Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2024 14:07
Behavioral task behavioral1
- Sample: a95aa8f30ca55435085536fa44267ebe.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: a95aa8f30ca55435085536fa44267ebe.exe
- Resource: win10v2004-20240226-en
General
- Target: a95aa8f30ca55435085536fa44267ebe.exe
- Size: 45KB
- MD5: a95aa8f30ca55435085536fa44267ebe
- SHA1: 75eee9f9eed3b142c0187a38ad7df62181254c81
- SHA256: 5f3bd6c7e98fd1a5af9cfc95f2ff61670db0099a52caeaeae90ce527d0736a33
- SHA512: b9c2d511f70a5d53ea51bf01288eb9d96b41808d356ae1b235a8da7d91cc37721f36f14fdf049f5e54dc6555beca5916844d1fe42199a55b71a43d26d1e2ecea
- SSDEEP: 768:PBr+tjFY90iY6W1jwmDzKgEFQXaklMIAn0tYCpPQzoEv:ZyRh31jxPEFQXak+05QoEv
Malware Config
Extracted
- Family: xtremerat
- C2: rax.no-ip.biz
Signatures
- Detect XtremeRAT payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/2036-8-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
  C:\Users\Admin\AppData\Roaming\flashEXE\ctfmon.exe | family_xtremerat
  behavioral1/memory/2560-12-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
  behavioral1/memory/2212-15-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
  behavioral1/memory/2188-16-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
  behavioral1/memory/2212-17-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  Processes: svchost.exe, a95aa8f30ca55435085536fa44267ebe.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61ESDE00-7JEI-D478-YP30-51F6J284W87C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe restart" | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{61ESDE00-7JEI-D478-YP30-51F6J284W87C} | a95aa8f30ca55435085536fa44267ebe.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61ESDE00-7JEI-D478-YP30-51F6J284W87C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe restart" | a95aa8f30ca55435085536fa44267ebe.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{61ESDE00-7JEI-D478-YP30-51F6J284W87C} | svchost.exe
- Deletes itself (1 IoC)
  Processes: explorer.exe
  pid | process
  2560 | explorer.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: a95aa8f30ca55435085536fa44267ebe.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe" | a95aa8f30ca55435085536fa44267ebe.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe" | a95aa8f30ca55435085536fa44267ebe.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe" | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: a95aa8f30ca55435085536fa44267ebe.exe
  description | pid | process | target process
  PID 2188 wrote to memory of 2036 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | svchost.exe
  PID 2188 wrote to memory of 2036 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | svchost.exe
  PID 2188 wrote to memory of 2036 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | svchost.exe
  PID 2188 wrote to memory of 2036 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | svchost.exe
  PID 2188 wrote to memory of 2036 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | svchost.exe
  PID 2188 wrote to memory of 2524 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | iexplore.exe
  PID 2188 wrote to memory of 2524 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | iexplore.exe
  PID 2188 wrote to memory of 2524 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | iexplore.exe
  PID 2188 wrote to memory of 2524 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | iexplore.exe
  PID 2188 wrote to memory of 2212 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
  PID 2188 wrote to memory of 2212 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
  PID 2188 wrote to memory of 2212 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
  PID 2188 wrote to memory of 2212 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
  PID 2188 wrote to memory of 2560 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
  PID 2188 wrote to memory of 2560 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
  PID 2188 wrote to memory of 2560 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
  PID 2188 wrote to memory of 2560 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
  PID 2188 wrote to memory of 2560 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
  PID 2188 wrote to memory of 2212 | 2188 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
Processes (tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\a95aa8f30ca55435085536fa44267ebe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a95aa8f30ca55435085536fa44267ebe.exe"
  PID: 2188
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2036
    - Modifies Installed Components in the registry
    - Adds Run key to start application
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 2524
  - C:\Windows\SysWOW64\explorer.exe
    Command line: explorer.exe
    PID: 2212
  - C:\Windows\SysWOW64\explorer.exe
    Command line: explorer.exe
    PID: 2560
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15