Analysis
-
max time kernel
146s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
03-11-2024 13:15
General
-
Target
Chams Sudden + Mado,s Injectors/Mado,s Injectors.exe
-
Size
199KB
-
MD5
6f04b35e2ab8ef9b793aa3b6b21bd3f3
-
SHA1
456d2013c9c9558153a073bff5666225cb2957e2
-
SHA256
1829c3afcad6a480a1dccf4b33b4728cc731a2d2ad1a59b23566dd3497c80564
-
SHA512
b03d28859a743a2ba45c26091b480c0d7784e41aa44d23751bcfccc0c2afeda6e520d485e692708ce3016a542a79c97f8b08994dbcbd1f7d8da195f45b1930a6
-
SSDEEP
6144:QjbeiZ/rVBPKs27FbbMlIRf20vrtSQPUgXc:Qu8/QgIh/kQPUYc
Malware Config
Extracted
xtremerat
cutosky.dyndns.org
Signatures
-
Detect XtremeRAT payload 7 IoCs
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Adds policy Run key to start application 2 TTPs 16 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Drops file in System32 directory 9 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 4 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chams Sudden + Mado,s Injectors\Mado,s Injectors.exe"C:\Users\Admin\AppData\Local\Temp\Chams Sudden + Mado,s Injectors\Mado,s Injectors.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MADO_S~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MADO_S~1.EXE2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loader.exe"3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
-
-
C:\Windows\SysWOW64\igfxex.exe"C:\Windows\system32\igfxex.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxex.exe"C:\Windows\SysWOW64\igfxex.exe"5⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe6⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"8⤵
- Executes dropped EXE
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"C:\Users\Admin\AppData\Roaming\system32\igfxex.exe"7⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵
-
-
C:\Windows\SysWOW64\igfxex.exe"C:\Windows\system32\igfxex.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\igfxex.exe"C:\Windows\SysWOW64\igfxex.exe"9⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77KB
MD5cb275238e6c08192075e261eecdbc0c8
SHA1d1d7a89ae800bede57ef509de76dce39aff5f84d
SHA2562dce79436d9b5235d04c6e1d0318d2deb2dca03d1decc704cf58fabdff171578
SHA51237940f1f3e8f9f3b7969b9c3410a53102255b6f227ea0ab94d6d7aef541509025c5bdfd0948334fa471a07e7e11a4a57b2f8e7b1191a7113f87ccdd9b00e36de
-
Filesize
420KB
MD52efd4a79ced9c8760b7341199b306e43
SHA1d4addcbb0b769ceb93fb8bd6a0d806137f3e3e05
SHA25664d4c916b2f76cb14c481f8656d04d175fe4520632a97509de1ad320e95f8216
SHA5126e0421c6f298a6ed0182f982ae634eca2b6ace5aae47bf97a626a9dde6ae7db613791a7b0d503334738456dc4ad718eaf21d9b9e69c0a5ee414a75aec372c74f
-
Filesize
1KB
MD5514468d945ec5abfc0f92cc933b8eb12
SHA15c82a888e771ebdf168bd78a1e99b6fbbae8e3eb
SHA256292056d2a81831a7159dd9b61d87232df8f3de5b0150bf48890b5e13db36944b
SHA5123da97b90763a038e0a192a0fefb35eedd8f601689974d23e1ec7f1ded2ebaa7f4fd34d1d2c839f18b770a8e920e00062f04566d016eef628386de331cdaa5a74
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
448KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB