Analysis

  • max time kernel
    154s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01-02-2024 10:56

General

  • Target

    Avira_AntiVir_Premium_En_Activation Key-2012/Avira_AntiVir_Premium_En_Activation Key-2012.exe

  • Size

    123KB

  • MD5

    66a173eb1770809c39deb08ab53d522d

  • SHA1

    234f0e5440d1a6e3bb59b32a8afaa158afb96cc2

  • SHA256

    f4ec593c1c0aa1f6b54e7c44a31da4e0161dea649a06b7f41f286ae4da834901

  • SHA512

    674e472bc0ca36172d0a0ba3e666458bae3b5c584cc8cf35c50d233318a54b6e40c537e8be4045a31597c8092432c18736cbef17bde6666f6acb6ee5986c9014

  • SSDEEP

    3072:b1dlKwgj23+Oz05YoNozau+gIjZ0DGfaWoO7:b1dlZro5ydI6DPWoU

Malware Config

Extracted

Family

xtremerat

C2

avic.zapto.org

Signatures

  • Detect XtremeRAT payload 3 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe
    "C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\AppData\Local\Temp\activation.exe
      "C:\Users\Admin\AppData\Local\Temp\activation.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:2988
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:2612

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\sfx.ini

        Filesize

        175B

        MD5

        f640f27720afe6c6f49c54efc882aa61

        SHA1

        3df731fbca9f35c0483a3b3148d994b20f667b3b

        SHA256

        e4430c6a106911d4d6f7444364671e79c5ff2d0eb517f13fb42590bd590a0d1d

        SHA512

        262e8039fa648d9c52696e752d4b51444a23aa8622da0f27a6e7018bf378b27855380425ac63f72d3ff3320982f36fa17100b1dd946d44143e1232703c6aec74

      • \Users\Admin\AppData\Local\Temp\activation.exe

        Filesize

        33KB

        MD5

        8dff34bbd074ac6e82b88e8277ee9ce5

        SHA1

        a90d9f2a6057bc28e8b18364c53d8052556f3950

        SHA256

        a1e31d9df888ffb07dc84669cef4773e4f00e86c644e24c0c83da7bc08433405

        SHA512

        a2e5df1a356de19230c2655ccf3ca5c8e4b3a4cb7606f8ae65532de8139e68ae281f509d48b12f36cc8706d02103ad45507de1dff26f0af44c5507e04d5f4a10

      • memory/2988-26-0x0000000010000000-0x000000001004D000-memory.dmp

        Filesize

        308KB

      • memory/2988-28-0x0000000010000000-0x000000001004D000-memory.dmp

        Filesize

        308KB

      • memory/2988-30-0x0000000010000000-0x000000001004D000-memory.dmp

        Filesize

        308KB

      • memory/3000-25-0x0000000010000000-0x000000001004D000-memory.dmp

        Filesize

        308KB

      • memory/3000-29-0x0000000010000000-0x000000001004D000-memory.dmp

        Filesize

        308KB