Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7v200722
submitted: 17-08-2020 18:55
Static task: static1
Behavioral task: behavioral1
Sample: Specification 788919754.pdf img ind.exe
Resource: win7v200722 (windows7_x64)
0 signatures, 0 seconds
General
Target: Specification 788919754.pdf img ind.exe
Size: 411KB
MD5: b93e8fe38d0df20ba517b9d531660a4e
SHA1: ebc70668346f27b9c31759b335c3f6cb619c71b5
SHA256: 293bf5eeec6d5d30ee3b3d26f73d6cb81f4e080a449774fc8d2c3a724454f521
SHA512: fa07022ab0d2d48066017e8283a9adab2fa2f8aebac2113ec451bd5b339639d0771fd975a92072bdabb24c24f4f40c25707aa9ec3d906104db9c59ba6ddf675d
Malware Config
Extracted
Family: xpertrat
Version: 3.0.10
Botnet: special X
C2: sandshoe.myfirewall.org:4000
C2: 79.134.225.85:4000
Mutex: F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5
Signatures

XpertRAT Core Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/1824-12-0x0000000000400000-0x0000000000443000-memory.dmp | xpertrat
behavioral1/memory/1824-13-0x0000000000401364-mapping.dmp | xpertrat
behavioral1/memory/1824-14-0x0000000000400000-0x0000000000443000-memory.dmp | xpertrat
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5 = "C:\\Users\\Admin\\AppData\\Roaming\\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5.exe" | iexplore.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | Specification 788919754.pdf img ind.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5 = "C:\\Users\\Admin\\AppData\\Roaming\\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5.exe" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5 = "C:\\Users\\Admin\\AppData\\Roaming\\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5.exe" | iexplore.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Specification 788919754.pdf img ind.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1436 set thread context of 1864 | 1436 | Specification 788919754.pdf img ind.exe | 26
PID 1864 set thread context of 1824 | 1864 | Specification 788919754.pdf img ind.exe | 27
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1436 | Specification 788919754.pdf img ind.exe
1436 | Specification 788919754.pdf img ind.exe
1864 | Specification 788919754.pdf img ind.exe
1864 | Specification 788919754.pdf img ind.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1436 | Specification 788919754.pdf img ind.exe
Token: SeDebugPrivilege | 1824 | iexplore.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1864 | Specification 788919754.pdf img ind.exe
1824 | iexplore.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1436 wrote to memory of 1864 | 1436 | Specification 788919754.pdf img ind.exe | 26
PID 1436 wrote to memory of 1864 | 1436 | Specification 788919754.pdf img ind.exe | 26
PID 1436 wrote to memory of 1864 | 1436 | Specification 788919754.pdf img ind.exe | 26
PID 1436 wrote to memory of 1864 | 1436 | Specification 788919754.pdf img ind.exe | 26
PID 1436 wrote to memory of 1864 | 1436 | Specification 788919754.pdf img ind.exe | 26
PID 1436 wrote to memory of 1864 | 1436 | Specification 788919754.pdf img ind.exe | 26
PID 1436 wrote to memory of 1864 | 1436 | Specification 788919754.pdf img ind.exe | 26
PID 1436 wrote to memory of 1864 | 1436 | Specification 788919754.pdf img ind.exe | 26
PID 1864 wrote to memory of 1824 | 1864 | Specification 788919754.pdf img ind.exe | 27
PID 1864 wrote to memory of 1824 | 1864 | Specification 788919754.pdf img ind.exe | 27
PID 1864 wrote to memory of 1824 | 1864 | Specification 788919754.pdf img ind.exe | 27
PID 1864 wrote to memory of 1824 | 1864 | Specification 788919754.pdf img ind.exe | 27
PID 1864 wrote to memory of 1824 | 1864 | Specification 788919754.pdf img ind.exe | 27
PID 1864 wrote to memory of 1824 | 1864 | Specification 788919754.pdf img ind.exe | 27
PID 1864 wrote to memory of 1824 | 1864 | Specification 788919754.pdf img ind.exe | 27
PID 1864 wrote to memory of 1824 | 1864 | Specification 788919754.pdf img ind.exe | 27
PID 1864 wrote to memory of 1824 | 1864 | Specification 788919754.pdf img ind.exe | 27
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Specification 788919754.pdf img ind.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1436

  C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe
    Command line: "{path}"
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 1864

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 1824