Analysis Overview
SHA256: b7da54fc653b6a932e7dcd386b553d2014c56be60f8e367b34afc750c1c68af9
Threat Level: Known bad
The file abfaec448463602043f960db23960e56 was found to be: Known bad.
Malicious Activity Summary
Detect XtremeRAT payload
XtremeRAT
UPX packed file
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-02-28 13:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-02-28 13:22
Reported: 2024-02-28 13:24
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 122s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XtremeRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2292 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe | C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
"C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe"
C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-02-28 13:22
Reported: 2024-02-28 13:24
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 155s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XtremeRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4800 set thread context of 3956 | N/A | C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe | C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
"C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe"
C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1680 -ip 1680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1680 -ip 1680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 488
Network
Files