  • memory/2228-17-0x0000000002B60000-0x0000000002B61000-memory.dmp

    Filesize

    4KB

  • memory/2228-16-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

    Filesize

    4KB

  • memory/2228-18-0x0000000002B10000-0x0000000002B11000-memory.dmp

    Filesize

    4KB

  • memory/2228-20-0x0000000002D00000-0x0000000002D01000-memory.dmp

    Filesize

    4KB

  • memory/2228-19-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

    Filesize

    4KB

  • memory/2228-22-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

    Filesize

    4KB

  • memory/2228-21-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

    Filesize

    4KB

  • memory/2228-4-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

    Filesize

    4KB

  • memory/2228-24-0x0000000002D40000-0x0000000002D41000-memory.dmp

    Filesize

    4KB

  • memory/2228-25-0x0000000002B50000-0x0000000002B51000-memory.dmp

    Filesize

    4KB

  • memory/2228-26-0x0000000002240000-0x0000000002241000-memory.dmp

    Filesize

    4KB

  • memory/2228-28-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

    Filesize

    4KB

  • memory/2228-7-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

    Filesize

    4KB

  • memory/2228-29-0x0000000003B90000-0x0000000003B91000-memory.dmp

    Filesize

    4KB

  • memory/2228-30-0x0000000003B80000-0x0000000003B81000-memory.dmp

    Filesize

    4KB

  • memory/2228-31-0x0000000003C20000-0x0000000003C21000-memory.dmp

    Filesize

    4KB

  • memory/2228-32-0x0000000003C10000-0x0000000003C11000-memory.dmp

    Filesize

    4KB

  • memory/2228-34-0x0000000003C50000-0x0000000003C51000-memory.dmp

    Filesize

    4KB

  • memory/2228-33-0x0000000003C60000-0x0000000003C61000-memory.dmp

    Filesize

    4KB

  • memory/2228-36-0x0000000003C80000-0x0000000003C81000-memory.dmp

    Filesize

    4KB

  • memory/2228-37-0x0000000003C70000-0x0000000003C71000-memory.dmp

    Filesize

    4KB

  • memory/2228-38-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

    Filesize

    4KB

  • memory/2228-6-0x0000000002A00000-0x0000000002A01000-memory.dmp

    Filesize

    4KB

  • memory/2228-3-0x0000000002A10000-0x0000000002A11000-memory.dmp

    Filesize

    4KB

  • memory/2228-40-0x0000000003C90000-0x0000000003C91000-memory.dmp

    Filesize

    4KB

  • memory/2228-42-0x0000000000400000-0x00000000004E7000-memory.dmp

    Filesize

    924KB

  • memory/2228-44-0x0000000002A60000-0x0000000002AC0000-memory.dmp

    Filesize

    384KB

  • memory/2228-0-0x0000000000400000-0x00000000004E7000-memory.dmp

    Filesize

    924KB

  • memory/2228-2-0x0000000002A20000-0x0000000002A21000-memory.dmp

    Filesize

    4KB

  • memory/2228-1-0x0000000002A60000-0x0000000002AC0000-memory.dmp

    Filesize

    384KB

  • memory/5632-56-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/6056-58-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB

  • memory/6056-61-0x0000000000C80000-0x0000000000C96000-memory.dmp

    Filesize

    88KB
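
Added analysis example, not code from the sandbox report: it parses the memory/<pid>-<seq>-<start>-<end>-memory.dmp identifiers listed above. DUMPS is a constructed subset of those entries (the 0x400000 image regions of PIDs 2228 and 1148, the 0xC80000 region seen in 1204, 5632 and 6056, and two of the 4KB scratch regions); the helper names are mine. It recovers the sizes the report prints from the address ranges and surfaces two facts worth noting: the re-launched copy (1148) carries a 100KB image at 0x400000 where its parent (2228) had 924KB, and the identical 88KB region sits at the same address in three different processes.

```python
"""Group the report's memory-dump identifiers by process and region.

Added example, not code from the sandbox report. DUMPS is a constructed
subset of the memory/... entries listed above; the helper names are mine.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

DUMPS: List[str] = [
    "memory/2228-0-0x0000000000400000-0x00000000004E7000-memory.dmp",
    "memory/2228-1-0x0000000002A60000-0x0000000002AC0000-memory.dmp",
    "memory/2228-2-0x0000000002A20000-0x0000000002A21000-memory.dmp",
    "memory/2228-42-0x0000000000400000-0x00000000004E7000-memory.dmp",
    "memory/1148-35-0x0000000000400000-0x0000000000419000-memory.dmp",
    "memory/1148-48-0x0000000000400000-0x0000000000419000-memory.dmp",
    "memory/1204-46-0x0000000000C80000-0x0000000000C96000-memory.dmp",
    "memory/1204-59-0x0000000000C80000-0x0000000000C96000-memory.dmp",
    "memory/5632-56-0x0000000000C80000-0x0000000000C96000-memory.dmp",
    "memory/6056-58-0x0000000000C80000-0x0000000000C96000-memory.dmp",
    "memory/6056-61-0x0000000000C80000-0x0000000000C96000-memory.dmp",
]

Region = Tuple[int, int]


def parse_dump(name: str) -> Tuple[int, int, int, int]:
    """Return (pid, sequence number, start address, end address)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump identifier: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def region_size_kb(start: int, end: int) -> int:
    """Size as the report prints it (whole KB of the address range)."""
    return (end - start) // 1024


def regions_by_pid(names: Iterable[str]) -> Dict[int, Set[Region]]:
    out: Dict[int, Set[Region]] = defaultdict(set)
    for n in names:
        pid, _, start, end = parse_dump(n)
        out[pid].add((start, end))
    return dict(out)


def image_base_sizes(names: Iterable[str], base: int = 0x400000) -> Dict[int, int]:
    """KB mapped at the usual 32-bit image base, per PID. A child whose
    0x400000 region differs in size from its parent's is no longer running
    the image it was started with, which is what hollowing leaves behind."""
    out: Dict[int, int] = {}
    for pid, regs in regions_by_pid(names).items():
        for start, end in regs:
            if start == base:
                out[pid] = region_size_kb(start, end)
    return out


def shared_regions(names: Iterable[str], min_pids: int = 2) -> Dict[Region, Set[int]]:
    """Identical (start, end) regions dumped from several processes, which is
    consistent with one payload written into each of them at the same address."""
    seen: Dict[Region, Set[int]] = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for r in regs:
            seen[r].add(pid)
    return {r: pids for r, pids in seen.items() if len(pids) >= min_pids}


if __name__ == "__main__":
    print("image base sizes (KB):", image_base_sizes(DUMPS))
    for (start, end), pids in shared_regions(DUMPS).items():
        print(f"0x{start:X}-0x{end:X} ({region_size_kb(start, end)}KB) in PIDs {sorted(pids)}")
```

The 924KB region of PID 2228 is the UPX-packed sample mapped as loaded; the 100KB region at the same base in PID 1148 is the image the parent wrote over it, and the 88KB region shared by 1204, 5632 and 6056 is the natural place to look when carving the injected module for the svchost.exe hosts.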