Malware Analysis Report

2025-01-02 02:12

Sample ID: 240131-qvxt3sdbh5
Target: 848d70a1a511b508aa9c8f17f11fe5b8
SHA256: 9e062a277338fa22a89096a2b3a3e83aff243a2ce2b61ce030a00eba80e5f321
Tags: xtremerat persistence rat spyware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 9e062a277338fa22a89096a2b3a3e83aff243a2ce2b61ce030a00eba80e5f321

Threat Level: Known bad

The file 848d70a1a511b508aa9c8f17f11fe5b8 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

Detect XtremeRAT payload

XtremeRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-31 13:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-31 13:35
Reported: 2024-01-31 13:38
Platform: win7-20231215-en
Max time kernel: 142s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe"

Signatures

Detect XtremeRAT payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description | Indicator | Process                                       | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\keygen.exe  | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe | N/A

Suspicious use of SetThreadContext

Description                            | Indicator | Process                                                                 | Target
PID 1996 set thread context of 2872    | N/A       | C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe | C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description                        | Indicator | Process                                                                 | Target                                        | Events
PID 1996 wrote to memory of 2312   | N/A       | C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe  | 4
PID 1996 wrote to memory of 2872   | N/A       | C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe | C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe | 14

Processes (image path, followed by the command line it was started with)

C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe
    "C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe"

C:\Users\Admin\AppData\Local\Temp\keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen.exe"

C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe
    C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe

Network

N/A

Files

memory/1996-0-0x0000000074800000-0x0000000074DAB000-memory.dmp

memory/1996-1-0x0000000074800000-0x0000000074DAB000-memory.dmp

memory/1996-2-0x00000000008D0000-0x0000000000910000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen.exe

MD5:    1c47519f7f38f1ad6dc7b66cb88a7682
SHA1:   1aaf1e6f8423ec37784f3c76495381ce032701dc
SHA256: 37505ed965ec16a970d59ea3becd1497baff6a6b1131c1b49e558695f98a1092
SHA512: 15292a0dfdb0213087c7306808d6b421be8df763410ecafc5d8e3082f4e83a3d7a7388d86db2ea0cd56ba71bce20d205f3d2fb5422df3a72fe5ea24de7aa79d7

memory/1996-11-0x00000000012D0000-0x0000000001342000-memory.dmp

memory/1996-13-0x00000000012D0000-0x0000000001342000-memory.dmp

memory/2312-15-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-16-0x0000000000020000-0x0000000000023000-memory.dmp

\Users\Admin\AppData\Local\Temp\wmpnetk.exe

MD5:    34aa912defa18c2c129f1e09d75c1d7e
SHA1:   9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

memory/2872-20-0x0000000010000000-0x000000001004A000-memory.dmp

memory/2872-22-0x0000000000400000-0x0000000000400000-memory.dmp

memory/1996-23-0x0000000074800000-0x0000000074DAB000-memory.dmp

memory/1996-24-0x00000000012D0000-0x0000000001342000-memory.dmp

memory/2312-25-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-26-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-27-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-28-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-29-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-30-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-31-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-32-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-33-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-34-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-35-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-36-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-37-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-38-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2312-39-0x0000000000400000-0x0000000000472000-memory.dmp
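The SetThreadContext and WriteProcessMemory rows in this detonation, read together with the memory-dump names listed under Files, are what establish the injection chain: PID 1996 writes into wmpnetk.exe (PID 2872) and then changes its thread context, the classic hollowing / thread-hijack sequence, whereas keygen.exe (PID 2312) only receives writes. The following Python is an added example, not part of the sandbox report or its tooling. It parses rows in exactly the report's "Description Indicator Process Target" format, correlates writes and context changes per source/target pair, and for each target flags dumped regions that start at 0x10000000 (the linker's default DLL ImageBase, used here as a heuristic for an injected module) or that have zero length. The constructed row subset, the DEFAULT_DLL_BASE heuristic and the verdict strings are my own assumptions, not output of the sandbox.

```python
"""Correlate sandbox signature rows into process-injection findings.

Added example for this report (not the sandbox's own tooling). Input lines
are constructed to mirror the 'Description Indicator Process Target' rows
and the 'memory/<pid>-<n>-<start>-<end>-memory.dmp' names used above.
"""
import re
from collections import defaultdict

# Constructed subset of the behavioral1 rows (PIDs and paths as in the report).
SIGNATURE_ROWS = r"""
PID 1996 set thread context of 2872 N/A C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe
PID 1996 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe C:\Users\Admin\AppData\Local\Temp\keygen.exe
PID 1996 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe C:\Users\Admin\AppData\Local\Temp\keygen.exe
PID 1996 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe
PID 1996 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe
PID 1996 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe
"""

# Constructed subset of the behavioral1 memory-dump names.
MEMORY_DUMPS = """
memory/1996-0-0x0000000074800000-0x0000000074DAB000-memory.dmp
memory/2312-15-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2872-20-0x0000000010000000-0x000000001004A000-memory.dmp
memory/2872-22-0x0000000000400000-0x0000000000400000-memory.dmp
"""

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

DEFAULT_DLL_BASE = 0x10000000  # heuristic: MSVC default ImageBase for DLLs (assumption)


def parse_rows(text):
    """Yield (src_pid, action, dst_pid, src_path, dst_path) for each parsable row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3)), m.group(4), m.group(5)


def parse_dumps(text):
    """Map pid -> list of (start, end) address ranges the sandbox dumped."""
    regions = defaultdict(list)
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            regions[int(m.group(1))].append((int(m.group(3), 16), int(m.group(4), 16)))
    return regions


def correlate(rows_text, dumps_text):
    """Group cross-process writes and context changes per (src, dst) pair and rate them."""
    edges = {}
    for src, action, dst, src_path, dst_path in parse_rows(rows_text):
        e = edges.setdefault((src, dst), {"src": src_path, "dst": dst_path,
                                          "writes": 0, "set_context": False})
        if action.startswith("wrote"):
            e["writes"] += 1
        else:
            e["set_context"] = True
    regions = parse_dumps(dumps_text)
    findings = []
    for (src, dst), e in sorted(edges.items()):
        target_regions = regions.get(dst, [])
        dll_base = any(start == DEFAULT_DLL_BASE for start, _ in target_regions)
        empty = any(start == end for start, end in target_regions)
        if e["set_context"] and e["writes"]:
            verdict = "injection: WriteProcessMemory + SetThreadContext (hollowing/thread-hijack pattern)"
        elif e["writes"]:
            verdict = "cross-process write only (child setup or loader stub; corroborate)"
        else:
            verdict = "context change without observed writes"
        findings.append({"src_pid": src, "dst_pid": dst, "dst": e["dst"],
                         "writes": e["writes"], "set_context": e["set_context"],
                         "verdict": verdict, "dll_base_region": dll_base,
                         "empty_region": empty})
    return findings


if __name__ == "__main__":
    for f in correlate(SIGNATURE_ROWS, MEMORY_DUMPS):
        target = f["dst"].rsplit("\\", 1)[-1]
        print(f"{f['src_pid']} -> {f['dst_pid']} ({target}): {f['verdict']}; "
              f"writes={f['writes']} dll_base_region={f['dll_base_region']} "
              f"empty_region={f['empty_region']}")
```

Run against the full row set in the report the same logic yields 4 writes to keygen.exe and 14 writes plus one context change to wmpnetk.exe; the 0x10000000 region in PID 2872 is the piece worth carving out of the dump for signature work, since it is the only mapped image in that process that did not come from wmpnetk.exe on disk.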

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-31 13:35
Reported: 2024-01-31 13:38
Platform: win10v2004-20231222-en
Max time kernel: 141s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe"

Signatures

Detect XtremeRAT payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

XtremeRAT

persistence spyware rat xtremerat

Checks computer location settings

Description       | Indicator                                                                                                   | Process                                                                 | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe | N/A

Executes dropped EXE

Description | Indicator | Process                                       | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\keygen.exe  | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe | N/A

Suspicious use of SetThreadContext

Description                          | Indicator | Process                                                                 | Target
PID 1996 set thread context of 32    | N/A       | C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe | C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process                         | Target
N/A         | N/A       | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe

The crashing process is the injected wmpnetk.exe (PID 32; see the -p 32 argument on the WerFault.exe command lines under Processes). No crash is recorded in the Win7 detonation (behavioral1), so the injected payload appears to have run to completion only on the older platform.

Suspicious use of AdjustPrivilegeToken

Description                          | Indicator | Process                        | Target
Token: 33                            | N/A       | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege    | N/A       | C:\Windows\system32\AUDIODG.EXE | N/A

AUDIODG.EXE (Windows Audio Device Graph Isolation) is a system process and is not listed as a child of the sample under Processes; treat these two rows as platform background activity rather than sample behaviour.

Suspicious use of WriteProcessMemory

Description                        | Indicator | Process                                                                 | Target                                        | Events
PID 1996 wrote to memory of 4928   | N/A       | C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe  | 3
PID 1996 wrote to memory of 32     | N/A       | C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe | C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe | 13

Processes (image path, followed by the command line it was started with)

C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe
    "C:\Users\Admin\AppData\Local\Temp\848d70a1a511b508aa9c8f17f11fe5b8.exe"

C:\Users\Admin\AppData\Local\Temp\keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen.exe"

C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe
    C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe

C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4ec 0x418

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 32 -ip 32

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 12

Network

Country | Destination        | Domain                          | Proto
US      | 8.8.8.8:53         | 28.118.140.52.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 0.159.190.20.in-addr.arpa       | udp
US      | 8.8.8.8:53         | 173.178.17.96.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 209.205.72.20.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 95.221.229.192.in-addr.arpa     | udp
US      | 8.8.8.8:53         | 104.219.191.52.in-addr.arpa     | udp
NL      | 52.142.223.178:80  | -                               | tcp
US      | 8.8.8.8:53         | 183.59.114.20.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 15.164.165.52.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 217.135.221.88.in-addr.arpa     | udp
US      | 8.8.8.8:53         | 205.178.17.96.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 13.227.111.52.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 0.205.248.87.in-addr.arpa       | udp

None of these entries is attributed to a process by the report, every DNS query is a reverse (PTR) lookup, and neither detonation records a connection that the XtremeRAT signature ties to command-and-control; the Win7 run produced no network activity at all. Treat the destinations above as likely platform background traffic and do not promote them to C2 indicators without corroboration.

Files

memory/1996-1-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

memory/1996-0-0x0000000074F20000-0x00000000754D1000-memory.dmp

memory/1996-2-0x0000000074F20000-0x00000000754D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen.exe

MD5:    1c47519f7f38f1ad6dc7b66cb88a7682
SHA1:   1aaf1e6f8423ec37784f3c76495381ce032701dc
SHA256: 37505ed965ec16a970d59ea3becd1497baff6a6b1131c1b49e558695f98a1092
SHA512: 15292a0dfdb0213087c7306808d6b421be8df763410ecafc5d8e3082f4e83a3d7a7388d86db2ea0cd56ba71bce20d205f3d2fb5422df3a72fe5ea24de7aa79d7

memory/4928-13-0x00000000001C0000-0x00000000001C3000-memory.dmp

memory/4928-11-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe

MD5:    daf7a9355937dfa59b6200be3ead7bde
SHA1:   03505f598d72d8e2820369cd4bb892f7a2f6ab88
SHA256: 225a5d49b8d5402c602dcda90838525dedd9057e1261517a878ec67e64dde331
SHA512: f8774359afb9c6b5bce9cb64c045446678435581d81046af410d4b8f8219150f8e7ca286133b6873ee323590e7d7fedd707762a34e74f76617ffca6fff9e6139

Note that these digests differ from those of the wmpnetk.exe dropped in behavioral1 (MD5 34aa912defa18c2c129f1e09d75c1d7e), while keygen.exe is byte-identical across both runs; the wmpnetk.exe file hash is therefore not a reliable indicator for this sample, and the drop path and the injection behaviour are the stronger pivots.

memory/32-15-0x0000000010000000-0x000000001004A000-memory.dmp

memory/1996-18-0x0000000074F20000-0x00000000754D1000-memory.dmp

memory/32-19-0x0000000000400000-0x0000000000400000-memory.dmp

memory/4928-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-21-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-22-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-23-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-24-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-25-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-26-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-27-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-28-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-29-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-30-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-31-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-32-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4928-33-0x0000000000400000-0x0000000000472000-memory.dmp
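keygen.exe carries the same MD5, SHA1 and SHA256 in both detonations, whereas wmpnetk.exe does not (behavioral1 MD5 34aa912defa18c2c129f1e09d75c1d7e, behavioral2 MD5 daf7a9355937dfa59b6200be3ead7bde). The following Python is an added example, not part of the report, that makes this check systematic: it compares dropped-file digests across two runs, promotes only stable hashes to IOCs, and flags the case where some digests of one file agree and others do not, which usually means a transcription error rather than a real difference. The hash tables are copied from the two Files sections above and keyed by file name (behavioral1 lists wmpnetk.exe without the drive letter); the classification labels are my own.

```python
"""Classify dropped-file hashes across two detonations of one sample.

Added example, not part of the sandbox report. Digest values are copied from
the behavioral1 and behavioral2 Files sections above; labels are my own.
"""


def _name(path):
    """Key on the file name so '\\Users\\...' and 'C:\\Users\\...' collapse together."""
    return path.rsplit("\\", 1)[-1].lower()


# behavioral1 (win7-20231215-en)
BEHAVIORAL1 = {
    r"C:\Users\Admin\AppData\Local\Temp\keygen.exe": {
        "MD5": "1c47519f7f38f1ad6dc7b66cb88a7682",
        "SHA1": "1aaf1e6f8423ec37784f3c76495381ce032701dc",
        "SHA256": "37505ed965ec16a970d59ea3becd1497baff6a6b1131c1b49e558695f98a1092",
    },
    r"\Users\Admin\AppData\Local\Temp\wmpnetk.exe": {
        "MD5": "34aa912defa18c2c129f1e09d75c1d7e",
        "SHA1": "9c3046324657505a30ecd9b1fdb46c05bde7d470",
        "SHA256": "6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386",
    },
}

# behavioral2 (win10v2004-20231222-en)
BEHAVIORAL2 = {
    r"C:\Users\Admin\AppData\Local\Temp\keygen.exe": {
        "MD5": "1c47519f7f38f1ad6dc7b66cb88a7682",
        "SHA1": "1aaf1e6f8423ec37784f3c76495381ce032701dc",
        "SHA256": "37505ed965ec16a970d59ea3becd1497baff6a6b1131c1b49e558695f98a1092",
    },
    r"C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe": {
        "MD5": "daf7a9355937dfa59b6200be3ead7bde",
        "SHA1": "03505f598d72d8e2820369cd4bb892f7a2f6ab88",
        "SHA256": "225a5d49b8d5402c602dcda90838525dedd9057e1261517a878ec67e64dde331",
    },
}


def classify_drops(run_a, run_b, algos=("MD5", "SHA1", "SHA256")):
    """Return {file name: verdict string} comparing each file's digests across runs."""
    a = {_name(p): h for p, h in run_a.items()}
    b = {_name(p): h for p, h in run_b.items()}
    verdicts = {}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            verdicts[name] = "single-run: dropped in only one detonation"
            continue
        matched = [alg for alg in algos if a[name].get(alg) == b[name].get(alg)]
        if len(matched) == len(algos):
            verdicts[name] = "stable: identical in both runs, file hash is a usable IOC"
        elif not matched:
            verdicts[name] = ("per-run: content differs between runs, pivot on "
                              "drop path and behaviour instead of the hash")
        else:
            # Digests of one file must all agree or all differ; anything else is a data error.
            verdicts[name] = "inconsistent: only %s agree, re-check the digests" % ",".join(matched)
    return verdicts


def stable_iocs(run_a, run_b, algo="SHA256"):
    """Return {file name: digest} for the files whose hashes are stable across runs."""
    a = {_name(p): h for p, h in run_a.items()}
    return {n: a[n][algo] for n, v in classify_drops(run_a, run_b).items()
            if v.startswith("stable")}


if __name__ == "__main__":
    for name, verdict in classify_drops(BEHAVIORAL1, BEHAVIORAL2).items():
        print(f"{name}: {verdict}")
    print("IOCs:", stable_iocs(BEHAVIORAL1, BEHAVIORAL2))
```

With more than two detonations, call classify_drops pairwise against the first run; a file that is "stable" against every other run is the one worth hashing into a blocklist, and a "per-run" file is the one to sample from memory rather than from disk.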