Analysis

  • max time kernel
    95s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-02-2024 16:34

General

  • Target

    ac581b09eee4b97dcf18144202c732ef.exe

  • Size

    62KB

  • MD5

    ac581b09eee4b97dcf18144202c732ef

  • SHA1

    135b6d20769939253fea76b666e9b0528048d0d2

  • SHA256

    853890c8360ab0aa68f8bf9c63f87019b2ca574e3b600f0dec678d3fb250dc80

  • SHA512

    893afcd6b27d4f28800baa19cfbce7d8c75d6bf7d4342c8a786341d37a25f06d5cf42a0f3d127153c023d2da500104d60940d430b378e170532808d0781376a2

  • SSDEEP

    1536:sT8qDqQ8K9MK3tGHbNwPZ6oIeXHWTl5NX3F:SqMyKdsPeXHW5R

Malware Config

Extracted

Family

xtremerat

C2

11hack11.no-ip.biz

11hack1.no-ip.biz

耀ǖڊڊڊڊ夰3ۃ镈ڈ졀jouba.no-ip.biz

Signatures

  • Detect XtremeRAT payload 3 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac581b09eee4b97dcf18144202c732ef.exe
    "C:\Users\Admin\AppData\Local\Temp\ac581b09eee4b97dcf18144202c732ef.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
        PID:3836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 480
          3⤵
          • Program crash
          PID:3368
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 488
          3⤵
          • Program crash
          PID:4568
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        2⤵
          PID:3872
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3836 -ip 3836
        1⤵
          PID:2052
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3836 -ip 3836
          1⤵
            PID:4816

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/3836-0-0x0000000010000000-0x0000000010047000-memory.dmp

            Filesize

            284KB

          • memory/3836-2-0x0000000010000000-0x0000000010047000-memory.dmp

            Filesize

            284KB

          • memory/4624-1-0x0000000010000000-0x0000000010047000-memory.dmp

            Filesize

            284KB