xpertrat | 29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02

General

Target

1f609ed72b74f23379e8d7636b5faa13.exe
Size

25KB
MD5

1f609ed72b74f23379e8d7636b5faa13
SHA1

439d50691f585b1a3cd674a0852834a97d9fc9cb
SHA256

29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02
SHA512

15eb37df42c5747aad644844b7ed3a7da98855e443e5293a64ebf092025e9210e99dbc7889c92854bcbfbf1840004a6c0b2c086a20d6a968f22354f0cd1161b4

Score

10^/10

xpertrat special x evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

ghytrty.duckdns.org:4145

spapertyy.duckdns.org:4145

Mutex

L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3736-126-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral2/memory/3736-127-0x0000000000401364-mapping.dmp	xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"	iexplore.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	1f609ed72b74f23379e8d7636b5faa13.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1f609ed72b74f23379e8d7636b5faa13.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

pid	process
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe1f609ed72b74f23379e8d7636b5faa13.exe

description	pid	process	target process
PID 2116 set thread context of 1296	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 1296 set thread context of 3736	1296	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3120 2116 WerFault.exe 1f609ed72b74f23379e8d7636b5faa13.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1972 timeout.exe

pid	pid_target	process	target process
3120	2116	WerFault.exe	1f609ed72b74f23379e8d7636b5faa13.exe

pid	process
1972	timeout.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe1f609ed72b74f23379e8d7636b5faa13.exeWerFault.exe

pid	process
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
2116	1f609ed72b74f23379e8d7636b5faa13.exe
1296	1f609ed72b74f23379e8d7636b5faa13.exe
1296	1f609ed72b74f23379e8d7636b5faa13.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
3120	WerFault.exe
1296	1f609ed72b74f23379e8d7636b5faa13.exe
1296	1f609ed72b74f23379e8d7636b5faa13.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exeWerFault.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	2116	1f609ed72b74f23379e8d7636b5faa13.exe
Token: SeRestorePrivilege	3120	WerFault.exe
Token: SeBackupPrivilege	3120	WerFault.exe
Token: SeDebugPrivilege	3736	iexplore.exe
Token: SeDebugPrivilege	3120	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exeiexplore.exe

pid process

1296 1f609ed72b74f23379e8d7636b5faa13.exe
3736 iexplore.exe

pid	process
1296	1f609ed72b74f23379e8d7636b5faa13.exe
3736	iexplore.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.execmd.exe1f609ed72b74f23379e8d7636b5faa13.exe

description	pid	process	target process
PID 2116 wrote to memory of 1276	2116	1f609ed72b74f23379e8d7636b5faa13.exe	cmd.exe
PID 2116 wrote to memory of 1276	2116	1f609ed72b74f23379e8d7636b5faa13.exe	cmd.exe
PID 2116 wrote to memory of 1276	2116	1f609ed72b74f23379e8d7636b5faa13.exe	cmd.exe
PID 1276 wrote to memory of 1972	1276	cmd.exe	timeout.exe
PID 1276 wrote to memory of 1972	1276	cmd.exe	timeout.exe
PID 1276 wrote to memory of 1972	1276	cmd.exe	timeout.exe
PID 2116 wrote to memory of 1492	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 2116 wrote to memory of 1492	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 2116 wrote to memory of 1492	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 2116 wrote to memory of 1296	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 2116 wrote to memory of 1296	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 2116 wrote to memory of 1296	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 2116 wrote to memory of 1296	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 2116 wrote to memory of 1296	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 2116 wrote to memory of 1296	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 2116 wrote to memory of 1296	2116	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 1296 wrote to memory of 3736	1296	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1296 wrote to memory of 3736	1296	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1296 wrote to memory of 3736	1296	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1296 wrote to memory of 3736	1296	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1296 wrote to memory of 3736	1296	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1296 wrote to memory of 3736	1296	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1296 wrote to memory of 3736	1296	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1296 wrote to memory of 3736	1296	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1f609ed72b74f23379e8d7636b5faa13.exe

C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
"C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1972

C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
"C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe"
2⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
"C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1296

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1884
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

6

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-120-0x0000000000000000-mapping.dmp

Download
memory/1296-134-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1296-122-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1296-123-0x00000000004010B8-mapping.dmp

Download
memory/1972-121-0x0000000000000000-mapping.dmp

Download
memory/2116-118-0x0000000004C40000-0x000000000513E000-memory.dmp

Filesize
5.0MB

Download
memory/2116-119-0x0000000000CD0000-0x0000000000D09000-memory.dmp

Filesize
228KB

Download
memory/2116-114-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2116-117-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/2116-116-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3736-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3736-127-0x0000000000401364-mapping.dmp

Download
memory/3736-130-0x0000000003250000-0x00000000033A3000-memory.dmp

Filesize
1.3MB

Download
memory/3736-131-0x0000000003251000-0x000000000334D000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads