Overview

overview

10

Static

static

0998035783...18.exe

windows7_x64

10

0998035783...18.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-11-2020 15:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18.exe

  • Size

    28KB

  • MD5

    13d84033f65345d8a87391ec0eb6b482

  • SHA1

    b6354b17def07e0ead0f90a30b50c9090e720e5f

  • SHA256

    099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18

  • SHA512

    5093353181b2c6cb0ec0c421e7e5b87e3e222fd6fb5e250bed960ebad1a0041be4e7ba412067e1c6d4eba6e1248c59022eef87c281346c507aa0ae8990fe285f

Score
10/10
xpertratspecial xevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

sandshoe.myfirewall.org:2054

sandshoe.myfirewall.org:4000
Mutex

C7H2A8R6-A3X1-J1N8-N887-L0I1C4O6U0D4

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 3 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18.exe
    "C:\Users\Admin\AppData\Local\Temp\099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\SysWOW64\timeout.exe
      timeout 5
      2⤵
      • Delays execution with timeout.exe
      PID:1996
    • C:\Users\Admin\AppData\Local\Temp\099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18.exe
      "C:\Users\Admin\AppData\Local\Temp\099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1536
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18.exe
        3⤵
          PID:396
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\099803578388c6f4a6a4904fdb0b8b8e77e7ee9c14eccbda79272baf92093e18.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:556

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    3
    T1089

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/396-12-0x0000000000401364-mapping.dmp
      Download
    • memory/556-13-0x0000000000400000-0x0000000000443000-memory.dmp
      Filesize

      268KB

      Download
    • memory/556-14-0x0000000000401364-mapping.dmp
      Download
    • memory/556-15-0x0000000000400000-0x0000000000443000-memory.dmp
      Filesize

      268KB

      Download
    • memory/848-0-0x00000000748D0000-0x0000000074FBE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/848-1-0x000000000F9A0000-0x000000000F9A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/848-4-0x0000000001DF0000-0x0000000001E29000-memory.dmp
      Filesize

      228KB

      Download
    • memory/1536-5-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1536-6-0x00000000004010B8-mapping.dmp
      Download
    • memory/1536-18-0x0000000000150000-0x0000000000154000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1536-19-0x0000000002840000-0x0000000002844000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1996-3-0x0000000000000000-mapping.dmp
      Download