Analysis
- max time kernel: 142s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-02-2024 10:56
Static task
- static1

Behavioral task
- behavioral1
  Sample: 86b7b7ba056bd0cbbbca84e0dd4e7dd5.rar
  Resource: win7-20231215-en

Behavioral task
- behavioral2
  Sample: 86b7b7ba056bd0cbbbca84e0dd4e7dd5.rar
  Resource: win10v2004-20231215-en

Behavioral task
- behavioral3
  Sample: Avira_AntiVir_Premium_En_Activation Key-2012/Avira_AntiVir_Premium_En_Activation Key-2012.exe
  Resource: win7-20231215-en

Behavioral task
- behavioral4
  Sample: Avira_AntiVir_Premium_En_Activation Key-2012/Avira_AntiVir_Premium_En_Activation Key-2012.exe
  Resource: win10v2004-20231215-en
General
- Target: Avira_AntiVir_Premium_En_Activation Key-2012/Avira_AntiVir_Premium_En_Activation Key-2012.exe
- Size: 123KB
- MD5: 66a173eb1770809c39deb08ab53d522d
- SHA1: 234f0e5440d1a6e3bb59b32a8afaa158afb96cc2
- SHA256: f4ec593c1c0aa1f6b54e7c44a31da4e0161dea649a06b7f41f286ae4da834901
- SHA512: 674e472bc0ca36172d0a0ba3e666458bae3b5c584cc8cf35c50d233318a54b6e40c537e8be4045a31597c8092432c18736cbef17bde6666f6acb6ee5986c9014
- SSDEEP: 3072:b1dlKwgj23+Oz05YoNozau+gIjZ0DGfaWoO7:b1dlZro5ydI6DPWoU
Malware Config
- Extracted
  Family: xtremerat
  C2: avic.zapto.org
Signatures

- Detect XtremeRAT payload (3 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral4/memory/3052-25-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
    behavioral4/memory/1804-26-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
    behavioral4/memory/3052-27-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat

- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
    description        ioc                                                                                                   Process
    Key value queried  \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation  Avira_AntiVir_Premium_En_Activation Key-2012.exe

- Executes dropped EXE (1 IoC)
  Processes:
    pid   Process
    1804  activation.exe

- (signature heading missing from the page; yara rule: upx)
  Processes:
    resource                                                                     yara_rule
    behavioral4/files/0x0007000000023209-20.dat                                  upx
    behavioral4/memory/1804-24-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral4/memory/3052-25-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral4/memory/1804-26-0x0000000010000000-0x000000001004D000-memory.dmp  upx
    behavioral4/memory/3052-27-0x0000000010000000-0x000000001004D000-memory.dmp  upx

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
  Processes:
    pid   pid_target  Process       procid_target
    1660  3052        WerFault.exe  85
    828   3052        WerFault.exe  85

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                         pid   Process                                            procid_target
    PID 4548 wrote to memory of 1804    4548  Avira_AntiVir_Premium_En_Activation Key-2012.exe   84
    PID 4548 wrote to memory of 1804    4548  Avira_AntiVir_Premium_En_Activation Key-2012.exe   84
    PID 4548 wrote to memory of 1804    4548  Avira_AntiVir_Premium_En_Activation Key-2012.exe   84
    PID 1804 wrote to memory of 3052    1804  activation.exe                                     85
    PID 1804 wrote to memory of 3052    1804  activation.exe                                     85
    PID 1804 wrote to memory of 3052    1804  activation.exe                                     85
    PID 1804 wrote to memory of 3052    1804  activation.exe                                     85
    PID 1804 wrote to memory of 4004    1804  activation.exe                                     86
    PID 1804 wrote to memory of 4004    1804  activation.exe                                     86
    PID 1804 wrote to memory of 4004    1804  activation.exe                                     86
Processes (process tree; indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe"
   PID: 4548
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\activation.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\activation.exe"
      PID: 1804
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe
         Command line: svchost.exe
         PID: 3052
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 480
            PID: 1660
            - Program crash
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 504
            PID: 828
            - Program crash
      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
         PID: 4004

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3052 -ip 3052
   PID: 1008

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3052 -ip 3052
   PID: 1624
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 33KB
  MD5: 8dff34bbd074ac6e82b88e8277ee9ce5
  SHA1: a90d9f2a6057bc28e8b18364c53d8052556f3950
  SHA256: a1e31d9df888ffb07dc84669cef4773e4f00e86c644e24c0c83da7bc08433405
  SHA512: a2e5df1a356de19230c2655ccf3ca5c8e4b3a4cb7606f8ae65532de8139e68ae281f509d48b12f36cc8706d02103ad45507de1dff26f0af44c5507e04d5f4a10

- Filesize: 175B
  MD5: f640f27720afe6c6f49c54efc882aa61
  SHA1: 3df731fbca9f35c0483a3b3148d994b20f667b3b
  SHA256: e4430c6a106911d4d6f7444364671e79c5ff2d0eb517f13fb42590bd590a0d1d
  SHA512: 262e8039fa648d9c52696e752d4b51444a23aa8622da0f27a6e7018bf378b27855380425ac63f72d3ff3320982f36fa17100b1dd946d44143e1232703c6aec74