Analysis
max time kernel: 150s
max time network: 134s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-02-2024 21:16
Static task: static1
Behavioral task: behavioral1
  Sample: aa2cb15a973424af10b43d595fc3784a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: aa2cb15a973424af10b43d595fc3784a.exe
  Resource: win10v2004-20240226-en
General
Target: aa2cb15a973424af10b43d595fc3784a.exe
Size: 170KB
MD5: aa2cb15a973424af10b43d595fc3784a
SHA1: 9ffc9fac0be1a0d4609de1a3c31f35e66fa849cc
SHA256: fdab584b663b098e50b365092b53ad81d8503340c42346cdf2b5b35203001e48
SHA512: 381d899cfad764eb12a1edca2bfc89449e0434035904035cb4a0aae3b215868fdc9b0a49a7ccc78da6ccfe41cd772f4cfdc0631fc47492d78582e84c9c91979c
SSDEEP: 3072:vrDBQZKHe8fAIwgw4lAA1Bh9BhmhllVobtGiNlI/VJLEwmbqNn4diI82hJNILHEB:hQAHe8fAIwgw4lAAx9BhmroAiHI/VZE9
Malware Config
Extracted
  Family: xtremerat
  Host: tubass.no-ip.org
Signatures

Detect XtremeRAT payload (5 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2752-9-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
  behavioral1/memory/2752-10-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
  behavioral1/memory/2556-13-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
  behavioral1/memory/2752-14-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
  behavioral1/memory/2556-15-0x0000000010000000-0x000000001004B000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Processes:
  resource | yara_rule
  behavioral1/memory/2752-3-0x0000000010000000-0x000000001004B000-memory.dmp | upx
  behavioral1/memory/2752-8-0x0000000010000000-0x000000001004B000-memory.dmp | upx
  behavioral1/memory/2752-9-0x0000000010000000-0x000000001004B000-memory.dmp | upx
  behavioral1/memory/2752-10-0x0000000010000000-0x000000001004B000-memory.dmp | upx
  behavioral1/memory/2556-13-0x0000000010000000-0x000000001004B000-memory.dmp | upx
  behavioral1/memory/2752-14-0x0000000010000000-0x000000001004B000-memory.dmp | upx
  behavioral1/memory/2556-15-0x0000000010000000-0x000000001004B000-memory.dmp | upx
Drops file in System32 directory (1 IoC)
Processes: aa2cb15a973424af10b43d595fc3784a.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\CFGMGR32.DLL | aa2cb15a973424af10b43d595fc3784a.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: aa2cb15a973424af10b43d595fc3784a.exe
  description | pid | process | target process
  PID 1248 set thread context of 2752 | 1248 | aa2cb15a973424af10b43d595fc3784a.exe | aa2cb15a973424af10b43d595fc3784a.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: aa2cb15a973424af10b43d595fc3784a.exe
  pid | process
  1248 | aa2cb15a973424af10b43d595fc3784a.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: aa2cb15a973424af10b43d595fc3784a.exe, aa2cb15a973424af10b43d595fc3784a.exe
  description | pid | process | target process
  PID 1248 wrote to memory of 2752 | 1248 | aa2cb15a973424af10b43d595fc3784a.exe | aa2cb15a973424af10b43d595fc3784a.exe
  PID 1248 wrote to memory of 2752 | 1248 | aa2cb15a973424af10b43d595fc3784a.exe | aa2cb15a973424af10b43d595fc3784a.exe
  PID 1248 wrote to memory of 2752 | 1248 | aa2cb15a973424af10b43d595fc3784a.exe | aa2cb15a973424af10b43d595fc3784a.exe
  PID 1248 wrote to memory of 2752 | 1248 | aa2cb15a973424af10b43d595fc3784a.exe | aa2cb15a973424af10b43d595fc3784a.exe
  PID 1248 wrote to memory of 2752 | 1248 | aa2cb15a973424af10b43d595fc3784a.exe | aa2cb15a973424af10b43d595fc3784a.exe
  PID 1248 wrote to memory of 2752 | 1248 | aa2cb15a973424af10b43d595fc3784a.exe | aa2cb15a973424af10b43d595fc3784a.exe
  PID 1248 wrote to memory of 2752 | 1248 | aa2cb15a973424af10b43d595fc3784a.exe | aa2cb15a973424af10b43d595fc3784a.exe
  PID 1248 wrote to memory of 2752 | 1248 | aa2cb15a973424af10b43d595fc3784a.exe | aa2cb15a973424af10b43d595fc3784a.exe
  PID 1248 wrote to memory of 2752 | 1248 | aa2cb15a973424af10b43d595fc3784a.exe | aa2cb15a973424af10b43d595fc3784a.exe
  PID 2752 wrote to memory of 2556 | 2752 | aa2cb15a973424af10b43d595fc3784a.exe | svchost.exe
  PID 2752 wrote to memory of 2556 | 2752 | aa2cb15a973424af10b43d595fc3784a.exe | svchost.exe
  PID 2752 wrote to memory of 2556 | 2752 | aa2cb15a973424af10b43d595fc3784a.exe | svchost.exe
  PID 2752 wrote to memory of 2556 | 2752 | aa2cb15a973424af10b43d595fc3784a.exe | svchost.exe
  PID 2752 wrote to memory of 2556 | 2752 | aa2cb15a973424af10b43d595fc3784a.exe | svchost.exe
  PID 2752 wrote to memory of 2668 | 2752 | aa2cb15a973424af10b43d595fc3784a.exe | iexplore.exe
  PID 2752 wrote to memory of 2668 | 2752 | aa2cb15a973424af10b43d595fc3784a.exe | iexplore.exe
  PID 2752 wrote to memory of 2668 | 2752 | aa2cb15a973424af10b43d595fc3784a.exe | iexplore.exe
  PID 2752 wrote to memory of 2668 | 2752 | aa2cb15a973424af10b43d595fc3784a.exe | iexplore.exe
  PID 2752 wrote to memory of 2668 | 2752 | aa2cb15a973424af10b43d595fc3784a.exe | iexplore.exe
Processes

C:\Users\Admin\AppData\Local\Temp\aa2cb15a973424af10b43d595fc3784a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa2cb15a973424af10b43d595fc3784a.exe"
  PID: 1248
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\aa2cb15a973424af10b43d595fc3784a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\aa2cb15a973424af10b43d595fc3784a.exe
    PID: 2752
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2556

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2668