xpertrat | d5325b0dfdd73327d48c0e069567ce843a68f10d7fe0301a74dad13d6422eee2

General

Target

d76c5a676e641b431ac0a9dded9c505d.exe
Size

823KB
MD5

d76c5a676e641b431ac0a9dded9c505d
SHA1

62bc6251747312cc7307c2c49cf14d511d0bfcdd
SHA256

d5325b0dfdd73327d48c0e069567ce843a68f10d7fe0301a74dad13d6422eee2
SHA512

0c4c8206529fe1469476e2e51c01a6bf3d6a5444c223ed074925c324fe235214272d010ab42ce9478f2e31a7f7aff6d7eb885f569d7cc7ac67c27aa6c49b73c9

Score

10^/10

xpertrat xxx evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

XXX

C2

kapasky-antivirus.firewall-gateway.net:2054

kapasky-antivirus.firewall-gateway.net:4000

Mutex

U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1460-71-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral1/memory/1460-72-0x0000000000401364-mapping.dmp	xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7 = "C:\\Users\\Admin\\AppData\\Roaming\\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe"	iexplore.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d76c5a676e641b431ac0a9dded9c505d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	d76c5a676e641b431ac0a9dded9c505d.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7 = "C:\\Users\\Admin\\AppData\\Roaming\\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7 = "C:\\Users\\Admin\\AppData\\Roaming\\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7\\U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

d76c5a676e641b431ac0a9dded9c505d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d76c5a676e641b431ac0a9dded9c505d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d76c5a676e641b431ac0a9dded9c505d.exed76c5a676e641b431ac0a9dded9c505d.exe

description	pid	process	target process
PID 1996 set thread context of 304	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 304 set thread context of 1460	304	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

d76c5a676e641b431ac0a9dded9c505d.exed76c5a676e641b431ac0a9dded9c505d.exe

pid	process
1996	d76c5a676e641b431ac0a9dded9c505d.exe
1996	d76c5a676e641b431ac0a9dded9c505d.exe
304	d76c5a676e641b431ac0a9dded9c505d.exe
304	d76c5a676e641b431ac0a9dded9c505d.exe
304	d76c5a676e641b431ac0a9dded9c505d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d76c5a676e641b431ac0a9dded9c505d.exeiexplore.exe

description pid process

Token: SeDebugPrivilege 1996 d76c5a676e641b431ac0a9dded9c505d.exe
Token: SeDebugPrivilege 1460 iexplore.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d76c5a676e641b431ac0a9dded9c505d.exeiexplore.exe

pid process

304 d76c5a676e641b431ac0a9dded9c505d.exe
1460 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	1996	d76c5a676e641b431ac0a9dded9c505d.exe
Token: SeDebugPrivilege	1460	iexplore.exe

pid	process
304	d76c5a676e641b431ac0a9dded9c505d.exe
1460	iexplore.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d76c5a676e641b431ac0a9dded9c505d.exed76c5a676e641b431ac0a9dded9c505d.exe

description	pid	process	target process
PID 1996 wrote to memory of 892	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 892	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 892	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 892	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 304	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 304	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 304	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 304	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 304	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 304	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 304	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1996 wrote to memory of 304	1996	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 304 wrote to memory of 1460	304	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 304 wrote to memory of 1460	304	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 304 wrote to memory of 1460	304	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 304 wrote to memory of 1460	304	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 304 wrote to memory of 1460	304	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 304 wrote to memory of 1460	304	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 304 wrote to memory of 1460	304	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 304 wrote to memory of 1460	304	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 304 wrote to memory of 1460	304	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

d76c5a676e641b431ac0a9dded9c505d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d76c5a676e641b431ac0a9dded9c505d.exe

C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
"C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
"{path}"
2⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
"{path}"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:304

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

6

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/304-67-0x00000000004010B8-mapping.dmp

Download
memory/1460-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1460-72-0x0000000000401364-mapping.dmp

Download
memory/1460-73-0x0000000000590000-0x00000000006E3000-memory.dmp

Filesize
1.3MB

Download
memory/1460-76-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1996-60-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1996-62-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1996-63-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/1996-64-0x0000000007F00000-0x0000000007FC4000-memory.dmp

Filesize
784KB

Download
memory/1996-65-0x0000000004990000-0x0000000004A07000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads