Analysis
- max time kernel: 146s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2024 00:08
Static task: static1
Behavioral task: behavioral1
- Sample: a7b619b63d04e9a3cfcd483997a80eed.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a7b619b63d04e9a3cfcd483997a80eed.exe
- Resource: win10v2004-20240226-en
General
- Target: a7b619b63d04e9a3cfcd483997a80eed.exe
- Size: 37KB
- MD5: a7b619b63d04e9a3cfcd483997a80eed
- SHA1: 0d6ecc6b7fcd77f75c7d81098587089f046c81d4
- SHA256: 5a74ec4a87740ce4535f8af0f01ebedb3c2d850b618b6c6ded92004dc5976030
- SHA512: 478a06625925bc29e174c9701810b2e05a34443964ea9deac65fcdbbce1836c239733f9d1092d3129f4c36639811143d497d0084a9d5ea2b36500abb3701cf36
- SSDEEP: 768:IaKgWMAg3BuZEiwefKEeY4921tWY+hTFCeSyMQQHFY7D8:IaDAiBuWZEeYu23WYyFTSysHF
Malware Config
Extracted
- Family: xtremerat
- C2: mohamedmmk.zapto.org
Signatures
-
Detect XtremeRAT payload (8 IoCs)
resource | yara_rule
behavioral1/memory/2972-4-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2972-7-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2972-6-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2972-9-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/3020-15-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2036-19-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2972-20-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral1/memory/2036-22-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{268440QE-82NW-T265-8D28-T8YA6XD4LE6B} | a7b619b63d04e9a3cfcd483997a80eed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{268440QE-82NW-T265-8D28-T8YA6XD4LE6B}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\schov.exe restart" | a7b619b63d04e9a3cfcd483997a80eed.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{268440QE-82NW-T265-8D28-T8YA6XD4LE6B} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{268440QE-82NW-T265-8D28-T8YA6XD4LE6B}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\schov.exe restart" | svchost.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\schov.exe" | a7b619b63d04e9a3cfcd483997a80eed.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\schov.exe" | a7b619b63d04e9a3cfcd483997a80eed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\schov.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\schov.exe" | svchost.exe
-
Suspicious use of SetThreadContext (1 IoCs)
description | pid | process | target process
PID 1048 set thread context of 2972 | 1048 | a7b619b63d04e9a3cfcd483997a80eed.exe | a7b619b63d04e9a3cfcd483997a80eed.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
1048 | a7b619b63d04e9a3cfcd483997a80eed.exe
2036 | notepad.exe
-
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | process | target process
PID 1048 wrote to memory of 2972 | 1048 | a7b619b63d04e9a3cfcd483997a80eed.exe | a7b619b63d04e9a3cfcd483997a80eed.exe (14 identical entries)
PID 2972 wrote to memory of 3020 | 2972 | a7b619b63d04e9a3cfcd483997a80eed.exe | svchost.exe (5 identical entries)
PID 2972 wrote to memory of 2036 | 2972 | a7b619b63d04e9a3cfcd483997a80eed.exe | notepad.exe (5 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a7b619b63d04e9a3cfcd483997a80eed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7b619b63d04e9a3cfcd483997a80eed.exe"
  PID: 1048 (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a7b619b63d04e9a3cfcd483997a80eed.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a7b619b63d04e9a3cfcd483997a80eed.exe"
    PID: 2972 (depth 2)
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 3020 (depth 3)
      - Modifies Installed Components in the registry
      - Adds Run key to start application
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad.exe
      PID: 2036 (depth 3)
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 37KB
  MD5: a7b619b63d04e9a3cfcd483997a80eed
  SHA1: 0d6ecc6b7fcd77f75c7d81098587089f046c81d4
  SHA256: 5a74ec4a87740ce4535f8af0f01ebedb3c2d850b618b6c6ded92004dc5976030
  SHA512: 478a06625925bc29e174c9701810b2e05a34443964ea9deac65fcdbbce1836c239733f9d1092d3129f4c36639811143d497d0084a9d5ea2b36500abb3701cf36