Analysis
  max time kernel: 148s
  max time network: 146s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 27-02-2024 17:50
Behavioral task behavioral1
  Sample: a9c8cae9854449ed7e490c8de523c158.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: a9c8cae9854449ed7e490c8de523c158.exe
  Resource: win10v2004-20240226-en
General
  Target: a9c8cae9854449ed7e490c8de523c158.exe
  Size: 65KB
  MD5: a9c8cae9854449ed7e490c8de523c158
  SHA1: 55130806c705709fc71fc1f339a11f0144ee716e
  SHA256: b71745bd8676d052b0d35507af40ead88f447efcae034fba84b623551c2baa3e
  SHA512: acd29374a508cc3e8f171d6db9a551cdc6dd1bbbe7c0b6e0b41726dd37bc35a075d704a212b8f21f673cc9594d49cd52cf2b39642bba0c2162fe3861c77491c1
  SSDEEP: 768:88m1Sq4NQErBsH1tzoisBKQI6dObAG/dq8uW29Ifnca/yyR+P2ujfGiXsbs8Hvzu:esq+QV4rObAdXWpf/y+Yaro
Malware Config

Signatures
Detect XtremeRAT payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2344-2-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  C:\Windows\InstallDir\Server.exe | family_xtremerat
  behavioral1/memory/1612-6-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  behavioral1/memory/2344-8-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  behavioral1/memory/1612-11-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | a9c8cae9854449ed7e490c8de523c158.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | a9c8cae9854449ed7e490c8de523c158.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | a9c8cae9854449ed7e490c8de523c158.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | a9c8cae9854449ed7e490c8de523c158.exe
Drops file in Windows directory (3 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\InstallDir\Server.exe | a9c8cae9854449ed7e490c8de523c158.exe
  File created | C:\Windows\InstallDir\Server.exe | a9c8cae9854449ed7e490c8de523c158.exe
  File opened for modification | C:\Windows\InstallDir\ | a9c8cae9854449ed7e490c8de523c158.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1612 | a9c8cae9854449ed7e490c8de523c158.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | process | target process
  PID 1612 wrote to memory of 2344 | 1612 | a9c8cae9854449ed7e490c8de523c158.exe | svchost.exe
  PID 1612 wrote to memory of 2344 | 1612 | a9c8cae9854449ed7e490c8de523c158.exe | svchost.exe
  PID 1612 wrote to memory of 2344 | 1612 | a9c8cae9854449ed7e490c8de523c158.exe | svchost.exe
  PID 1612 wrote to memory of 2344 | 1612 | a9c8cae9854449ed7e490c8de523c158.exe | svchost.exe
  PID 1612 wrote to memory of 2344 | 1612 | a9c8cae9854449ed7e490c8de523c158.exe | svchost.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\a9c8cae9854449ed7e490c8de523c158.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\a9c8cae9854449ed7e490c8de523c158.exe"
     PID: 1612
     - Modifies Installed Components in the registry
     - Adds Run key to start application
     - Drops file in Windows directory
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\svchost.exe (child of PID 1612)
        Command line: svchost.exe
        PID: 2344
        - Modifies Installed Components in the registry
        - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15