Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10_x64 -
resource
win10 -
submitted
17-08-2020 18:55
General
-
Target
Specification 788919754.pdf img ind.exe
-
Size
411KB
-
MD5
b93e8fe38d0df20ba517b9d531660a4e
-
SHA1
ebc70668346f27b9c31759b335c3f6cb619c71b5
-
SHA256
293bf5eeec6d5d30ee3b3d26f73d6cb81f4e080a449774fc8d2c3a724454f521
-
SHA512
fa07022ab0d2d48066017e8283a9adab2fa2f8aebac2113ec451bd5b339639d0771fd975a92072bdabb24c24f4f40c25707aa9ec3d906104db9c59ba6ddf675d
Score
10/10
Malware Config
Extracted
Family
xpertrat
Version
3.0.10
Botnet
special X
C2
sandshoe.myfirewall.org:4000
79.134.225.85:4000
Mutex
F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5
Signatures
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
-
XpertRAT Core Payload 3 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe"C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe"{path}"2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1552-15-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/1552-17-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/1552-16-0x0000000000401364-mapping.dmp
-
memory/3676-7-0x0000000007850000-0x0000000007854000-memory.dmpFilesize
16KB
-
memory/3676-5-0x0000000007840000-0x0000000007841000-memory.dmpFilesize
4KB
-
memory/3676-6-0x0000000007B30000-0x0000000007B31000-memory.dmpFilesize
4KB
-
memory/3676-0-0x0000000073BA0000-0x000000007428E000-memory.dmpFilesize
6.9MB
-
memory/3676-8-0x0000000008400000-0x000000000844D000-memory.dmpFilesize
308KB
-
memory/3676-9-0x0000000002C40000-0x0000000002C6C000-memory.dmpFilesize
176KB
-
memory/3676-4-0x0000000007880000-0x0000000007881000-memory.dmpFilesize
4KB
-
memory/3676-3-0x0000000007CA0000-0x0000000007CA1000-memory.dmpFilesize
4KB
-
memory/3676-1-0x0000000000AD0000-0x0000000000AD1000-memory.dmpFilesize
4KB
-
memory/4016-10-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/4016-11-0x00000000004010B8-mapping.dmp
-
memory/4016-12-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB