Analysis
-
max time kernel: 92s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 19:28
Behavioral task: behavioral1
Sample: a9f9c075777cc004a908f6b68c11508c.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: a9f9c075777cc004a908f6b68c11508c.exe
Resource: win10v2004-20240226-en
General
-
Target: a9f9c075777cc004a908f6b68c11508c.exe
Size: 301KB
MD5: a9f9c075777cc004a908f6b68c11508c
SHA1: 256171a4139c31b8baf20b543474383b25d73746
SHA256: 2c7b5d90ea3ba0041bc79f9fe07925b3a665d61d1af8921551d7b429f87082e7
SHA512: 224d2c5c4ccdfe5a34d887633a5b074f8767be514d9ccfa606697e4940ccfa4ff6a6cf1e827bf97666e7bbe8ee8c2c11ef57b2bb49a03bc9034ad5548fa12b05
SSDEEP: 768:N8m1Sq4NQErBsH1tzoisBKQI6dObAG/dq8uW29Ifnca/yyR+P2ujfGii7mzobNoz:psq+QV4rObAdXWpf/y+n6oa7OGoox
Malware Config
Signatures
-
Detect XtremeRAT payload (4 IoCs)
Processes:
resource                                                                   yara_rule
behavioral2/memory/4952-0-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/4268-1-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/4952-2-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral2/memory/4268-3-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Processes:
resource                                                                   yara_rule
behavioral2/memory/4952-0-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/4268-1-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/4952-2-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral2/memory/4268-3-0x0000000010000000-0x000000001004D000-memory.dmp  upx
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
pid   pid_target  process       target process
956   4268        WerFault.exe  svchost.exe
1460  4268        WerFault.exe  svchost.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: a9f9c075777cc004a908f6b68c11508c.exe
description                       pid   process                               target process
PID 4952 wrote to memory of 4268  4952  a9f9c075777cc004a908f6b68c11508c.exe  svchost.exe
PID 4952 wrote to memory of 4268  4952  a9f9c075777cc004a908f6b68c11508c.exe  svchost.exe
PID 4952 wrote to memory of 4268  4952  a9f9c075777cc004a908f6b68c11508c.exe  svchost.exe
PID 4952 wrote to memory of 4268  4952  a9f9c075777cc004a908f6b68c11508c.exe  svchost.exe
PID 4952 wrote to memory of 3512  4952  a9f9c075777cc004a908f6b68c11508c.exe  msedge.exe
PID 4952 wrote to memory of 3512  4952  a9f9c075777cc004a908f6b68c11508c.exe  msedge.exe
PID 4952 wrote to memory of 3512  4952  a9f9c075777cc004a908f6b68c11508c.exe  msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9f9c075777cc004a908f6b68c11508c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9f9c075777cc004a908f6b68c11508c.exe"
  PID: 4952
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 4268

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 480
          PID: 956
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 488
          PID: 1460
          - Program crash

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      PID: 3512

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4268 -ip 4268
  PID: 5112

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4268 -ip 4268
  PID: 2768