Analysis
max time kernel: 93s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 16:14
Behavioral task: behavioral1
Sample: aeef12bd1dbb8885269868ed6d1c48ab.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: aeef12bd1dbb8885269868ed6d1c48ab.exe
Resource: win10v2004-20240226-en
General
Target: aeef12bd1dbb8885269868ed6d1c48ab.exe
Size: 33KB
MD5: aeef12bd1dbb8885269868ed6d1c48ab
SHA1: 4a52bd1786b19c855130e30df7429962ad3ad36d
SHA256: 540fcb6674b0d7b91bc885782fd3c24c132d74db9ab0058af9b125fd5aa7f102
SHA512: 4e5f52536b042c7625e676bf6cf4360205bfefd836d8d635176e68af5c6f50c4a03adf1aec4c2a8aba1e5470abfe0f7e602b5ee80fee5184643b9175f3908168
SSDEEP: 768:cMuijtHf5g7/IIG3bGcYDBSvFIWuePQDGEsgCBiXvQZG:VNW71rcYDAWeoDrsDQ
Malware Config

Signatures

Detect XtremeRAT payload (3 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/4692-1-0x0000000010000000-0x000000001004D000-memory.dmp    family_xtremerat
behavioral2/memory/4496-2-0x0000000010000000-0x000000001004D000-memory.dmp    family_xtremerat
behavioral2/memory/4692-3-0x0000000010000000-0x000000001004D000-memory.dmp    family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Processes:
resource                                                                      yara_rule
behavioral2/memory/4496-0-0x0000000010000000-0x000000001004D000-memory.dmp    upx
behavioral2/memory/4692-1-0x0000000010000000-0x000000001004D000-memory.dmp    upx
behavioral2/memory/4496-2-0x0000000010000000-0x000000001004D000-memory.dmp    upx
behavioral2/memory/4692-3-0x0000000010000000-0x000000001004D000-memory.dmp    upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes:
pid     pid_target    process         target process
4360    4692          WerFault.exe    svchost.exe
2256    4692          WerFault.exe    svchost.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                              pid     process                                  target process
PID 4496 wrote to memory of 4692         4496    aeef12bd1dbb8885269868ed6d1c48ab.exe     svchost.exe
PID 4496 wrote to memory of 4692         4496    aeef12bd1dbb8885269868ed6d1c48ab.exe     svchost.exe
PID 4496 wrote to memory of 4692         4496    aeef12bd1dbb8885269868ed6d1c48ab.exe     svchost.exe
PID 4496 wrote to memory of 4692         4496    aeef12bd1dbb8885269868ed6d1c48ab.exe     svchost.exe
PID 4496 wrote to memory of 1868         4496    aeef12bd1dbb8885269868ed6d1c48ab.exe     msedge.exe
PID 4496 wrote to memory of 1868         4496    aeef12bd1dbb8885269868ed6d1c48ab.exe     msedge.exe
PID 4496 wrote to memory of 1868         4496    aeef12bd1dbb8885269868ed6d1c48ab.exe     msedge.exe
Processes

C:\Users\Admin\AppData\Local\Temp\aeef12bd1dbb8885269868ed6d1c48ab.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aeef12bd1dbb8885269868ed6d1c48ab.exe"
  PID: 4496
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\svchost.exe
  |     command line: svchost.exe
  |     PID: 4692
  |     |
  |     +-- C:\Windows\SysWOW64\WerFault.exe
  |     |     command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 480
  |     |     PID: 4360
  |     |     - Program crash
  |     |
  |     +-- C:\Windows\SysWOW64\WerFault.exe
  |           command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 488
  |           PID: 2256
  |           - Program crash
  |
  +-- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        PID: 1868

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4692 -ip 4692
  PID: 2584

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4692 -ip 4692
  PID: 3328