Analysis
max time kernel: 148s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2024 07:03

Static task: static1
Behavioral task: behavioral1
  Sample: 7f3288ccbcf8a013ab271528d5592fd2.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7f3288ccbcf8a013ab271528d5592fd2.exe
  Resource: win10v2004-20231215-en

General
Target: 7f3288ccbcf8a013ab271528d5592fd2.exe
Size: 538KB
MD5: 7f3288ccbcf8a013ab271528d5592fd2
SHA1: ae67dc40bfa75756af5d6b63168bdba9f9fc3d63
SHA256: 52b4760df29374cf59babed736100e689a10ecf9a8ab651d28010f6489fb4e46
SHA512: 7a31e4d5ad204ef70803ad6e9aa2ab80eb2d4bcf04f11a24033c171b9820742edc8fa79b2e4dacc4f5103369067baa303b77722613509319c2e35e54da57731a
SSDEEP: 12288:7E6SXHwL6D6N7fn5nPKK/lGRgOUqmq9kR6lhKX0d2eaG7OElJlW:Y6SXtD6Rn5PKK/cRgOnmq9g6Ser7OElO
Malware Config
Signatures
Detect XtremeRAT payload (6 IoCs)
yara rule family_xtremerat matched in:
  behavioral2/memory/1204-51-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/1204-52-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/5632-56-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/6056-58-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/1204-59-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/6056-61-0x0000000000C80000-0x0000000000C96000-memory.dmp
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi. Note that the rule fires on the same 0x0000000000C80000-0x0000000000C96000 region in the sample's own third-stage process (PID 1204) and in both spawned svchost.exe processes (PIDs 5632 and 6056), which is consistent with the unpacked payload being copied into the svchost.exe hosts rather than loaded from disk.
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart"  by 7f3288ccbcf8a013ab271528d5592fd2.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}  by svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart"  by svchost.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}  by 7f3288ccbcf8a013ab271528d5592fd2.exe
yara rule upx matched in (8 IoCs):
  behavioral2/memory/1204-46-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/1204-49-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/1204-51-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/1204-52-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/5632-56-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/6056-58-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/1204-59-0x0000000000C80000-0x0000000000C96000-memory.dmp
  behavioral2/memory/6056-61-0x0000000000C80000-0x0000000000C96000-memory.dmp
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe"  by 7f3288ccbcf8a013ab271528d5592fd2.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe"  by 7f3288ccbcf8a013ab271528d5592fd2.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe"  by svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe"  by svchost.exe
Drops file in System32 directory (2 IoCs)
  File opened for modification  C:\Windows\SysWOW64\InstallDir\Server.exe  by 7f3288ccbcf8a013ab271528d5592fd2.exe
  File created                  C:\Windows\SysWOW64\InstallDir\Server.exe  by 7f3288ccbcf8a013ab271528d5592fd2.exe
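The three signatures above are the sample's persistence: an Active Setup StubPath (run at logon for every user whose HKCU Installed Components hive does not yet carry the GUID), Run values oddly named "HKLM" and "HKCU", and the dropped Server.exe in a sub-directory created under System32. The registry data says system32 while the file IoC says SysWOW64 because the sample is 32-bit (it writes under WOW6432Node) and WOW64 file-system redirection maps its view of system32 to SysWOW64. The script below is an added example, not code from the sandbox report or from XtremeRAT: it classifies registry set-value events of the shape shown above and flags those patterns. The event tuples are constructed from the report's IoCs, the OneDrive control entry is invented as a benign case, and the ATT&CK sub-technique ids (T1547.014 Active Setup, T1547.001 Run keys) are assigned here by hand.

```python
import re

# Constructed sample events modelled on the registry IoCs in the report
# (this is not the sandbox's own export format). Fields:
# (key path, value name, value data, writing process).
SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}",
     "StubPath", r"C:\Windows\system32\InstallDir\Server.exe restart",
     "7f3288ccbcf8a013ab271528d5592fd2.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "HKLM", r"C:\Windows\system32\InstallDir\Server.exe", "svchost.exe"),
    (r"\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "HKCU", r"C:\Windows\system32\InstallDir\Server.exe", "svchost.exe"),
    # Invented benign control: an ordinary Run entry pointing under Program Files.
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
     "OneDriveSetup.exe"),
]

ACTIVE_SETUP_RE = re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# An executable in a sub-directory *below* System32/SysWOW64 (system32\InstallDir\Server.exe).
# Genuine system binaries sit directly in System32, so an extra directory level is a signal.
# A 32-bit writer's "system32" lands in SysWOW64 on disk through WOW64 redirection.
SYS32_SUBDIR_RE = re.compile(r"^[a-z]:\\windows\\sys(tem32|wow64)\\[^\\]+\\.+\.exe$", re.I)


def hive(key):
    """Translate native \\REGISTRY\\... paths to the usual hive names."""
    if key.upper().startswith(r"\REGISTRY\MACHINE"):
        return "HKLM"
    if key.upper().startswith(r"\REGISTRY\USER"):
        return "HKU"
    return key.split("\\")[1] if key.startswith("\\") else key.split("\\")[0]


def image_path(data):
    """Pull the executable path out of a command line, quoted or not."""
    m = re.match(r'^"?(.*?\.exe)"?', data, re.I)
    return m.group(1) if m else data


def classify(event):
    """Return a finding dict for a persistence-looking write, else None."""
    key, name, data, proc = event
    exe = image_path(data)
    technique, reasons = None, []
    if ACTIVE_SETUP_RE.search(key) and name.lower() == "stubpath":
        technique = "T1547.014"   # Active Setup StubPath, runs at next logon
        reasons.append("StubPath written by a non-installer process")
    elif RUN_KEY_RE.search(key):
        technique = "T1547.001"   # Run / RunOnce keys
        if name.upper() in ("HKLM", "HKCU"):
            reasons.append("Run value named after a hive (naming seen in this XtremeRAT sample)")
        if proc.lower() == "svchost.exe":
            reasons.append("svchost.exe does not normally create Run values")
    if technique and SYS32_SUBDIR_RE.match(exe):
        reasons.append("executable lives in a custom sub-directory of System32")
    if technique and reasons:
        return {"technique": technique, "hive": hive(key), "value": name,
                "image": exe, "process": proc, "reasons": reasons}
    return None


def scan(events):
    return [f for f in map(classify, events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["technique"], f["hive"], f["value"], f["image"], "|", "; ".join(f["reasons"]))
```

On a live host the same checks translate directly into enumerating HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\*\StubPath and the Run keys of every loaded user hive; any StubPath or Run value whose image sits one directory below System32 deserves a look regardless of the GUID.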
Suspicious use of SetThreadContext (2 IoCs)
  PID 2228 set thread context of 1148  (7f3288ccbcf8a013ab271528d5592fd2.exe, procid_target 86)
  PID 1148 set thread context of 1204  (7f3288ccbcf8a013ab271528d5592fd2.exe, procid_target 87)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 2228  7f3288ccbcf8a013ab271528d5592fd2.exe
  PID 1148  7f3288ccbcf8a013ab271528d5592fd2.exe
  PID 6056  svchost.exe
Suspicious use of WriteProcessMemory (24 IoCs, repeated rows collapsed)
  PID 2228 wrote to memory of 1148  (7f3288ccbcf8a013ab271528d5592fd2.exe, procid_target 86)  x8
  PID 1148 wrote to memory of 1204  (7f3288ccbcf8a013ab271528d5592fd2.exe, procid_target 87)  x8
  PID 1204 wrote to memory of 5632  (7f3288ccbcf8a013ab271528d5592fd2.exe, procid_target 88)  x4
  PID 1204 wrote to memory of 6056  (7f3288ccbcf8a013ab271528d5592fd2.exe, procid_target 89)  x4
Processes
[1] C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe  (PID 2228)
    command line: "C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe  (PID 1148)
      command line: "C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe  (PID 1204)
        - Modifies Installed Components in the registry
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\svchost.exe  (PID 5632)
          command line: svchost.exe
          - Modifies Installed Components in the registry
          - Adds Run key to start application
      [4] C:\Windows\SysWOW64\svchost.exe  (PID 6056)
          command line: svchost.exe
          - Suspicious use of SetWindowsHookEx
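Read together, the process tree and the SetThreadContext/WriteProcessMemory rows describe a three-stage chain: 2228 writes into and redirects the main thread of a second copy of itself (1148), which does the same to a third copy (1204); 1204 then writes into two svchost.exe processes it spawned, one of which (6056) goes on to install a Windows hook. That write-then-SetThreadContext pairing on a child is the observable half of classic process hollowing (the unmap and ResumeThread steps are not logged here, so the pairs are candidates rather than proof). The script below is an added example, not code from the sandbox report or from XtremeRAT: it parses rows in the report's format, pairs the two API calls per (source, target) pid, flags hollowing candidates and svchost.exe hosts that were not started by services.exe, and reconstructs the injection chain. The process table and event lines are constructed from the report above with repeated rows collapsed; the ATT&CK ids (T1055.012 process hollowing, T1055 process injection) are assigned here by hand.

```python
import re
from collections import defaultdict

# Constructed process table modelled on the process tree in the report:
# pid -> (parent pid, image name). Not the sandbox's own export format.
PROCESSES = {
    2228: (None, "7f3288ccbcf8a013ab271528d5592fd2.exe"),
    1148: (2228, "7f3288ccbcf8a013ab271528d5592fd2.exe"),
    1204: (1148, "7f3288ccbcf8a013ab271528d5592fd2.exe"),
    5632: (1204, "svchost.exe"),
    6056: (1204, "svchost.exe"),
}

# Constructed API-event lines in the shape of the report's "Suspicious use of
# SetThreadContext / WriteProcessMemory" rows, repeated rows collapsed to one.
EVENT_LINES = """
PID 2228 set thread context of 1148 2228 7f3288ccbcf8a013ab271528d5592fd2.exe 86
PID 1148 set thread context of 1204 1148 7f3288ccbcf8a013ab271528d5592fd2.exe 87
PID 2228 wrote to memory of 1148 2228 7f3288ccbcf8a013ab271528d5592fd2.exe 86
PID 1148 wrote to memory of 1204 1148 7f3288ccbcf8a013ab271528d5592fd2.exe 87
PID 1204 wrote to memory of 5632 1204 7f3288ccbcf8a013ab271528d5592fd2.exe 88
PID 1204 wrote to memory of 6056 1204 7f3288ccbcf8a013ab271528d5592fd2.exe 89
"""

LINE_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")


def parse_events(text):
    """Map (source pid, target pid) -> set of API verbs seen between them."""
    edges = defaultdict(set)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
            edges[(src, dst)].add("write" if verb.startswith("wrote") else "setctx")
    return edges


def find_injections(edges, procs):
    """Flag pid pairs whose API pattern matches hollowing-style injection.

    WriteProcessMemory plus SetThreadContext on the same child is the visible
    part of the hollowing sequence (create suspended, write payload, redirect
    the main thread, resume). NtUnmapViewOfSection and ResumeThread are not in
    the report, so every hit is a candidate, not proof.
    """
    findings = []
    for (src, dst), verbs in sorted(edges.items()):
        src_img, dst_img = procs[src][1].lower(), procs[dst][1].lower()
        parent = procs[dst][0]
        parent_img = procs[parent][1].lower() if parent is not None else ""
        if {"write", "setctx"} <= verbs:
            kind = ("self-hollowing, unpack stage (T1055.012)" if src_img == dst_img
                    else "write + SetThreadContext into another image (T1055.012)")
        elif "write" in verbs and dst_img == "svchost.exe" and parent_img != "services.exe":
            # A legitimate svchost.exe is started by services.exe; one spawned by a
            # user binary and then written to is being used as a host process.
            kind = "payload written into spawned svchost.exe (T1055)"
        else:
            continue
        findings.append((src, dst, dst_img, kind))
    return findings


def injection_chain(edges, root, seen=None):
    """Depth-first walk of the injection edges starting at the root pid."""
    seen = [] if seen is None else seen
    seen.append(root)
    for src, dst in sorted(edges):
        if src == root and dst not in seen:
            injection_chain(edges, dst, seen)
    return seen


if __name__ == "__main__":
    edges = parse_events(EVENT_LINES)
    for src, dst, img, kind in find_injections(edges, PROCESSES):
        print(f"{src} -> {dst} ({img}): {kind}")
    print("chain:", " -> ".join(map(str, injection_chain(edges, 2228))))
```

The same pairing works on EDR telemetry: group WriteProcessMemory and SetThreadContext by (source, target) rather than alerting on either call alone, and treat a svchost.exe whose parent is not services.exe as a host process even before any injection is seen.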
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 150KB
  MD5: ee68d9b3b9f4332079680c4544405475
  SHA1: e4f1e83b54b09333daca10659d86fbc8a265ac1a
  SHA256: f64ea01ec8f45635701f8c42a225462eca8b3188f66bd55c9150b44254e7a32e
  SHA512: a0c6488c80703d71f05c0a5498fe5d347468722d6be0619f3d8d424172219c88ed057b2f27793126e5c2275696d5bd2019bce1630bcf96d0a26f91e7f41a5787
File 2 (same hashes as the submitted sample in General above)
  Filesize: 538KB
  MD5: 7f3288ccbcf8a013ab271528d5592fd2
  SHA1: ae67dc40bfa75756af5d6b63168bdba9f9fc3d63
  SHA256: 52b4760df29374cf59babed736100e689a10ecf9a8ab651d28010f6489fb4e46
  SHA512: 7a31e4d5ad204ef70803ad6e9aa2ab80eb2d4bcf04f11a24033c171b9820742edc8fa79b2e4dacc4f5103369067baa303b77722613509319c2e35e54da57731a