Malware Analysis Report

2025-01-02 02:16

Sample ID 240201-m1rcpsddgl
Target 86b7b7ba056bd0cbbbca84e0dd4e7dd5
SHA256 de215fbe071105e63bad7cf6cb488ca8fa3ac6402c3e679b6f24bbf228fad218
Tags
xtremerat persistence rat spyware upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

de215fbe071105e63bad7cf6cb488ca8fa3ac6402c3e679b6f24bbf228fad218

Threat Level: Known bad

The file 86b7b7ba056bd0cbbbca84e0dd4e7dd5 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

Reading the four runs together: opening the submitted .rar in 7-Zip (behavioral1, behavioral2) produced no malicious behaviour; the 7zFM.exe signatures there are the archive manager's normal activity. Executing the extracted Avira_AntiVir_Premium_En_Activation Key-2012.exe (behavioral3, behavioral4) dropped sfx.ini and a UPX-packed activation.exe, which wrote into a 32-bit (SysWOW64) svchost.exe and into a browser process (iexplore.exe on Windows 7, msedge.exe on Windows 10). The same 0x10000000-0x1004D000 region was dumped from both activation.exe and svchost.exe, which is consistent with an injected module and with the XtremeRAT payload detections. On Windows 10 the injected svchost.exe crashed (WerFault.exe was invoked for its PID), which accounts for the "Program crash" signature. No command-and-control traffic was captured in any run: the only network activity is reverse-DNS (PTR) lookups to 8.8.8.8. No persistence artefact (Run key or startup entry) appears in the recorded signatures; the "persistence" tag comes from the family classification, not from an observed action in these runs.

XtremeRAT

Detect XtremeRAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-01 10:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 10:56

Reported

2024-02-01 10:58

Platform

win7-20231215-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\86b7b7ba056bd0cbbbca84e0dd4e7dd5.rar

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2180 wrote to memory of 2716 (logged 3 times) | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\86b7b7ba056bd0cbbbca84e0dd4e7dd5.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\86b7b7ba056bd0cbbbca84e0dd4e7dd5.rar"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 10:56

Reported

2024-02-01 10:58

Platform

win10v2004-20231215-en

Max time kernel

133s

Max time network

134s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\86b7b7ba056bd0cbbbca84e0dd4e7dd5.rar

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4012 wrote to memory of 3224 (logged 2 times) | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\86b7b7ba056bd0cbbbca84e0dd4e7dd5.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\86b7b7ba056bd0cbbbca84e0dd4e7dd5.rar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

All thirteen entries are PTR (reverse-DNS) lookups sent to Google Public DNS; no connection to any resolved host was recorded. The only processes in this run are cmd.exe and 7zFM.exe, so this traffic is most likely background activity of the analysis host rather than of the sample, and it carries no command-and-control indicator.

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-01 10:56

Reported

2024-02-01 10:58

Platform

win7-20231215-en

Max time kernel

154s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\activation.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
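The "Unsigned PE" (static1) and "UPX packed file" signatures above are both answerable from the PE headers alone. The following is an added example, not the sandbox's own signature logic: it walks the DOS, COFF, optional and section headers, flags UPX-named sections and sections that occupy memory but carry no raw data, and reports an empty security directory as "unsigned". The build_minimal_pe() fixture is a constructed, headers-only PE32 used only to exercise the parser, and the two heuristics are my own choices, not a published rule set.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: embedded Authenticode signature


def build_minimal_pe(sections, signed=False):
    """Constructed test input: a headers-only PE32 image (not executable) with the
    given (name, VirtualSize, SizeOfRawData) sections, optionally with a non-empty
    security directory standing in for an Authenticode signature."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 224  # size of a PE32 optional header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)  # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes (directories start at 96)
    if signed:
        struct.pack_into("<II", opt, 96 + SECURITY_DIR * 8, 0x2000, 0x600)
    hdrs = b""
    for name, vsize, rawsize in sections:
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, rawsize,
                            0x400, 0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + hdrs


def parse_headers(data):
    """Walk DOS -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _sym, _nsym, size_opt, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    sec_va = sec_size = 0
    if ndirs > SECURITY_DIR:
        sec_va, sec_size = struct.unpack_from("<II", data, dirs + SECURITY_DIR * 8)
    sections = []
    base = opt + size_opt
    for i in range(nsec):
        name, vsize, _va, rawsize, _praw, _, _, _, _, _c = struct.unpack_from("<8sIIIIIIHHI", data, base + i * 40)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), vsize, rawsize))
    return {"magic": magic, "security_dir": (sec_va, sec_size), "sections": sections}


def triage_pe(data):
    """Reproduce the two static signatures: 'UPX packed file' (UPX section names, or a
    section that exists in memory but has no raw data, as UPX0 does) and 'Unsigned PE'
    (empty security directory). Caveat: catalog-signed files also have an empty
    security directory, so 'unsigned' here means 'no embedded signature'."""
    h = parse_headers(data)
    upx = [n for n, _v, _r in h["sections"] if n.upper().startswith("UPX")]
    hollow = [n for n, vsize, raw in h["sections"] if raw == 0 and vsize > 0]
    return {
        "upx_sections": upx,
        "memory_only_sections": hollow,
        "packed": bool(upx or hollow),
        "unsigned": h["security_dir"][1] == 0,
    }


if __name__ == "__main__":
    sample = build_minimal_pe([("UPX0", 0x20000, 0), ("UPX1", 0xB000, 0xA800), (".rsrc", 0x1000, 0x800)])
    print(triage_pe(sample))
```

To run it against a real dropped file, replace the constructed fixture with open(path, "rb").read(); the parser only touches header bytes, so it is safe to run on a packed sample without executing it.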

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1280 wrote to memory of 3000 (logged 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe | C:\Users\Admin\AppData\Local\Temp\activation.exe
PID 3000 wrote to memory of 2988 (logged 5 times) | N/A | C:\Users\Admin\AppData\Local\Temp\activation.exe | C:\Windows\SysWOW64\svchost.exe
PID 3000 wrote to memory of 2612 (logged 5 times) | N/A | C:\Users\Admin\AppData\Local\Temp\activation.exe | C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe

"C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe"

C:\Users\Admin\AppData\Local\Temp\activation.exe

"C:\Users\Admin\AppData\Local\Temp\activation.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\sfx.ini

MD5 f640f27720afe6c6f49c54efc882aa61
SHA1 3df731fbca9f35c0483a3b3148d994b20f667b3b
SHA256 e4430c6a106911d4d6f7444364671e79c5ff2d0eb517f13fb42590bd590a0d1d
SHA512 262e8039fa648d9c52696e752d4b51444a23aa8622da0f27a6e7018bf378b27855380425ac63f72d3ff3320982f36fa17100b1dd946d44143e1232703c6aec74

\Users\Admin\AppData\Local\Temp\activation.exe

MD5 8dff34bbd074ac6e82b88e8277ee9ce5
SHA1 a90d9f2a6057bc28e8b18364c53d8052556f3950
SHA256 a1e31d9df888ffb07dc84669cef4773e4f00e86c644e24c0c83da7bc08433405
SHA512 a2e5df1a356de19230c2655ccf3ca5c8e4b3a4cb7606f8ae65532de8139e68ae281f509d48b12f36cc8706d02103ad45507de1dff26f0af44c5507e04d5f4a10

memory/3000-25-0x0000000010000000-0x000000001004D000-memory.dmp

memory/2988-26-0x0000000010000000-0x000000001004D000-memory.dmp

memory/2988-28-0x0000000010000000-0x000000001004D000-memory.dmp

memory/3000-29-0x0000000010000000-0x000000001004D000-memory.dmp

memory/2988-30-0x0000000010000000-0x000000001004D000-memory.dmp
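The WriteProcessMemory rows and the memory-dump names in this run carry the injection evidence, but the sandbox also logs WriteProcessMemory for a parent starting its own child (cmd.exe writing into 7zFM.exe in behavioral1), so the raw signature is noisy. The following is an added example, not part of the report: it parses rows transcribed from the behavioral1 and behavioral3 tables, keeps only writes from a binary in a user-writable directory into a process running a trusted OS or browser image, and correlates the dump names to show the region 0x10000000-0x1004D000 appearing in both the writer (PID 3000) and the target (PID 2988). The USER_WRITABLE and TRUSTED_ROOTS lists are my own triage heuristic, and the pipe-delimited input is a constructed transcription of the tables above.

```python
import re
from collections import defaultdict

# Constructed input, transcribed from the "Suspicious use of WriteProcessMemory" tables of
# this report (behavioral1 and behavioral3). Columns: description | writer | target.
WPM_ROWS = r"""
PID 2180 wrote to memory of 2716 | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 1280 wrote to memory of 3000 | C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe | C:\Users\Admin\AppData\Local\Temp\activation.exe
PID 3000 wrote to memory of 2988 | C:\Users\Admin\AppData\Local\Temp\activation.exe | C:\Windows\SysWOW64\svchost.exe
PID 3000 wrote to memory of 2988 | C:\Users\Admin\AppData\Local\Temp\activation.exe | C:\Windows\SysWOW64\svchost.exe
PID 3000 wrote to memory of 2612 | C:\Users\Admin\AppData\Local\Temp\activation.exe | C:\Program Files\Internet Explorer\iexplore.exe
"""

# Memory-dump names from behavioral3: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_NAMES = [
    "memory/3000-25-0x0000000010000000-0x000000001004D000-memory.dmp",
    "memory/2988-26-0x0000000010000000-0x000000001004D000-memory.dmp",
    "memory/2988-28-0x0000000010000000-0x000000001004D000-memory.dmp",
    "memory/3000-29-0x0000000010000000-0x000000001004D000-memory.dmp",
    "memory/2988-30-0x0000000010000000-0x000000001004D000-memory.dmp",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp")

# Heuristic (mine, not the sandbox's): code running from a user-writable directory that
# writes into a trusted OS/browser image is the injection pattern worth alerting on.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_wpm(text):
    """Turn the report rows into (writer_pid, target_pid, writer_path, target_path)."""
    events = []
    for line in text.strip().splitlines():
        desc, writer, target = [c.strip() for c in line.split("|")]
        m = WPM_RE.match(desc)
        events.append((int(m.group(1)), int(m.group(2)), writer, target))
    return events


def injection_chain(events):
    """Writer PID -> set of target PIDs, de-duplicated (the report logs one row per call)."""
    chain = defaultdict(set)
    for wpid, tpid, _w, _t in events:
        chain[wpid].add(tpid)
    return dict(chain)


def flag_injections(events):
    """Unique (writer_pid, target_pid, target_path) where a binary in a user-writable
    directory wrote into a process running a trusted image. A parent writing into its
    own child at startup (cmd.exe -> 7zFM.exe) is excluded by the writer-path filter."""
    flagged, seen = [], set()
    for wpid, tpid, writer, target in events:
        w, t = writer.lower(), target.lower()
        if any(d in w for d in USER_WRITABLE) and t.startswith(TRUSTED_ROOTS):
            if (wpid, tpid) not in seen:
                flagged.append((wpid, tpid, target))
                seen.add((wpid, tpid))
    return flagged


def shared_regions(dump_names):
    """Group dumped ranges by (start, end) and keep those seen in more than one PID:
    the same range in writer and target is the footprint of an injected module."""
    by_region = defaultdict(set)
    for name in dump_names:
        pid, _seq, start, end = DUMP_RE.match(name).groups()
        by_region[(int(start, 16), int(end, 16))].add(int(pid))
    return {r: pids for r, pids in by_region.items() if len(pids) > 1}


if __name__ == "__main__":
    ev = parse_wpm(WPM_ROWS)
    for wpid, tpid, target in flag_injections(ev):
        print(f"injection: {wpid} -> {tpid} ({target})")
    for (start, end), pids in shared_regions(DUMP_NAMES).items():
        print(f"region {start:#x}-{end:#x} ({end - start} bytes) present in PIDs {sorted(pids)}")
```

The writer-path filter is what separates the two benign rows (cmd.exe starting 7-Zip, the SFX starting its own dropped child in Temp) from the two writes that matter (activation.exe into svchost.exe and into iexplore.exe); the shared 0x4D000-byte region across PIDs 3000 and 2988 is the corroborating artefact to pull for YARA or string triage.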

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-01 10:56

Reported

2024-02-01 10:58

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\activation.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4548 wrote to memory of 1804 (logged 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe | C:\Users\Admin\AppData\Local\Temp\activation.exe
PID 1804 wrote to memory of 3052 (logged 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\activation.exe | C:\Windows\SysWOW64\svchost.exe
PID 1804 wrote to memory of 4004 (logged 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\activation.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe

"C:\Users\Admin\AppData\Local\Temp\Avira_AntiVir_Premium_En_Activation Key-2012\Avira_AntiVir_Premium_En_Activation Key-2012.exe"

C:\Users\Admin\AppData\Local\Temp\activation.exe

"C:\Users\Admin\AppData\Local\Temp\activation.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3052 -ip 3052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3052 -ip 3052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 504

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

All thirteen entries are PTR (reverse-DNS) lookups sent to Google Public DNS; no connection to any resolved host was recorded, so despite the injected XtremeRAT payload this run captured no command-and-control traffic. The crash of the injected svchost.exe (PID 3052, handled by WerFault.exe above) is the likely reason the implant never reached its check-in.

Files

C:\Users\Admin\AppData\Local\Temp\sfx.ini

MD5 f640f27720afe6c6f49c54efc882aa61
SHA1 3df731fbca9f35c0483a3b3148d994b20f667b3b
SHA256 e4430c6a106911d4d6f7444364671e79c5ff2d0eb517f13fb42590bd590a0d1d
SHA512 262e8039fa648d9c52696e752d4b51444a23aa8622da0f27a6e7018bf378b27855380425ac63f72d3ff3320982f36fa17100b1dd946d44143e1232703c6aec74

C:\Users\Admin\AppData\Local\Temp\activation.exe

MD5 8dff34bbd074ac6e82b88e8277ee9ce5
SHA1 a90d9f2a6057bc28e8b18364c53d8052556f3950
SHA256 a1e31d9df888ffb07dc84669cef4773e4f00e86c644e24c0c83da7bc08433405
SHA512 a2e5df1a356de19230c2655ccf3ca5c8e4b3a4cb7606f8ae65532de8139e68ae281f509d48b12f36cc8706d02103ad45507de1dff26f0af44c5507e04d5f4a10

memory/1804-24-0x0000000010000000-0x000000001004D000-memory.dmp

memory/3052-25-0x0000000010000000-0x000000001004D000-memory.dmp

memory/1804-26-0x0000000010000000-0x000000001004D000-memory.dmp

memory/3052-27-0x0000000010000000-0x000000001004D000-memory.dmp