Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-02-2024 16:14
Behavioral task: behavioral1
- Sample: aeef12bd1dbb8885269868ed6d1c48ab.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: aeef12bd1dbb8885269868ed6d1c48ab.exe
- Resource: win10v2004-20240226-en
General
- Target: aeef12bd1dbb8885269868ed6d1c48ab.exe
- Size: 33KB
- MD5: aeef12bd1dbb8885269868ed6d1c48ab
- SHA1: 4a52bd1786b19c855130e30df7429962ad3ad36d
- SHA256: 540fcb6674b0d7b91bc885782fd3c24c132d74db9ab0058af9b125fd5aa7f102
- SHA512: 4e5f52536b042c7625e676bf6cf4360205bfefd836d8d635176e68af5c6f50c4a03adf1aec4c2a8aba1e5470abfe0f7e602b5ee80fee5184643b9175f3908168
- SSDEEP: 768:cMuijtHf5g7/IIG3bGcYDBSvFIWuePQDGEsgCBiXvQZG:VNW71rcYDAWeoDrsDQ
Malware Config
Signatures
- Detect XtremeRAT payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1936-3-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
  behavioral1/memory/1908-4-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
  behavioral1/memory/1936-5-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder and has been available since at least 2010; it is written in Delphi.
- UPX-packed memory regions (yara rule upx)
  Processes:
  resource | yara_rule
  behavioral1/memory/1908-0-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral1/memory/1936-3-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral1/memory/1908-4-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral1/memory/1936-5-0x0000000010000000-0x000000001004D000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: aeef12bd1dbb8885269868ed6d1c48ab.exe
  description | pid | process | target process
  PID 1908 wrote to memory of 1936 | 1908 | aeef12bd1dbb8885269868ed6d1c48ab.exe | svchost.exe
  PID 1908 wrote to memory of 1936 | 1908 | aeef12bd1dbb8885269868ed6d1c48ab.exe | svchost.exe
  PID 1908 wrote to memory of 1936 | 1908 | aeef12bd1dbb8885269868ed6d1c48ab.exe | svchost.exe
  PID 1908 wrote to memory of 1936 | 1908 | aeef12bd1dbb8885269868ed6d1c48ab.exe | svchost.exe
  PID 1908 wrote to memory of 1936 | 1908 | aeef12bd1dbb8885269868ed6d1c48ab.exe | svchost.exe
  PID 1908 wrote to memory of 2984 | 1908 | aeef12bd1dbb8885269868ed6d1c48ab.exe | iexplore.exe
  PID 1908 wrote to memory of 2984 | 1908 | aeef12bd1dbb8885269868ed6d1c48ab.exe | iexplore.exe
  PID 1908 wrote to memory of 2984 | 1908 | aeef12bd1dbb8885269868ed6d1c48ab.exe | iexplore.exe
  PID 1908 wrote to memory of 2984 | 1908 | aeef12bd1dbb8885269868ed6d1c48ab.exe | iexplore.exe
  PID 1908 wrote to memory of 2984 | 1908 | aeef12bd1dbb8885269868ed6d1c48ab.exe | iexplore.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\aeef12bd1dbb8885269868ed6d1c48ab.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aeef12bd1dbb8885269868ed6d1c48ab.exe"
  depth: 1
  PID: 1908
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    depth: 2
    PID: 1936
  - C:\Program Files\Internet Explorer\iexplore.exe
    command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    depth: 2
    PID: 2984