Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
08-10-2020 13:24
General
-
Target
SecuriteInfo.com.Trojan.Siggen10.31344.29315.6962.exe
-
Size
932KB
-
MD5
ff05aef9ab76c8f7c5983a2ce3d4e02d
-
SHA1
953459a3a1e598c1d7c28f5a2e52b7c982bc904b
-
SHA256
5183105aacaf926e7358ff33a1503e58d712a9fc97800bbe8e26132284acb414
-
SHA512
b9749ae87e74ac1f591e1fb2eca66dba4f7ee2836424de28c92fd9bed5a85408b1ea7c483e4793c4f50d823ba1dd6ddd60e321d201f31c3388c411aec65903b2
Score
10/10
Malware Config
Extracted
Family
xpertrat
Version
3.0.10
Botnet
xbox
C2
91.193.75.200:4726
79.134.225.97:4726
Mutex
P4U8N5X3-N0E7-P7T5-M113-K7R6K4S0G6G6
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
-
XpertRAT Core Payload 3 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Deletes itself 1 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.31344.29315.6962.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.31344.29315.6962.exe"1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.31344.29315.6962.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.31344.29315.6962.exe"2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.31344.29315.6962.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad.exe4⤵
- Deletes itself
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
300KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
308KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
268KB
-
-
Filesize
268KB
-
Filesize
176KB
-
-
Filesize
176KB
-