Analysis
max time kernel: 154s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 01-02-2024 10:56
Static task: static1
Behavioral task: behavioral1
  Sample: 86b7b7ba056bd0cbbbca84e0dd4e7dd5.rar
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 86b7b7ba056bd0cbbbca84e0dd4e7dd5.rar
  Resource: win10v2004-20231215-en
Behavioral task: behavioral3
  Sample: Avira_AntiVir_Premium_En_Activation Key-2012/Avira_AntiVir_Premium_En_Activation Key-2012.exe
  Resource: win7-20231215-en
Behavioral task: behavioral4
  Sample: Avira_AntiVir_Premium_En_Activation Key-2012/Avira_AntiVir_Premium_En_Activation Key-2012.exe
  Resource: win10v2004-20231215-en
General
Target: Avira_AntiVir_Premium_En_Activation Key-2012/Avira_AntiVir_Premium_En_Activation Key-2012.exe
Size: 123KB
MD5: 66a173eb1770809c39deb08ab53d522d
SHA1: 234f0e5440d1a6e3bb59b32a8afaa158afb96cc2
SHA256: f4ec593c1c0aa1f6b54e7c44a31da4e0161dea649a06b7f41f286ae4da834901
SHA512: 674e472bc0ca36172d0a0ba3e666458bae3b5c584cc8cf35c50d233318a54b6e40c537e8be4045a31597c8092432c18736cbef17bde6666f6acb6ee5986c9014
SSDEEP: 3072:b1dlKwgj23+Oz05YoNozau+gIjZ0DGfaWoO7:b1dlZro5ydI6DPWoU
Malware Config
Extracted: xtremerat
avic.zapto.org
Signatures
Detect XtremeRAT payload (3 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral3/memory/2988-28-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
  behavioral3/memory/3000-29-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
  behavioral3/memory/2988-30-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Executes dropped EXE (1 IoCs)
Processes: activation.exe
  pid    Process
  3000   activation.exe
Loads dropped DLL (2 IoCs)
Processes: Avira_AntiVir_Premium_En_Activation Key-2012.exe
  pid    Process
  1280   Avira_AntiVir_Premium_En_Activation Key-2012.exe
  1280   Avira_AntiVir_Premium_En_Activation Key-2012.exe
Processes:
  resource                                                                      yara_rule
  behavioral3/files/0x000b0000000142e4-18.dat                                   upx
  behavioral3/memory/3000-25-0x0000000010000000-0x000000001004D000-memory.dmp   upx
  behavioral3/memory/2988-28-0x0000000010000000-0x000000001004D000-memory.dmp   upx
  behavioral3/memory/3000-29-0x0000000010000000-0x000000001004D000-memory.dmp   upx
  behavioral3/memory/2988-30-0x0000000010000000-0x000000001004D000-memory.dmp   upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: Avira_AntiVir_Premium_En_Activation Key-2012.exe, activation.exe
  description                        pid    Process                                             procid_target
  PID 1280 wrote to memory of 3000   1280   Avira_AntiVir_Premium_En_Activation Key-2012.exe    28
  PID 1280 wrote to memory of 3000   1280   Avira_AntiVir_Premium_En_Activation Key-2012.exe    28
  PID 1280 wrote to memory of 3000   1280   Avira_AntiVir_Premium_En_Activation Key-2012.exe    28
  PID 1280 wrote to memory of 3000   1280   Avira_AntiVir_Premium_En_Activation Key-2012.exe    28
  PID 3000 wrote to memory of 2988   3000   activation.exe                                      29
  PID 3000 wrote to memory of 2988   3000   activation.exe                                      29
  PID 3000 wrote to memory of 2988   3000   activation.exe                                      29
  PID 3000 wrote to memory of 2988   3000   activation.exe                                      29
  PID 3000 wrote to memory of 2988   3000   activation.exe                                      29
  PID 3000 wrote to memory of 2612   3000   activation.exe                                      30
  PID 3000 wrote to memory of 2612   3000   activation.exe                                      30
  PID 3000 wrote to memory of 2612   3000   activation.exe                                      30
  PID 3000 wrote to memory of 2612   3000   activation.exe                                      30
  PID 3000 wrote to memory of 2612   3000   activation.exe                                      30
Processes
1. C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe"
   PID:1280
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\activation.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\activation.exe"
      PID:3000
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe
         command line: svchost.exe
         PID:2988
      3. C:\Program Files\Internet Explorer\iexplore.exe
         command line: "C:\Program Files\Internet Explorer\iexplore.exe"
         PID:2612
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 175B
MD5: f640f27720afe6c6f49c54efc882aa61
SHA1: 3df731fbca9f35c0483a3b3148d994b20f667b3b
SHA256: e4430c6a106911d4d6f7444364671e79c5ff2d0eb517f13fb42590bd590a0d1d
SHA512: 262e8039fa648d9c52696e752d4b51444a23aa8622da0f27a6e7018bf378b27855380425ac63f72d3ff3320982f36fa17100b1dd946d44143e1232703c6aec74

Filesize: 33KB
MD5: 8dff34bbd074ac6e82b88e8277ee9ce5
SHA1: a90d9f2a6057bc28e8b18364c53d8052556f3950
SHA256: a1e31d9df888ffb07dc84669cef4773e4f00e86c644e24c0c83da7bc08433405
SHA512: a2e5df1a356de19230c2655ccf3ca5c8e4b3a4cb7606f8ae65532de8139e68ae281f509d48b12f36cc8706d02103ad45507de1dff26f0af44c5507e04d5f4a10