Overview

overview

10

Static

static

8

Orden de c...6.xlsm

windows7_x64

10

Orden de c...6.xlsm

windows10_x64

1

Analysis

  • max time kernel
    137s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    23-04-2021 11:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Orden de compra 1910003976.xlsm

  • Size

    71KB

  • MD5

    8273a0b7226e7cceeab9c08cf12cbf9a

  • SHA1

    1eccef99ee7b62212a4e2a8bcb1bde71095af728

  • SHA256

    6994d0049b0cf4f69b76d397e421110d95f1408aaedfd827bd3906973e85f2fe

  • SHA512

    b65ca73d6badf1d28e164388e096a0a3a06c2a6d29e11132242bee158b410c3b20b1db4dec976c2008f1b2d046a3f769f854ffdd33b733d650c532bdb67adcfd

Score
10/10
xpertratspecial xevasionpersistencerattrojanupx

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

ghytrty.duckdns.org:4145

spapertyy.duckdns.org:4145
Mutex

L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 2 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Orden de compra 1910003976.xlsm"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1992
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\cmD.exe
      cmD /c ReN %TMp%\x x& WSCrIpT %tmp%\x?..wsf  C
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\wscript.exe
        WSCrIpT C:\Users\Admin\AppData\Local\Temp\x?..wsf  C
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1064
          • C:\Windows\SysWOW64\cscript.exe
            cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:296
            • C:\ProgramData\xpertee.exe
              "C:\ProgramData\xpertee.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1328
              • C:\ProgramData\xpertee.exe
                "{path}"
                7⤵
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1012
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  C:\ProgramData\xpertee.exe
                  8⤵
                  • Adds policy Run key to start application
                  • Adds Run key to start application
                  • Suspicious use of SetThreadContext
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1644
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq0.txt"
                    9⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:108
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq1.txt"
                    9⤵
                      PID:1844
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      /stext "C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq2.txt"
                      9⤵
                        PID:1672
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        /stext "C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq3.txt"
                        9⤵
                          PID:1892
                        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          /stext "C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq4.txt"
                          9⤵
                            PID:764

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Exploitation for Client Execution

          1
          T1203

          Persistence

          Registry Run Keys / Startup Folder

          2
          T1060

          Privilege Escalation

          Bypass User Account Control

          1
          T1088

          Defense Evasion

          Bypass User Account Control

          1
          T1088

          Disabling Security Tools

          3
          T1089

          Modify Registry

          7
          T1112

          Credential Access

          Discovery

          System Information Discovery

          3
          T1082

          Query Registry

          1
          T1012

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\xpertee.exe
            MD5

            47eb0c8afe69369e294c97c91d1867e8

            SHA1

            eefb321afb609d01531be6719900aeb1f3bb9f06

            SHA256

            c9717d2b9c4eb9e99cfabeca61561f4fa1cd91c19a76f97a104010cb601f3553

            SHA512

            48dd8657c569627d149ac2a88e30a9f3fb166eb67e06d5afc0de69c3b427699698cebea6212209e76057ce2163d20cd05965f595de6692431be31db814eba769

            Download Submit
          • C:\ProgramData\xpertee.exe
            MD5

            47eb0c8afe69369e294c97c91d1867e8

            SHA1

            eefb321afb609d01531be6719900aeb1f3bb9f06

            SHA256

            c9717d2b9c4eb9e99cfabeca61561f4fa1cd91c19a76f97a104010cb601f3553

            SHA512

            48dd8657c569627d149ac2a88e30a9f3fb166eb67e06d5afc0de69c3b427699698cebea6212209e76057ce2163d20cd05965f595de6692431be31db814eba769

            Download Submit
          • C:\ProgramData\xpertee.exe
            MD5

            47eb0c8afe69369e294c97c91d1867e8

            SHA1

            eefb321afb609d01531be6719900aeb1f3bb9f06

            SHA256

            c9717d2b9c4eb9e99cfabeca61561f4fa1cd91c19a76f97a104010cb601f3553

            SHA512

            48dd8657c569627d149ac2a88e30a9f3fb166eb67e06d5afc0de69c3b427699698cebea6212209e76057ce2163d20cd05965f595de6692431be31db814eba769

