xpertrat | ada06fa53bcebf55db1efd74571846489efb56f71f3e8283e157e78c69da8ee4

Analysis

max time kernel
54s
max time network
130s
platform
windows7_x64
resource
win7
submitted
24-06-2020 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02 SCRAP BIDDING INVITATION_xlsx.exe
Size

301KB
MD5

dd5e6e486e6facac99576ee8ebfe048b
SHA1

05a7d384860296a1d5b5d53f908403a53ac7f8bd
SHA256

ada06fa53bcebf55db1efd74571846489efb56f71f3e8283e157e78c69da8ee4
SHA512

c0f19b2349ce51cc64dce57d28a60a4d40d570dd1bdefbcd23c85183700dfda876e8f3f6ff59934d26bfe76c536d2c8ec13ac89e7fce6a0053fa07aceddda5f5

Score

10^/10

xpertrat msn evasion persistence rat trojan upx

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

msn

194.5.99.136:3135

79.134.225.85:3135

Mutex

G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1872-7-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral1/memory/1872-8-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/1872-9-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2000-22-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2000-23-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/2000-24-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2040-25-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral1/memory/2040-26-0x0000000000442F04-mapping.dmp	WebBrowserPassView
behavioral1/memory/2040-27-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

resource	yara_rule
behavioral1/memory/1940-17-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral1/memory/2000-22-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2000-23-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/2000-24-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2040-25-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/2040-26-0x0000000000442F04-mapping.dmp	Nirsoft
behavioral1/memory/2040-27-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/1200-32-0x0000000000400000-0x0000000000416000-memory.dmp	Nirsoft
behavioral1/memory/1100-33-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/1100-34-0x000000000040C2A8-mapping.dmp	Nirsoft
behavioral1/memory/1100-35-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8 = "C:\\Users\\Admin\\AppData\\Roaming\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8.exe"	iexplore.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1940-14-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1940-16-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1940-17-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1200-29-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1200-31-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1200-32-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	02 SCRAP BIDDING INVITATION_xlsx.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8 = "C:\\Users\\Admin\\AppData\\Roaming\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8 = "C:\\Users\\Admin\\AppData\\Roaming\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02 SCRAP BIDDING INVITATION_xlsx.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 1852	1496	02 SCRAP BIDDING INVITATION_xlsx.exe	24
PID 1852 set thread context of 1872	1852	02 SCRAP BIDDING INVITATION_xlsx.exe	25
PID 1872 set thread context of 1940	1872	iexplore.exe	26
PID 1872 set thread context of 1960	1872	iexplore.exe	27
PID 1872 set thread context of 1992	1872	iexplore.exe	28
PID 1872 set thread context of 2000	1872	iexplore.exe	29
PID 1872 set thread context of 2040	1872	iexplore.exe	30
PID 1872 set thread context of 1200	1872	iexplore.exe	31
PID 1872 set thread context of 1100	1872	iexplore.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1852	02 SCRAP BIDDING INVITATION_xlsx.exe
1852	02 SCRAP BIDDING INVITATION_xlsx.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	iexplore.exe
Token: SeDebugPrivilege	1940	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1852	02 SCRAP BIDDING INVITATION_xlsx.exe
1872	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1852	1496	02 SCRAP BIDDING INVITATION_xlsx.exe	24
PID 1496 wrote to memory of 1852	1496	02 SCRAP BIDDING INVITATION_xlsx.exe	24
PID 1496 wrote to memory of 1852	1496	02 SCRAP BIDDING INVITATION_xlsx.exe	24
PID 1496 wrote to memory of 1852	1496	02 SCRAP BIDDING INVITATION_xlsx.exe	24
PID 1496 wrote to memory of 1852	1496	02 SCRAP BIDDING INVITATION_xlsx.exe	24
PID 1496 wrote to memory of 1852	1496	02 SCRAP BIDDING INVITATION_xlsx.exe	24
PID 1496 wrote to memory of 1852	1496	02 SCRAP BIDDING INVITATION_xlsx.exe	24
PID 1496 wrote to memory of 1852	1496	02 SCRAP BIDDING INVITATION_xlsx.exe	24
PID 1852 wrote to memory of 1872	1852	02 SCRAP BIDDING INVITATION_xlsx.exe	25
PID 1852 wrote to memory of 1872	1852	02 SCRAP BIDDING INVITATION_xlsx.exe	25
PID 1852 wrote to memory of 1872	1852	02 SCRAP BIDDING INVITATION_xlsx.exe	25
PID 1852 wrote to memory of 1872	1852	02 SCRAP BIDDING INVITATION_xlsx.exe	25
PID 1852 wrote to memory of 1872	1852	02 SCRAP BIDDING INVITATION_xlsx.exe	25
PID 1852 wrote to memory of 1872	1852	02 SCRAP BIDDING INVITATION_xlsx.exe	25
