Overview

overview

10

Static

static

3

Chams Sudd...rs.exe

windows7-x64

10

Chams Sudd...rs.exe

windows10-2004-x64

10

Chams Sudd...no.dll

windows7-x64

3

Chams Sudd...no.dll

windows10-2004-x64

3

Perx Wall ...ed.exe

windows7-x64

3

Perx Wall ...ed.exe

windows10-2004-x64

3

Perx Wall ...no.dll

windows7-x64

3

Perx Wall ...no.dll

windows10-2004-x64

3

Siyanur la...ck.exe

windows7-x64

7

Siyanur la...ck.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Chams Sudden + Mado,s Injectors/Mado,s Injectors.exe

  • Size

    199KB

  • MD5

    6f04b35e2ab8ef9b793aa3b6b21bd3f3

  • SHA1

    456d2013c9c9558153a073bff5666225cb2957e2

  • SHA256

    1829c3afcad6a480a1dccf4b33b4728cc731a2d2ad1a59b23566dd3497c80564

  • SHA512

    b03d28859a743a2ba45c26091b480c0d7784e41aa44d23751bcfccc0c2afeda6e520d485e692708ce3016a542a79c97f8b08994dbcbd1f7d8da195f45b1930a6

  • SSDEEP

    6144:QjbeiZ/rVBPKs27FbbMlIRf20vrtSQPUgXc:Qu8/QgIh/kQPUYc

Score
10/10
xtremeratdiscoverypersistenceratspywareupx

Malware Config

Extracted

Family

xtremerat

C2

cutosky.dyndns.org

Signatures

  • Detect XtremeRAT payload 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • Adds policy Run key to start application 2 TTPs 16 IoCs
    persistence
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 32 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chams Sudden + Mado,s Injectors\Mado,s Injectors.exe
    "C:\Users\Admin\AppData\Local\Temp\Chams Sudden + Mado,s Injectors\Mado,s Injectors.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MADO_S~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MADO_S~1.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1632
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1860
          • C:\Windows\SysWOW64\igfxex.exe
            "C:\Windows\system32\igfxex.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:668
            • C:\Windows\SysWOW64\igfxex.exe
              "C:\Windows\SysWOW64\igfxex.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:1620
          • C:\Windows\SysWOW64\igfxex.exe
            "C:\Windows\system32\igfxex.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2452
            • C:\Windows\SysWOW64\igfxex.exe
              "C:\Windows\SysWOW64\igfxex.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2272
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
            PID:2228
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:584
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              4⤵
                PID:1636
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                4⤵
                  PID:2628
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  4⤵
                    PID:2108
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    4⤵
                      PID:2340
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe"
                      4⤵
                        PID:2044
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe"
                        4⤵
                          PID:1688
                        • C:\Windows\SysWOW64\igfxex.exe
                          "C:\Windows\system32\igfxex.exe"
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2916
                          • C:\Windows\SysWOW64\igfxex.exe
                            "C:\Windows\SysWOW64\igfxex.exe"
                            5⤵
                            • Modifies WinLogon for persistence
                            • Adds policy Run key to start application
                            • Boot or Logon Autostart Execution: Active Setup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Adds Run key to start application
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            PID:2020
                            • C:\Program Files\Internet Explorer\iexplore.exe
                              "C:\Program Files\Internet Explorer\iexplore.exe"
                              6⤵
                                PID:2980
                              • C:\Program Files\Internet Explorer\iexplore.exe
                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                6⤵
                                  PID:2684
                                • C:\Program Files\Internet Explorer\iexplore.exe
                                  "C:\Program Files\Internet Explorer\iexplore.exe"
                                  6⤵
                                    PID:2268
                                  • C:\Program Files\Internet Explorer\iexplore.exe
                                    "C:\Program Files\Internet Explorer\iexplore.exe"
                                    6⤵
                                      PID:988
                                    • C:\Program Files\Internet Explorer\iexplore.exe
                                      "C:\Program Files\Internet Explorer\iexplore.exe"
                                      6⤵
                                        PID:2192
                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                        6⤵
                                          PID:2176
                                        • C:\Program Files\Internet Explorer\iexplore.exe
                                          "C:\Program Files\Internet Explorer\iexplore.exe"
                                          6⤵
                                            PID:1872
                                          • C:\Program Files\Internet Explorer\iexplore.exe
                                            "C:\Program Files\Internet Explorer\iexplore.exe"
                                            6⤵
                                              PID:2216
                                            • C:\Users\Admin\AppData\Roaming\system32\igfxex.exe
                                              "C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"
                                              6⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Suspicious use of SetThreadContext
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of SetWindowsHookEx
                                              PID:664
                                              • C:\Users\Admin\AppData\Roaming\system32\igfxex.exe
                                                "C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"
                                                7⤵
                                                • Modifies WinLogon for persistence
                                                • Adds policy Run key to start application
                                                • Boot or Logon Autostart Execution: Active Setup
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Adds Run key to start application
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                PID:2968
                                                • C:\Program Files\Internet Explorer\iexplore.exe
                                                  "C:\Program Files\Internet Explorer\iexplore.exe"
                                                  8⤵
                                                    PID:352
                                                  • C:\Program Files\Internet Explorer\iexplore.exe
                                                    "C:\Program Files\Internet Explorer\iexplore.exe"
                                                    8⤵
                                                      PID:1284
                                                    • C:\Program Files\Internet Explorer\iexplore.exe
                                                      "C:\Program Files\Internet Explorer\iexplore.exe"
                                                      8⤵
                                                        PID:2448
                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                        8⤵
                                                          PID:1660
                                                        • C:\Program Files\Internet Explorer\iexplore.exe
                                                          "C:\Program Files\Internet Explorer\iexplore.exe"
                                                          8⤵
                                                            PID:2464
                                                          • C:\Program Files\Internet Explorer\iexplore.exe
                                                            "C:\Program Files\Internet Explorer\iexplore.exe"
                                                            8⤵
                                                              PID:3012
                                                            • C:\Program Files\Internet Explorer\iexplore.exe
                                                              "C:\Program Files\Internet Explorer\iexplore.exe"
                                                              8⤵
                                                                PID:324
                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                8⤵
                                                                  PID:888
                                                                • C:\Windows\SysWOW64\igfxex.exe
                                                                  "C:\Windows\system32\igfxex.exe"
                                                                  8⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Drops file in System32 directory
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:2376
                                                                  • C:\Windows\SysWOW64\igfxex.exe
                                                                    "C:\Windows\SysWOW64\igfxex.exe"
                                                                    9⤵
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:1772

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UQRHDH9l0.cfg
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    514468d945ec5abfc0f92cc933b8eb12

                                                    SHA1

                                                    5c82a888e771ebdf168bd78a1e99b6fbbae8e3eb

                                                    SHA256

                                                    292056d2a81831a7159dd9b61d87232df8f3de5b0150bf48890b5e13db36944b

                                                    SHA512

                                                    3da97b90763a038e0a192a0fefb35eedd8f601689974d23e1ec7f1ded2ebaa7f4fd34d1d2c839f18b770a8e920e00062f04566d016eef628386de331cdaa5a74

                                                    Download Submit

                                                  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe
                                                    Filesize

                                                    77KB

                                                    MD5

                                                    cb275238e6c08192075e261eecdbc0c8

                                                    SHA1

                                                    d1d7a89ae800bede57ef509de76dce39aff5f84d

                                                    SHA256

                                                    2dce79436d9b5235d04c6e1d0318d2deb2dca03d1decc704cf58fabdff171578

                                                    SHA512

                                                    37940f1f3e8f9f3b7969b9c3410a53102255b6f227ea0ab94d6d7aef541509025c5bdfd0948334fa471a07e7e11a4a57b2f8e7b1191a7113f87ccdd9b00e36de

                                                    Download Submit

                                                  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\MADO_S~1.EXE
                                                    Filesize

                                                    420KB

                                                    MD5

                                                    2efd4a79ced9c8760b7341199b306e43

                                                    SHA1

                                                    d4addcbb0b769ceb93fb8bd6a0d806137f3e3e05

                                                    SHA256

                                                    64d4c916b2f76cb14c481f8656d04d175fe4520632a97509de1ad320e95f8216

                                                    SHA512

                                                    6e0421c6f298a6ed0182f982ae634eca2b6ace5aae47bf97a626a9dde6ae7db613791a7b0d503334738456dc4ad718eaf21d9b9e69c0a5ee414a75aec372c74f

                                                    Download Submit

                                                  • memory/1632-10-0x0000000000F30000-0x0000000000FA0000-memory.dmp

                                                    Filesize

                                                    448KB

                                                    Download

                                                  • memory/1632-11-0x0000000005300000-0x0000000005340000-memory.dmp

                                                    Filesize

                                                    256KB

                                                    Download

                                                  • memory/1632-12-0x0000000005300000-0x0000000005340000-memory.dmp

                                                    Filesize

                                                    256KB

                                                    Download

                                                  • memory/1632-13-0x0000000005300000-0x0000000005340000-memory.dmp

                                                    Filesize

                                                    256KB

                                                    Download

                                                  • memory/1860-47-0x0000000000C80000-0x0000000000C96000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/2020-68-0x0000000000C80000-0x0000000000C96000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/2744-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/2744-26-0x0000000000C80000-0x0000000000C96000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/2744-38-0x0000000000C80000-0x0000000000C96000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/2744-37-0x0000000000C80000-0x0000000000C96000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/2744-35-0x0000000000C80000-0x0000000000C96000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/2744-30-0x0000000000C80000-0x0000000000C96000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/2744-33-0x0000000000C80000-0x0000000000C96000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/2744-28-0x0000000000C80000-0x0000000000C96000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download