xpertrat | 29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02

General

Target

1f609ed72b74f23379e8d7636b5faa13.exe
Size

25KB
MD5

1f609ed72b74f23379e8d7636b5faa13
SHA1

439d50691f585b1a3cd674a0852834a97d9fc9cb
SHA256

29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02
SHA512

15eb37df42c5747aad644844b7ed3a7da98855e443e5293a64ebf092025e9210e99dbc7889c92854bcbfbf1840004a6c0b2c086a20d6a968f22354f0cd1161b4

Score

10^/10

xpertrat special x evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

ghytrty.duckdns.org:4145

spapertyy.duckdns.org:4145

Mutex

L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/544-70-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral1/memory/544-71-0x0000000000401364-mapping.dmp	xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"	iexplore.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	1f609ed72b74f23379e8d7636b5faa13.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1f609ed72b74f23379e8d7636b5faa13.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

pid	process
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe1f609ed72b74f23379e8d7636b5faa13.exe

description	pid	process	target process
PID 540 set thread context of 1592	540	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 1592 set thread context of 544	1592	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1632 timeout.exe

pid	process
1632	timeout.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe1f609ed72b74f23379e8d7636b5faa13.exe

pid	process
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
540	1f609ed72b74f23379e8d7636b5faa13.exe
1592	1f609ed72b74f23379e8d7636b5faa13.exe
1592	1f609ed72b74f23379e8d7636b5faa13.exe
1592	1f609ed72b74f23379e8d7636b5faa13.exe
1592	1f609ed72b74f23379e8d7636b5faa13.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exeiexplore.exe

description pid process

Token: SeDebugPrivilege 540 1f609ed72b74f23379e8d7636b5faa13.exe
Token: SeDebugPrivilege 544 iexplore.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exeiexplore.exe

pid process

1592 1f609ed72b74f23379e8d7636b5faa13.exe
544 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	540	1f609ed72b74f23379e8d7636b5faa13.exe
Token: SeDebugPrivilege	544	iexplore.exe

pid	process
1592	1f609ed72b74f23379e8d7636b5faa13.exe
544	iexplore.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.execmd.exe1f609ed72b74f23379e8d7636b5faa13.exe

description	pid	process	target process
PID 540 wrote to memory of 1252	540	1f609ed72b74f23379e8d7636b5faa13.exe	cmd.exe
PID 540 wrote to memory of 1252	540	1f609ed72b74f23379e8d7636b5faa13.exe	cmd.exe
PID 540 wrote to memory of 1252	540	1f609ed72b74f23379e8d7636b5faa13.exe	cmd.exe
PID 540 wrote to memory of 1252	540	1f609ed72b74f23379e8d7636b5faa13.exe	cmd.exe
PID 1252 wrote to memory of 1632	1252	cmd.exe	timeout.exe
PID 1252 wrote to memory of 1632	1252	cmd.exe	timeout.exe
PID 1252 wrote to memory of 1632	1252	cmd.exe	timeout.exe
PID 1252 wrote to memory of 1632	1252	cmd.exe	timeout.exe
PID 540 wrote to memory of 1592	540	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 540 wrote to memory of 1592	540	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 540 wrote to memory of 1592	540	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 540 wrote to memory of 1592	540	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 540 wrote to memory of 1592	540	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 540 wrote to memory of 1592	540	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 540 wrote to memory of 1592	540	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 540 wrote to memory of 1592	540	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 1592 wrote to memory of 544	1592	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1592 wrote to memory of 544	1592	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1592 wrote to memory of 544	1592	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1592 wrote to memory of 544	1592	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1592 wrote to memory of 544	1592	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1592 wrote to memory of 544	1592	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1592 wrote to memory of 544	1592	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1592 wrote to memory of 544	1592	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 1592 wrote to memory of 544	1592	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1f609ed72b74f23379e8d7636b5faa13.exe

C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
"C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1632

C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
"C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1592

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

6

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-60-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/540-62-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/540-63-0x00000000003B0000-0x00000000003E9000-memory.dmp

Filesize
228KB

Download
memory/544-70-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/544-71-0x0000000000401364-mapping.dmp

Download
memory/544-72-0x00000000006A0000-0x00000000007F3000-memory.dmp

Filesize
1.3MB

Download
memory/544-76-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1252-64-0x0000000000000000-mapping.dmp

Download
memory/1592-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1592-67-0x00000000004010B8-mapping.dmp

Download
memory/1632-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads