Analysis

  • max time kernel
    92s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-02-2024 21:51

General

  • Target

    aa3f313ac924c27b2d2fe5acf6c5401a.exe

  • Size

    106KB

  • MD5

    aa3f313ac924c27b2d2fe5acf6c5401a

  • SHA1

    63fcc3eb367d36544dcd0810310ed26ba5f3ce4c

  • SHA256

    7bec450473cf1cffaba40e912d04dd7cc5da0d00649f17c31a099557721c74d9

  • SHA512

    f07c87f247ca1346a5d4279730795c77b2a5150482482e7dca816278e7785d524c0c3ddf0997fe25ec20ce8cb5f29d68bda006e594e4f0ad64f2ffe964bb2a89

  • SSDEEP

    1536:rqHvMCaAweZSsHpy/RGeCyjmKq5D6pMFhWi+PUlOCX/Aq4eoiU:atUsHp+5xe5WWHAyo1

Malware Config

Signatures

  • Detect XtremeRAT payload 7 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa3f313ac924c27b2d2fe5acf6c5401a.exe
    "C:\Users\Admin\AppData\Local\Temp\aa3f313ac924c27b2d2fe5acf6c5401a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Users\Admin\AppData\Local\Temp\aa3f313ac924c27b2d2fe5acf6c5401a.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:4656
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 480
            4⤵
            • Program crash
            PID:3928
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 488
            4⤵
            • Program crash
            PID:4420
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          3⤵
            PID:4380
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4656 -ip 4656
        1⤵
          PID:3516
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4656 -ip 4656
          1⤵
            PID:4340

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/2052-2-0x0000000010000000-0x000000001004A000-memory.dmp

            Filesize

            296KB

          • memory/2052-3-0x0000000010000000-0x000000001004A000-memory.dmp

            Filesize

            296KB

          • memory/2052-4-0x0000000010000000-0x000000001004A000-memory.dmp

            Filesize

            296KB

          • memory/2052-5-0x0000000010000000-0x000000001004A000-memory.dmp

            Filesize

            296KB

          • memory/2052-7-0x0000000010000000-0x000000001004A000-memory.dmp

            Filesize

            296KB

          • memory/4656-6-0x0000000010000000-0x000000001004A000-memory.dmp

            Filesize

            296KB

          • memory/4656-8-0x0000000010000000-0x000000001004A000-memory.dmp

            Filesize

            296KB