Overview

overview

10

Static

static

02 SCRAP B...sx.exe

windows7_x64

10

02 SCRAP B...sx.exe

windows10_x64

1

Analysis

  • max time kernel
    54s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    24-06-2020 14:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02 SCRAP BIDDING INVITATION_xlsx.exe

  • Size

    301KB

  • MD5

    dd5e6e486e6facac99576ee8ebfe048b

  • SHA1

    05a7d384860296a1d5b5d53f908403a53ac7f8bd

  • SHA256

    ada06fa53bcebf55db1efd74571846489efb56f71f3e8283e157e78c69da8ee4

  • SHA512

    c0f19b2349ce51cc64dce57d28a60a4d40d570dd1bdefbcd23c85183700dfda876e8f3f6ff59934d26bfe76c536d2c8ec13ac89e7fce6a0053fa07aceddda5f5

Score
10/10
xpertratmsnevasionpersistencerattrojanupx

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

msn

C2

194.5.99.136:3135

79.134.225.85:3135
Mutex

G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 3 IoCs
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 11 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\02 SCRAP BIDDING INVITATION_xlsx.exe
    "C:\Users\Admin\AppData\Local\Temp\02 SCRAP BIDDING INVITATION_xlsx.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Admin\AppData\Local\Temp\02 SCRAP BIDDING INVITATION_xlsx.exe
      "{path}"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1852
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\02 SCRAP BIDDING INVITATION_xlsx.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch0.txt"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch1.txt"
          4⤵
            PID:1960
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch1.txt"
            4⤵
              PID:1992
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch1.txt"
              4⤵
                PID:2000
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch2.txt"
                4⤵
                  PID:2040
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch3.txt"
                  4⤵
                    PID:1200
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch4.txt"
                    4⤵
                      PID:1100

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Registry Run Keys / Startup Folder

              2
              T1060

              Privilege Escalation

              Bypass User Account Control

              1
              T1088

              Defense Evasion

              Bypass User Account Control

              1
              T1088

              Disabling Security Tools

              3
              T1089

              Modify Registry

              6
              T1112

              Credential Access

              Discovery

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch2.txt
                MD5

                f3b25701fe362ec84616a93a45ce9998

                SHA1

                d62636d8caec13f04e28442a0a6fa1afeb024bbb

                SHA256

                b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                SHA512

                98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                Download Submit
              • C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch4.txt
                MD5

                f3b25701fe362ec84616a93a45ce9998

                SHA1

                d62636d8caec13f04e28442a0a6fa1afeb024bbb

                SHA256

                b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                SHA512

                98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                Download Submit
              • memory/1100-35-0x0000000000400000-0x0000000000415000-memory.dmp
                Filesize

                84KB

                Download
              • memory/1100-34-0x000000000040C2A8-mapping.dmp
                Download
              • memory/1100-33-0x0000000000400000-0x0000000000415000-memory.dmp
                Filesize

                84KB

                Download
              • memory/1200-32-0x0000000000400000-0x0000000000416000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1200-31-0x0000000000400000-0x0000000000416000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1200-30-0x0000000000413750-mapping.dmp
                Download
              • memory/1200-29-0x0000000000400000-0x0000000000416000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1496-1-0x0000000000000000-0x0000000000000000-disk.dmp
                Download
              • memory/1852-13-0x0000000002720000-0x0000000002724000-memory.dmp
                Filesize

                16KB

                Download
              • memory/1852-12-0x0000000001170000-0x0000000001174000-memory.dmp
                Filesize

                16KB

                Download
              • memory/1852-2-0x0000000000400000-0x000000000042C000-memory.dmp
                Filesize

                176KB

                Download
              • memory/1852-3-0x00000000004010B8-mapping.dmp
                Download
              • memory/1872-7-0x0000000000400000-0x0000000000443000-memory.dmp
                Filesize

                268KB

                Download
              • memory/1872-8-0x0000000000401364-mapping.dmp
                Download
              • memory/1872-9-0x0000000000400000-0x0000000000443000-memory.dmp
                Filesize

                268KB

                Download
              • memory/1940-17-0x0000000000400000-0x0000000000426000-memory.dmp
                Filesize

                152KB

                Download
              • memory/1940-16-0x0000000000400000-0x0000000000426000-memory.dmp
                Filesize

                152KB

                Download
              • memory/1940-15-0x0000000000423BC0-mapping.dmp
                Download
              • memory/1940-14-0x0000000000400000-0x0000000000426000-memory.dmp
                Filesize

                152KB

                Download
              • memory/1960-19-0x0000000000411654-mapping.dmp
                Download
              • memory/1992-21-0x0000000000411654-mapping.dmp
                Download
              • memory/2000-23-0x0000000000411654-mapping.dmp
                Download
              • memory/2000-24-0x0000000000400000-0x000000000041B000-memory.dmp
                Filesize

                108KB

                Download
              • memory/2000-22-0x0000000000400000-0x000000000041B000-memory.dmp
                Filesize

                108KB

                Download
              • memory/2040-27-0x0000000000400000-0x0000000000459000-memory.dmp
                Filesize

                356KB

                Download
              • memory/2040-26-0x0000000000442F04-mapping.dmp
                Download
              • memory/2040-25-0x0000000000400000-0x0000000000459000-memory.dmp
                Filesize

                356KB

                Download