Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2024 14:48
Static task
static1
Behavioral task
behavioral1
Sample
32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
Resource
win10v2004-20241007-en
General
-
Target
32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
-
Size
809KB
-
MD5
4a06d9989a8c3a9967c2011e5baf3010
-
SHA1
d049b12303d0aad48a5868a1050d82ded68272d4
-
SHA256
32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2
-
SHA512
09d6140a6781d700b6c5d0454add34a3d655eedc1615331d8362692059aff186da4b3543f96699ff0071ea185e81c5c4971e0d3b394ed970ed49651b38184686
-
SSDEEP
12288:fxaVAh64U5lwEO6MlJpy5RP5kOn9KdyYUkdve8LUj8dDwZX4ofxYlp0+EudGw9MZ:fxaVxr5+EkybBb4U028dDwjeDdT9NQ
Malware Config
Extracted
xtremerat
good.zapto.org
Signatures
-
Detect XtremeRAT payload 8 IoCs
resource yara_rule behavioral2/memory/2956-63-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat behavioral2/memory/2956-71-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat behavioral2/memory/2956-75-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat behavioral2/memory/2956-73-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat behavioral2/memory/2956-69-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat behavioral2/memory/2956-65-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat behavioral2/memory/2956-67-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat behavioral2/memory/2956-79-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat -
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe -
Executes dropped EXE 2 IoCs
pid Process 2560 Micrsoft Word.exe 2956 Micrsoft Word.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2560 Micrsoft Word.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2560 set thread context of 2956 2560 Micrsoft Word.exe 94 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micrsoft Word.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micrsoft Word.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1952 WINWORD.EXE 1952 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 1952 WINWORD.EXE 1952 WINWORD.EXE 1952 WINWORD.EXE 2560 Micrsoft Word.exe 1952 WINWORD.EXE 1952 WINWORD.EXE 1952 WINWORD.EXE 1952 WINWORD.EXE 1952 WINWORD.EXE 2956 Micrsoft Word.exe 1952 WINWORD.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4464 wrote to memory of 1952 4464 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe 88 PID 4464 wrote to memory of 1952 4464 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe 88 PID 4464 wrote to memory of 2560 4464 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe 92 PID 4464 wrote to memory of 2560 4464 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe 92 PID 4464 wrote to memory of 2560 4464 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe 92 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94 PID 2560 wrote to memory of 2956 2560 Micrsoft Word.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe"C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe"1⤵
- Checks computer location settings
- Drops startup file
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\temp\Word.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1952
-
-
C:\temp\Micrsoft Word.exe"C:\temp\Micrsoft Word.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\temp\Micrsoft Word.exe"C:\temp\Micrsoft Word.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2956
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
440B
MD58ba5bc9de3fa0db40c10d31687f07ecd
SHA11d985741732e4bbe47c19aa8c04b4412946b6b6b
SHA256f0e78a1bb6b50841277ba58aca57d72fe25f16defed6b046a030ca6658d7c69f
SHA51261f00683ecd633e4b2a250e733b9fcbb4e4b802dd6f7ff13030636e58f490101a9878de164ca800a435f48186949778d76ede02545e57701217ef77e046a1a14
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD55a2f77aa2dd20ddc7eaf2337a3bd8b92
SHA16fbd7889e27ccbc0bcb6b168d907a6f6d8269d82
SHA256db117393063264e5949dbc61c118c0cc16444a6601dd1c940eedaa5c5435e817
SHA512c1b955ee5b39e986197f157463f119d323042f97c7cc7f8095f0b6ef35c2d4ee43d9a7dd0e58a7aa194909150b1218d29041831afafaffa189cea6730fb4ddcf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5c7825cff34a2d8917c5c087bc3b72750
SHA18e64f83100aeb1a634b6484f8b78751da89d5e09
SHA2567e3129657b40a7dd58454ec748eb855d5d0deb2edab7cc57319723a533ac73d5
SHA512445db51f80321ed0066b3ceec8b56f982aa6cc1e709924df73fd3418f9e2e8da993d79bbd2aff5037450025fa9c8536282532fc395a226abee8058a2c14183a4
-
Filesize
700KB
MD54dc0bcdcfb3f3d794175b21872a76079
SHA1148aa40c7a14c87fc9c326396b2041223a27308a
SHA256533ef10438f29b8f38bbe15f14e7377edfd530b15d41e2f001859ed00fdc9054
SHA512c1953b4198bf046a83d8c0fab0faf0539be8615524b6842b2ce8d51f3e6757e69b71e374c763bae4f610d1e60cce12dfb1fc1118e9095a90b8d519a6a1bcab8f
-
Filesize
54KB
MD52884d2ac372fd9dce678e539f247b18d
SHA1f391f40f04f44326450a274867c1987ab7da2765
SHA256230c808c8e60d25423da6a814430f40af90eaca995cd4f985191ad0356e6e00a
SHA512d9328beb0e708f18e029b4f6dcd6ff6f5b2994efe5c31a01c185c55597542943230871a636d491c87c2b801fe4597796cf29dc8c50c0ed1b1b78c2610cfd3b5e