Overview

overview

10

Static

static

11_07_2020...47.exe

windows7_x64

10

11_07_2020...47.exe

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    15-10-2020 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11_07_2020 PO_INVOICE #3309247.exe

  • Size

    172KB

  • MD5

    ed21990ff9e29addfd9252f1ba0b30d4

  • SHA1

    1f34df7a5cd551dcb5ec24227fbd1a985cbbe4ef

  • SHA256

    8963180e8b2e7e51c5abd716e7a562ad010f663c41a38015ad2566231a7da9af

  • SHA512

    c22f99e61f7b823f412f5c5ad5173096c38aab57833ab2ac61a5a38b173cc97b154a7b90d0d94fa6844eb8c371057429ba22a63533fcf4487e3eb19c0291dc06

Score
10/10
xpertratspecial xevasionpersistencerattrojanupx

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

sandshoe.myfirewall.org:4000

Mutex

K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 3 IoCs
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 11 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\11_07_2020 PO_INVOICE #3309247.exe
    "C:\Users\Admin\AppData\Local\Temp\11_07_2020 PO_INVOICE #3309247.exe"
    1⤵
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1080
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      C:\Users\Admin\AppData\Local\Temp\11_07_2020 PO_INVOICE #3309247.exe
      2⤵
        PID:788
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\11_07_2020 PO_INVOICE #3309247.exe
        2⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5\kvosxihiy0.txt"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1624
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5\kvosxihiy1.txt"
          3⤵
            PID:1884
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5\kvosxihiy2.txt"
            3⤵
              PID:1956
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5\kvosxihiy3.txt"
              3⤵
                PID:1924
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5\kvosxihiy4.txt"
                3⤵
                  PID:2036

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            2
            T1060

            Privilege Escalation

            Bypass User Account Control

            1
            T1088

            Defense Evasion

            Bypass User Account Control

            1
            T1088

            Disabling Security Tools

            3
            T1089

            Modify Registry

            6
            T1112

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5\kvosxihiy2.txt
              MD5

              f3b25701fe362ec84616a93a45ce9998

              SHA1

              d62636d8caec13f04e28442a0a6fa1afeb024bbb

              SHA256

              b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

              SHA512

              98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              Download Submit
            • C:\Users\Admin\AppData\Roaming\K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5\kvosxihiy4.txt
              MD5

              f3b25701fe362ec84616a93a45ce9998

              SHA1

              d62636d8caec13f04e28442a0a6fa1afeb024bbb

              SHA256

              b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

              SHA512

              98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              Download Submit
            • memory/788-3-0x0000000000401364-mapping.dmp
              Download
            • memory/1080-9-0x0000000000380000-0x0000000000384000-memory.dmp
              Filesize

              16KB

              Download
            • memory/1080-10-0x0000000002890000-0x0000000002894000-memory.dmp
              Filesize

              16KB

              Download
            • memory/1576-4-0x0000000000400000-0x0000000000443000-memory.dmp
              Filesize

              268KB

              Download
            • memory/1576-5-0x0000000000401364-mapping.dmp
              Download
            • memory/1576-6-0x0000000000400000-0x0000000000443000-memory.dmp
              Filesize

              268KB

              Download
            • memory/1624-11-0x0000000000400000-0x0000000000426000-memory.dmp
              Filesize

              152KB

              Download
            • memory/1624-14-0x0000000000400000-0x0000000000426000-memory.dmp
              Filesize

              152KB

              Download
            • memory/1624-15-0x0000000000400000-0x0000000000426000-memory.dmp
              Filesize

              152KB

              Download
            • memory/1624-13-0x0000000000400000-0x0000000000426000-memory.dmp
              Filesize

              152KB

              Download
            • memory/1624-12-0x0000000000423BC0-mapping.dmp
              Download
            • memory/1884-17-0x0000000000411654-mapping.dmp
              Download
            • memory/1884-18-0x0000000000400000-0x000000000041B000-memory.dmp
              Filesize

              108KB

              Download
            • memory/1884-16-0x0000000000400000-0x000000000041B000-memory.dmp
              Filesize

              108KB

              Download
            • memory/1924-25-0x0000000000400000-0x0000000000416000-memory.dmp
              Filesize

              88KB

              Download
            • memory/1924-23-0x0000000000400000-0x0000000000416000-memory.dmp
              Filesize

              88KB

              Download
            • memory/1924-24-0x0000000000413750-mapping.dmp
              Download
            • memory/1924-26-0x0000000000400000-0x0000000000416000-memory.dmp
              Filesize

              88KB

              Download
            • memory/1924-27-0x0000000000400000-0x0000000000416000-memory.dmp
              Filesize

              88KB

              Download
            • memory/1956-21-0x0000000000400000-0x0000000000459000-memory.dmp
              Filesize

              356KB

              Download
            • memory/1956-19-0x0000000000400000-0x0000000000459000-memory.dmp
              Filesize

              356KB

              Download
            • memory/1956-20-0x0000000000442F04-mapping.dmp
              Download
            • memory/2036-28-0x0000000000400000-0x0000000000415000-memory.dmp
              Filesize

              84KB

              Download
            • memory/2036-29-0x000000000040C2A8-mapping.dmp
              Download
            • memory/2036-30-0x0000000000400000-0x0000000000415000-memory.dmp
              Filesize

              84KB

              Download