Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2024 19:28
Behavioral task: behavioral1
- Sample: a9f9c075777cc004a908f6b68c11508c.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: a9f9c075777cc004a908f6b68c11508c.exe
- Resource: win10v2004-20240226-en
General
- Target: a9f9c075777cc004a908f6b68c11508c.exe
- Size: 301KB
- MD5: a9f9c075777cc004a908f6b68c11508c
- SHA1: 256171a4139c31b8baf20b543474383b25d73746
- SHA256: 2c7b5d90ea3ba0041bc79f9fe07925b3a665d61d1af8921551d7b429f87082e7
- SHA512: 224d2c5c4ccdfe5a34d887633a5b074f8767be514d9ccfa606697e4940ccfa4ff6a6cf1e827bf97666e7bbe8ee8c2c11ef57b2bb49a03bc9034ad5548fa12b05
- SSDEEP: 768:N8m1Sq4NQErBsH1tzoisBKQI6dObAG/dq8uW29Ifnca/yyR+P2ujfGii7mzobNoz:psq+QV4rObAdXWpf/y+n6oa7OGoox
Malware Config
Signatures

Detect XtremeRAT payload (4 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1956-0-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/2668-3-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/1956-4-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/2668-5-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Processes:
resource | yara_rule
behavioral1/memory/1956-0-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2668-3-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/1956-4-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2668-5-0x0000000010000000-0x000000001004D000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description | pid | process | target process
PID 1956 wrote to memory of 2668 | 1956 | a9f9c075777cc004a908f6b68c11508c.exe | svchost.exe
PID 1956 wrote to memory of 2668 | 1956 | a9f9c075777cc004a908f6b68c11508c.exe | svchost.exe
PID 1956 wrote to memory of 2668 | 1956 | a9f9c075777cc004a908f6b68c11508c.exe | svchost.exe
PID 1956 wrote to memory of 2668 | 1956 | a9f9c075777cc004a908f6b68c11508c.exe | svchost.exe
PID 1956 wrote to memory of 2668 | 1956 | a9f9c075777cc004a908f6b68c11508c.exe | svchost.exe
PID 1956 wrote to memory of 2944 | 1956 | a9f9c075777cc004a908f6b68c11508c.exe | iexplore.exe
PID 1956 wrote to memory of 2944 | 1956 | a9f9c075777cc004a908f6b68c11508c.exe | iexplore.exe
PID 1956 wrote to memory of 2944 | 1956 | a9f9c075777cc004a908f6b68c11508c.exe | iexplore.exe
PID 1956 wrote to memory of 2944 | 1956 | a9f9c075777cc004a908f6b68c11508c.exe | iexplore.exe
PID 1956 wrote to memory of 2944 | 1956 | a9f9c075777cc004a908f6b68c11508c.exe | iexplore.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\a9f9c075777cc004a908f6b68c11508c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a9f9c075777cc004a908f6b68c11508c.exe"
   PID: 1956
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      PID: 2668
   2. C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2944