Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 03-02-2024 00:14
Static task: static1
Behavioral task: behavioral1
  Sample: 8ae60ffd054b91d05a999b81c842dff6.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 8ae60ffd054b91d05a999b81c842dff6.exe
  Resource: win10v2004-20231215-en
General
Target: 8ae60ffd054b91d05a999b81c842dff6.exe
Size: 272KB
MD5: 8ae60ffd054b91d05a999b81c842dff6
SHA1: c4d53e74655ecef838f43679f86ac97fa03b693b
SHA256: 3855d14233d9b0d2264b18749baef259989099aa3471fde387885743d1809299
SHA512: 847aa1f2290b877070eab91ab53186465916a1caa4c9a41943a8ae36807400930f402e0d91d28363a116ae2fe97ec771e07e63c7e86c121a0b0376ad93046448
SSDEEP: 6144:z5MiHH39hzMBo7Ljd/Q1RgOw7I43qRKoC4pFsMmKAae0d7:VT3Lzqo7Li1RgdI0wbC4pFpmKAae0d7
Malware Config
Extracted
xtremerat
firefox-dmm.sytes.net
google-pro.dyndns.info
Signatures
Detect XtremeRAT payload (8 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/3028-10-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
behavioral1/memory/3028-9-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
behavioral1/memory/2192-13-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
behavioral1/memory/2560-20-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
behavioral1/memory/3028-17-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
behavioral1/memory/2560-16-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
behavioral1/memory/2192-22-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
behavioral1/memory/2560-23-0x0000000010000000-0x0000000010048000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Processes: notepad.exe, svchost.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{180WIO5D-O6JI-26AO-IEK4-67D88J77OD50} | notepad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{180WIO5D-O6JI-26AO-IEK4-67D88J77OD50}\StubPath = "C:\\Windows\\system32\\InstallDir\\ver.exe restart" | notepad.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{180WIO5D-O6JI-26AO-IEK4-67D88J77OD50} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{180WIO5D-O6JI-26AO-IEK4-67D88J77OD50}\StubPath = "C:\\Windows\\system32\\InstallDir\\ver.exe" | svchost.exe
Processes:
resource | yara_rule
behavioral1/memory/3028-4-0x0000000010000000-0x0000000010048000-memory.dmp | upx
behavioral1/memory/3028-10-0x0000000010000000-0x0000000010048000-memory.dmp | upx
behavioral1/memory/3028-9-0x0000000010000000-0x0000000010048000-memory.dmp | upx
behavioral1/memory/3028-7-0x0000000010000000-0x0000000010048000-memory.dmp | upx
behavioral1/memory/2192-13-0x0000000010000000-0x0000000010048000-memory.dmp | upx
behavioral1/memory/2560-20-0x0000000010000000-0x0000000010048000-memory.dmp | upx
behavioral1/memory/3028-17-0x0000000010000000-0x0000000010048000-memory.dmp | upx
behavioral1/memory/2560-16-0x0000000010000000-0x0000000010048000-memory.dmp | upx
behavioral1/memory/2192-22-0x0000000010000000-0x0000000010048000-memory.dmp | upx
behavioral1/memory/2560-23-0x0000000010000000-0x0000000010048000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: svchost.exe, notepad.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\ver.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\ver.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\ver.exe" | notepad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\ver.exe" | notepad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "㩃坜湩潤獷卜獹佗㙗尴潮整慰\u2e64硥e엸က엸က㽜" | notepad.exe
Drops file in System32 directory (3 IoCs)
Processes: notepad.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\InstallDir\ver.exe | notepad.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\ | notepad.exe
File opened for modification | C:\Windows\SysWOW64\InstallDir\ver.exe | notepad.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: 8ae60ffd054b91d05a999b81c842dff6.exe
description | pid | Process | procid_target
PID 880 set thread context of 3028 | 880 | 8ae60ffd054b91d05a999b81c842dff6.exe | 29
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 8ae60ffd054b91d05a999b81c842dff6.exe, notepad.exe
pid | Process
880 | 8ae60ffd054b91d05a999b81c842dff6.exe
2560 | notepad.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: 8ae60ffd054b91d05a999b81c842dff6.exe, 8ae60ffd054b91d05a999b81c842dff6.exe
description | pid | Process | procid_target
PID 880 wrote to memory of 3028 | 880 | 8ae60ffd054b91d05a999b81c842dff6.exe | 29
PID 880 wrote to memory of 3028 | 880 | 8ae60ffd054b91d05a999b81c842dff6.exe | 29
PID 880 wrote to memory of 3028 | 880 | 8ae60ffd054b91d05a999b81c842dff6.exe | 29
PID 880 wrote to memory of 3028 | 880 | 8ae60ffd054b91d05a999b81c842dff6.exe | 29
PID 880 wrote to memory of 3028 | 880 | 8ae60ffd054b91d05a999b81c842dff6.exe | 29
PID 880 wrote to memory of 3028 | 880 | 8ae60ffd054b91d05a999b81c842dff6.exe | 29
PID 880 wrote to memory of 3028 | 880 | 8ae60ffd054b91d05a999b81c842dff6.exe | 29
PID 880 wrote to memory of 3028 | 880 | 8ae60ffd054b91d05a999b81c842dff6.exe | 29
PID 880 wrote to memory of 3028 | 880 | 8ae60ffd054b91d05a999b81c842dff6.exe | 29
PID 3028 wrote to memory of 2192 | 3028 | 8ae60ffd054b91d05a999b81c842dff6.exe | 28
PID 3028 wrote to memory of 2192 | 3028 | 8ae60ffd054b91d05a999b81c842dff6.exe | 28
PID 3028 wrote to memory of 2192 | 3028 | 8ae60ffd054b91d05a999b81c842dff6.exe | 28
PID 3028 wrote to memory of 2192 | 3028 | 8ae60ffd054b91d05a999b81c842dff6.exe | 28
PID 3028 wrote to memory of 2192 | 3028 | 8ae60ffd054b91d05a999b81c842dff6.exe | 28
PID 3028 wrote to memory of 2560 | 3028 | 8ae60ffd054b91d05a999b81c842dff6.exe | 30
PID 3028 wrote to memory of 2560 | 3028 | 8ae60ffd054b91d05a999b81c842dff6.exe | 30
PID 3028 wrote to memory of 2560 | 3028 | 8ae60ffd054b91d05a999b81c842dff6.exe | 30
PID 3028 wrote to memory of 2560 | 3028 | 8ae60ffd054b91d05a999b81c842dff6.exe | 30
PID 3028 wrote to memory of 2560 | 3028 | 8ae60ffd054b91d05a999b81c842dff6.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\8ae60ffd054b91d05a999b81c842dff6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ae60ffd054b91d05a999b81c842dff6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 880
    C:\Users\Admin\AppData\Local\Temp\8ae60ffd054b91d05a999b81c842dff6.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\8ae60ffd054b91d05a999b81c842dff6.exe
      - Suspicious use of WriteProcessMemory
      PID: 3028
        C:\Windows\SysWOW64\notepad.exe
          Command line: notepad.exe
          - Modifies Installed Components in the registry
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious use of SetWindowsHookEx
          PID: 2560
C:\Windows\SysWOW64\svchost.exe
  Command line: svchost.exe
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  PID: 2192
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 272KB
MD5: 8ae60ffd054b91d05a999b81c842dff6
SHA1: c4d53e74655ecef838f43679f86ac97fa03b693b
SHA256: 3855d14233d9b0d2264b18749baef259989099aa3471fde387885743d1809299
SHA512: 847aa1f2290b877070eab91ab53186465916a1caa4c9a41943a8ae36807400930f402e0d91d28363a116ae2fe97ec771e07e63c7e86c121a0b0376ad93046448