Analysis
- max time kernel: 12s
- max time network: 14s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-11-2024 20:42

Behavioral task: behavioral1
- Sample: server.exe
- Resource: win10v2004-20241007-en (windows10-2004-x64)
- 6 signatures
- 150 seconds
General
- Target: server.exe
- Size: 62KB
- MD5: 19a77f3d8e4cdb9c961bea7dd9a85ac8
- SHA1: e79423d3798ebde9f5bce660e82747f6e48b7a46
- SHA256: 444b623214a35b2c172e5235212e84e16d05ef82d619014d65e1892fc0b246c5
- SHA512: bad64396ea861757f522ec904501b5a341dcc8d3a9afeb675a7324863d2b16f6baf13476f46be297ffc0dfd5c3b4f2f21a5e65bcc1b6caef51a6b409e45a9cda
- SSDEEP: 1536:sT8qDqQ8K9MK3tGjbNwPZ6oIeXHWTl5NX33:SqMyKdcPeXHW5j
- Score: 10/10
Malware Config

Signatures
- Detect XtremeRAT payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/1468-0-0x0000000010000000-0x0000000010047000-memory.dmp | family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Xtremerat family
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1468 wrote to memory of 3668 | 1468 | server.exe | 83
  PID 1468 wrote to memory of 3668 | 1468 | server.exe | 83
  PID 1468 wrote to memory of 3668 | 1468 | server.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
  PID: 1468
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    PID: 3668