Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-02-2024 14:07
Behavioral task: behavioral1
- Sample: a95aa8f30ca55435085536fa44267ebe.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a95aa8f30ca55435085536fa44267ebe.exe
- Resource: win10v2004-20240226-en
General
- Target: a95aa8f30ca55435085536fa44267ebe.exe
- Size: 45KB
- MD5: a95aa8f30ca55435085536fa44267ebe
- SHA1: 75eee9f9eed3b142c0187a38ad7df62181254c81
- SHA256: 5f3bd6c7e98fd1a5af9cfc95f2ff61670db0099a52caeaeae90ce527d0736a33
- SHA512: b9c2d511f70a5d53ea51bf01288eb9d96b41808d356ae1b235a8da7d91cc37721f36f14fdf049f5e54dc6555beca5916844d1fe42199a55b71a43d26d1e2ecea
- SSDEEP: 768:PBr+tjFY90iY6W1jwmDzKgEFQXaklMIAn0tYCpPQzoEv:ZyRh31jxPEFQXak+05QoEv
Malware Config
Extracted
- Family: xtremerat
- C2: rax.no-ip.biz
Signatures
-
Detect XtremeRAT payload (6 IoCs)
Processes (resource | yara_rule):
- behavioral2/memory/2956-6-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
- C:\Users\Admin\AppData\Roaming\flashEXE\ctfmon.exe | family_xtremerat
- behavioral2/memory/3560-8-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
- behavioral2/memory/1972-9-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
- behavioral2/memory/4380-10-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
- behavioral2/memory/1972-11-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{61ESDE00-7JEI-D478-YP30-51F6J284W87C} | a95aa8f30ca55435085536fa44267ebe.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61ESDE00-7JEI-D478-YP30-51F6J284W87C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe restart" | a95aa8f30ca55435085536fa44267ebe.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{61ESDE00-7JEI-D478-YP30-51F6J284W87C} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61ESDE00-7JEI-D478-YP30-51F6J284W87C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe restart" | svchost.exe
-
Deletes itself (1 IoCs)
Processes (pid | process):
- 3560 | explorer.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe" | a95aa8f30ca55435085536fa44267ebe.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe" | a95aa8f30ca55435085536fa44267ebe.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\flashEXE\\ctfmon.exe" | svchost.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description | pid | process | target process):
- PID 4380 wrote to memory of 2956 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | svchost.exe
- PID 4380 wrote to memory of 2956 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | svchost.exe
- PID 4380 wrote to memory of 2956 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | svchost.exe
- PID 4380 wrote to memory of 2956 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | svchost.exe
- PID 4380 wrote to memory of 2012 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | msedge.exe
- PID 4380 wrote to memory of 2012 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | msedge.exe
- PID 4380 wrote to memory of 1972 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
- PID 4380 wrote to memory of 1972 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
- PID 4380 wrote to memory of 1972 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
- PID 4380 wrote to memory of 3560 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
- PID 4380 wrote to memory of 3560 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
- PID 4380 wrote to memory of 3560 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
- PID 4380 wrote to memory of 3560 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
- PID 4380 wrote to memory of 1972 | 4380 | a95aa8f30ca55435085536fa44267ebe.exe | explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a95aa8f30ca55435085536fa44267ebe.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a95aa8f30ca55435085536fa44267ebe.exe"
PID: 4380
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\svchost.exe (depth 2)
  Command line: svchost.exe
  PID: 2956
  - Modifies Installed Components in the registry
  - Adds Run key to start application
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  PID: 2012
-
  C:\Windows\SysWOW64\explorer.exe (depth 2)
  Command line: explorer.exe
  PID: 1972
-
  C:\Windows\SysWOW64\explorer.exe (depth 2)
  Command line: explorer.exe
  PID: 3560
  - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 45KB
- MD5: a95aa8f30ca55435085536fa44267ebe
- SHA1: 75eee9f9eed3b142c0187a38ad7df62181254c81
- SHA256: 5f3bd6c7e98fd1a5af9cfc95f2ff61670db0099a52caeaeae90ce527d0736a33
- SHA512: b9c2d511f70a5d53ea51bf01288eb9d96b41808d356ae1b235a8da7d91cc37721f36f14fdf049f5e54dc6555beca5916844d1fe42199a55b71a43d26d1e2ecea