Analysis
-
max time kernel
120s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-10-2024 19:07
General
-
Target
0f33a9d0abe2c1c7902d861e4bd8b4f419cbd431a2048cb7a17827ac7dec2e61N.exe
-
Size
2.4MB
-
MD5
5f4e35a011f3717d5ada9865d8867fb0
-
SHA1
cae012e3dcffac07162c72d48f32b62db71b8759
-
SHA256
0f33a9d0abe2c1c7902d861e4bd8b4f419cbd431a2048cb7a17827ac7dec2e61
-
SHA512
7ec2493933cc700c216574f60070f0baaed2ce24c306ce123556bc7c149c573083290cc6f1a7e1b3ed33851a28fdcd5716a0c806d8dbe1d7d2c43a226b19182e
-
SSDEEP
49152:VdAKs1ZTeWKH7qC2huWZYz827+doDBfEzbsDDS/BsuPYfq7DTAQ:wKs1ZTc7uQWZKb7goFfEzbsDDS/CkOuH
Score
10/10
Malware Config
Signatures
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Adds policy Run key to start application 2 TTPs 8 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 15 IoCs
-
Loads dropped DLL 17 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f33a9d0abe2c1c7902d861e4bd8b4f419cbd431a2048cb7a17827ac7dec2e61N.exe"C:\Users\Admin\AppData\Local\Temp\0f33a9d0abe2c1c7902d861e4bd8b4f419cbd431a2048cb7a17827ac7dec2e61N.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0f33a9d0abe2c1c7902d861e4bd8b4f419cbd431a2048cb7a17827ac7dec2e61N.exe"C:\Users\Admin\AppData\Local\Temp\0f33a9d0abe2c1c7902d861e4bd8b4f419cbd431a2048cb7a17827ac7dec2e61N.exe"2⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
-
C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"C:\Users\Admin\AppData\Roaming\VMware vCenter3\vmvctr3.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1018KB
MD5bc9b20d15be56588dc1716ce4b0aedee
SHA1054a2970bc0c453b656d0ef2bd1a4f4c97707145
SHA25635b282de1c0bd77fac64a1b1f692f521a37a706d9f110a696d428a81e3035120
SHA5120620e13687e7d3441ad0c11f30e5d2345b26da00f38ef299eb624f338f900b24b403600c2b153faa6e22d98a2ca0e2cd1307997e62052f04d2fa2176fe5648cb
-
Filesize
2.4MB
MD55f4e35a011f3717d5ada9865d8867fb0
SHA1cae012e3dcffac07162c72d48f32b62db71b8759
SHA2560f33a9d0abe2c1c7902d861e4bd8b4f419cbd431a2048cb7a17827ac7dec2e61
SHA5127ec2493933cc700c216574f60070f0baaed2ce24c306ce123556bc7c149c573083290cc6f1a7e1b3ed33851a28fdcd5716a0c806d8dbe1d7d2c43a226b19182e
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
1.1MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
1.1MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
1.1MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
1.1MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4KB