Overview

overview

10

Static

static

63a7dd2640...a6.exe

windows7_x64

10

63a7dd2640...a6.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-04-2021 07:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63a7dd2640491df5075a08bf335545a6.exe

  • Size

    1.9MB

  • MD5

    63a7dd2640491df5075a08bf335545a6

  • SHA1

    6bcdaa6627936d1c438d47016ad12ff018895fa6

  • SHA256

    5c32fd3de4bce60a2529cebc5f47b8a1562ea9bd22549f829b22b0533b32f79b

  • SHA512

    4e728c1d4d39efddc736c309fd5654cae0106ccaed8d40b9fc395a40576526e8e67afb6f974944c30ecf96476fe233aeeae56581d0647cb7d162ffbfeae0d756

Score
10/10
xpertratspecial xevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

ghytrty.duckdns.org:4145

spapertyy.duckdns.org:4145
Mutex

L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\63a7dd2640491df5075a08bf335545a6.exe
    "C:\Users\Admin\AppData\Local\Temp\63a7dd2640491df5075a08bf335545a6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Local\Temp\63a7dd2640491df5075a08bf335545a6.exe
      "{path}"
      2⤵
        PID:1612
      • C:\Users\Admin\AppData\Local\Temp\63a7dd2640491df5075a08bf335545a6.exe
        "{path}"
        2⤵
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1656
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\63a7dd2640491df5075a08bf335545a6.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1252

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    3
    T1089

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1056-59-0x0000000001380000-0x0000000001381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-61-0x0000000001340000-0x0000000001341000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-62-0x0000000000610000-0x000000000061E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1056-63-0x0000000008F00000-0x0000000008F7D000-memory.dmp
      Filesize

      500KB

      Download
    • memory/1056-64-0x0000000008E50000-0x0000000008E7D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1252-70-0x0000000000401364-mapping.dmp
      Download
    • memory/1252-69-0x0000000000400000-0x0000000000443000-memory.dmp
      Filesize

      268KB

      Download
    • memory/1252-71-0x0000000000450000-0x00000000005A3000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1252-75-0x00000000766D1000-0x00000000766D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1656-65-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1656-66-0x00000000004010B8-mapping.dmp
      Download