PID 1852 wrote to memory of 1872	1852	02 SCRAP BIDDING INVITATION_xlsx.exe	25
PID 1852 wrote to memory of 1872	1852	02 SCRAP BIDDING INVITATION_xlsx.exe	25
PID 1852 wrote to memory of 1872	1852	02 SCRAP BIDDING INVITATION_xlsx.exe	25
PID 1872 wrote to memory of 1940	1872	iexplore.exe	26
PID 1872 wrote to memory of 1940	1872	iexplore.exe	26
PID 1872 wrote to memory of 1940	1872	iexplore.exe	26
PID 1872 wrote to memory of 1940	1872	iexplore.exe	26
PID 1872 wrote to memory of 1940	1872	iexplore.exe	26
PID 1872 wrote to memory of 1940	1872	iexplore.exe	26
PID 1872 wrote to memory of 1940	1872	iexplore.exe	26
PID 1872 wrote to memory of 1940	1872	iexplore.exe	26
PID 1872 wrote to memory of 1940	1872	iexplore.exe	26
PID 1872 wrote to memory of 1960	1872	iexplore.exe	27
PID 1872 wrote to memory of 1960	1872	iexplore.exe	27
PID 1872 wrote to memory of 1960	1872	iexplore.exe	27
PID 1872 wrote to memory of 1960	1872	iexplore.exe	27
PID 1872 wrote to memory of 1960	1872	iexplore.exe	27
PID 1872 wrote to memory of 1960	1872	iexplore.exe	27
PID 1872 wrote to memory of 1960	1872	iexplore.exe	27
PID 1872 wrote to memory of 1960	1872	iexplore.exe	27
PID 1872 wrote to memory of 1960	1872	iexplore.exe	27
PID 1872 wrote to memory of 1960	1872	iexplore.exe	27
PID 1872 wrote to memory of 1992	1872	iexplore.exe	28
PID 1872 wrote to memory of 1992	1872	iexplore.exe	28
PID 1872 wrote to memory of 1992	1872	iexplore.exe	28
PID 1872 wrote to memory of 1992	1872	iexplore.exe	28
PID 1872 wrote to memory of 1992	1872	iexplore.exe	28
PID 1872 wrote to memory of 1992	1872	iexplore.exe	28
PID 1872 wrote to memory of 1992	1872	iexplore.exe	28
PID 1872 wrote to memory of 1992	1872	iexplore.exe	28
PID 1872 wrote to memory of 1992	1872	iexplore.exe	28
PID 1872 wrote to memory of 1992	1872	iexplore.exe	28
PID 1872 wrote to memory of 2000	1872	iexplore.exe	29
PID 1872 wrote to memory of 2000	1872	iexplore.exe	29
PID 1872 wrote to memory of 2000	1872	iexplore.exe	29
PID 1872 wrote to memory of 2000	1872	iexplore.exe	29
PID 1872 wrote to memory of 2000	1872	iexplore.exe	29
PID 1872 wrote to memory of 2000	1872	iexplore.exe	29
PID 1872 wrote to memory of 2000	1872	iexplore.exe	29
PID 1872 wrote to memory of 2000	1872	iexplore.exe	29
PID 1872 wrote to memory of 2000	1872	iexplore.exe	29
PID 1872 wrote to memory of 2000	1872	iexplore.exe	29
PID 1872 wrote to memory of 2040	1872	iexplore.exe	30
PID 1872 wrote to memory of 2040	1872	iexplore.exe	30
PID 1872 wrote to memory of 2040	1872	iexplore.exe	30
PID 1872 wrote to memory of 2040	1872	iexplore.exe	30
PID 1872 wrote to memory of 2040	1872	iexplore.exe	30
PID 1872 wrote to memory of 2040	1872	iexplore.exe	30
PID 1872 wrote to memory of 2040	1872	iexplore.exe	30
PID 1872 wrote to memory of 2040	1872	iexplore.exe	30

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02 SCRAP BIDDING INVITATION_xlsx.exe

C:\Users\Admin\AppData\Local\Temp\02 SCRAP BIDDING INVITATION_xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\02 SCRAP BIDDING INVITATION_xlsx.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\02 SCRAP BIDDING INVITATION_xlsx.exe
  "{path}"
  2⤵
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1852
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\02 SCRAP BIDDING INVITATION_xlsx.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch0.txt"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1940
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch1.txt"
      4⤵
      PID:1960
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch1.txt"
      4⤵
      PID:1992
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch1.txt"
      4⤵
      PID:2000
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch2.txt"
      4⤵
      PID:2040
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch3.txt"
      4⤵
      PID:1200
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\zxczjxkch4.txt"
      4⤵
      PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-35-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1100-33-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1200-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1200-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1200-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1852-13-0x0000000002720000-0x0000000002724000-memory.dmp

Filesize
16KB

Download
memory/1852-12-0x0000000001170000-0x0000000001174000-memory.dmp

Filesize
16KB

Download
memory/1852-2-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1872-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1872-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1940-17-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1940-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1940-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2000-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-27-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2040-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download