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\x
            MD5

            0ab52e21d3c1a5f5e3cb43d18626d20b

            SHA1

            dc760533e54978f6e21a16f902cb0bf4c1931eaa

            SHA256

            1bd644e26916660b7cf18d4f93793f79eea6dcf5988af427e7c8b60eb84cc90b

            SHA512

            1db34001656eb5e00ddcb71b057d567f751333a58e9f4a120f4645c05cb3d02969bcad8f2e6c317074ec2ad4af76d37ac778bc1a3a4f3387016893462975040a

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\xx
            MD5

            1ba140c23eacb39108e7eb3e33843fd9

            SHA1

            952fa4c1ae57ef16b92515f465a2bb001859b9ff

            SHA256

            e02242e5b868bedd0664ff75761b008b2d585a41c6754cdc4805142681c76903

            SHA512

            8039ca3b5099d485736772c6d69265ade0170c68181da83cf8ceb055e15a1234d0eb12cc21569cde8db3a882fa098c36fec34b04a934af235e31c79168a29624

            Download Submit
          • C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq2.txt
            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit
          • C:\Users\Admin\AppData\Roaming\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\gxmpjpodq4.txt
            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit
          • \ProgramData\xpertee.exe
            MD5

            47eb0c8afe69369e294c97c91d1867e8

            SHA1

            eefb321afb609d01531be6719900aeb1f3bb9f06

            SHA256

            c9717d2b9c4eb9e99cfabeca61561f4fa1cd91c19a76f97a104010cb601f3553

            SHA512

            48dd8657c569627d149ac2a88e30a9f3fb166eb67e06d5afc0de69c3b427699698cebea6212209e76057ce2163d20cd05965f595de6692431be31db814eba769

            Download Submit
          • memory/108-95-0x0000000000423BC0-mapping.dmp
            Download
          • memory/108-94-0x0000000000400000-0x0000000000426000-memory.dmp
            Filesize

            152KB

            Download
          • memory/296-70-0x0000000000000000-mapping.dmp
            Download
          • memory/740-66-0x0000000000000000-mapping.dmp
            Download
          • memory/764-108-0x000000000040C2A8-mapping.dmp
            Download
          • memory/764-107-0x0000000000400000-0x0000000000415000-memory.dmp
            Filesize

            84KB

            Download
          • memory/1012-82-0x0000000000400000-0x000000000042C000-memory.dmp
            Filesize

            176KB

            Download
          • memory/1012-83-0x00000000004010B8-mapping.dmp
            Download
          • memory/1064-69-0x0000000000000000-mapping.dmp
            Download
          • memory/1328-81-0x00000000048A0000-0x00000000048FC000-memory.dmp
            Filesize

            368KB

            Download
          • memory/1328-76-0x0000000000880000-0x0000000000881000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1328-80-0x0000000005ED0000-0x0000000005F7B000-memory.dmp
            Filesize

            684KB

            Download
          • memory/1328-79-0x0000000000320000-0x000000000032E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/1328-78-0x0000000004860000-0x0000000004861000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1328-73-0x0000000000000000-mapping.dmp
            Download
          • memory/1644-87-0x0000000000400000-0x0000000000443000-memory.dmp
            Filesize

            268KB

            Download
          • memory/1644-88-0x0000000000401364-mapping.dmp
            Download
          • memory/1644-89-0x0000000000450000-0x00000000005A3000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/1672-101-0x0000000000442F04-mapping.dmp
            Download
          • memory/1672-100-0x0000000000400000-0x0000000000459000-memory.dmp
            Filesize

            356KB

            Download
          • memory/1776-63-0x0000000075B31000-0x0000000075B33000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1780-64-0x0000000000000000-mapping.dmp
            Download
          • memory/1844-97-0x0000000000400000-0x000000000041B000-memory.dmp
            Filesize

            108KB

            Download
          • memory/1844-98-0x0000000000411654-mapping.dmp
            Download
          • memory/1892-104-0x0000000000400000-0x0000000000416000-memory.dmp
            Filesize

            88KB

            Download
          • memory/1892-105-0x0000000000413750-mapping.dmp
            Download
          • memory/1992-60-0x000000002F0F1000-0x000000002F0F4000-memory.dmp
            Filesize

            12KB

            Download
          • memory/1992-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1992-61-0x0000000071B91000-0x0000000071B93000-memory.dmp
            Filesize

            8KB

            Download