Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 22:56
Static task: static1
Behavioral task: behavioral1
Sample: a78f5b9da6c323a9b325511f6318d265.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: a78f5b9da6c323a9b325511f6318d265.exe
Resource: win10v2004-20240226-en
General
Target: a78f5b9da6c323a9b325511f6318d265.exe
Size: 296KB
MD5: a78f5b9da6c323a9b325511f6318d265
SHA1: c5574fde465517b9092be055aae25f2f243dd8c7
SHA256: 6f401be102cc2060edd4c301f9bfff71ecf37f29e5cff3a42129c6e46c2e47d5
SHA512: 2fa71e0c974538648f7510f7d4595991e340dfba54060954a64860106491fc9d94dc9191f5d0332aaa79bce6681ba7d921d591f5ddb1b91cf328818b1fc06f2a
SSDEEP: 6144:f1C/mbSSGmG9StTknv48s8ssskeLCVfDa+PSq6fY:deaSr9SNknv48sUeLCV5PSHA
Malware Config
Signatures
Detect XtremeRAT payload 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2696-5-0x0000000000C80000-0x0000000000CA8000-memory.dmp | family_xtremerat
behavioral2/memory/2696-6-0x0000000000C80000-0x0000000000CA8000-memory.dmp | family_xtremerat
behavioral2/memory/4544-12-0x0000000000C80000-0x0000000000CA8000-memory.dmp | family_xtremerat
behavioral2/memory/4668-14-0x0000000000C80000-0x0000000000CA8000-memory.dmp | family_xtremerat
behavioral2/memory/2696-15-0x0000000000C80000-0x0000000000CA8000-memory.dmp | family_xtremerat
behavioral2/memory/4668-17-0x0000000000C80000-0x0000000000CA8000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes: a78f5b9da6c323a9b325511f6318d265.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Program Files (x86)\\windows\\window.exe restart" | a78f5b9da6c323a9b325511f6318d265.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Program Files (x86)\\windows\\window.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | a78f5b9da6c323a9b325511f6318d265.exe
Processes:
resource | yara_rule
behavioral2/memory/2696-2-0x0000000000C80000-0x0000000000CA8000-memory.dmp | upx
behavioral2/memory/2696-4-0x0000000000C80000-0x0000000000CA8000-memory.dmp | upx
behavioral2/memory/2696-5-0x0000000000C80000-0x0000000000CA8000-memory.dmp | upx
behavioral2/memory/2696-6-0x0000000000C80000-0x0000000000CA8000-memory.dmp | upx
behavioral2/memory/4544-12-0x0000000000C80000-0x0000000000CA8000-memory.dmp | upx
behavioral2/memory/4668-14-0x0000000000C80000-0x0000000000CA8000-memory.dmp | upx
behavioral2/memory/2696-15-0x0000000000C80000-0x0000000000CA8000-memory.dmp | upx
behavioral2/memory/4668-17-0x0000000000C80000-0x0000000000CA8000-memory.dmp | upx
Adds Run key to start application 2 TTPs 4 IoCs
Processes: a78f5b9da6c323a9b325511f6318d265.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\windows\\window.exe" | a78f5b9da6c323a9b325511f6318d265.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\windows\\window.exe" | a78f5b9da6c323a9b325511f6318d265.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\windows\\window.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\windows\\window.exe" | svchost.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: a78f5b9da6c323a9b325511f6318d265.exe
description | pid | process | target process
PID 2744 set thread context of 2696 | 2744 | a78f5b9da6c323a9b325511f6318d265.exe | a78f5b9da6c323a9b325511f6318d265.exe
Drops file in Program Files directory 2 IoCs
Processes: a78f5b9da6c323a9b325511f6318d265.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\windows\window.exe | a78f5b9da6c323a9b325511f6318d265.exe
File created | C:\Program Files (x86)\windows\window.exe | a78f5b9da6c323a9b325511f6318d265.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: a78f5b9da6c323a9b325511f6318d265.exe, svchost.exe
pid | process
2744 | a78f5b9da6c323a9b325511f6318d265.exe
4668 | svchost.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes: a78f5b9da6c323a9b325511f6318d265.exe, a78f5b9da6c323a9b325511f6318d265.exe
description | pid | process | target process
PID 2744 wrote to memory of 2696 | 2744 | a78f5b9da6c323a9b325511f6318d265.exe | a78f5b9da6c323a9b325511f6318d265.exe
PID 2744 wrote to memory of 2696 | 2744 | a78f5b9da6c323a9b325511f6318d265.exe | a78f5b9da6c323a9b325511f6318d265.exe
PID 2744 wrote to memory of 2696 | 2744 | a78f5b9da6c323a9b325511f6318d265.exe | a78f5b9da6c323a9b325511f6318d265.exe
PID 2744 wrote to memory of 2696 | 2744 | a78f5b9da6c323a9b325511f6318d265.exe | a78f5b9da6c323a9b325511f6318d265.exe
PID 2744 wrote to memory of 2696 | 2744 | a78f5b9da6c323a9b325511f6318d265.exe | a78f5b9da6c323a9b325511f6318d265.exe
PID 2744 wrote to memory of 2696 | 2744 | a78f5b9da6c323a9b325511f6318d265.exe | a78f5b9da6c323a9b325511f6318d265.exe
PID 2744 wrote to memory of 2696 | 2744 | a78f5b9da6c323a9b325511f6318d265.exe | a78f5b9da6c323a9b325511f6318d265.exe
PID 2744 wrote to memory of 2696 | 2744 | a78f5b9da6c323a9b325511f6318d265.exe | a78f5b9da6c323a9b325511f6318d265.exe
PID 2696 wrote to memory of 4544 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 4544 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 4544 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 4544 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 4524 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 4524 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 4524 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 3136 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 3136 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 3136 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 4668 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 4668 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 4668 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
PID 2696 wrote to memory of 4668 | 2696 | a78f5b9da6c323a9b325511f6318d265.exe | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a78f5b9da6c323a9b325511f6318d265.exe (PID 2744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a78f5b9da6c323a9b325511f6318d265.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\a78f5b9da6c323a9b325511f6318d265.exe (PID 2696)
    Command line: C:\Users\Admin\AppData\Local\Temp\a78f5b9da6c323a9b325511f6318d265.exe
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 4544)
      Command line: svchost.exe
      - Modifies Installed Components in the registry
      - Adds Run key to start application
    C:\Windows\SysWOW64\svchost.exe (PID 4524)
      Command line: svchost.exe
    C:\Windows\SysWOW64\svchost.exe (PID 3136)
      Command line: svchost.exe
    C:\Windows\SysWOW64\svchost.exe (PID 4668)
      Command line: svchost.exe
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 296KB
MD5: a78f5b9da6c323a9b325511f6318d265
SHA1: c5574fde465517b9092be055aae25f2f243dd8c7
SHA256: 6f401be102cc2060edd4c301f9bfff71ecf37f29e5cff3a42129c6e46c2e47d5
SHA512: 2fa71e0c974538648f7510f7d4595991e340dfba54060954a64860106491fc9d94dc9191f5d0332aaa79bce6681ba7d921d591f5ddb1b91cf328818b1fc06f2a