Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 25-04-2021 07:07
Static task: static1
Behavioral task: behavioral1
Sample: 1f609ed72b74f23379e8d7636b5faa13.exe
Resource: win7v20210410
General
- Target: 1f609ed72b74f23379e8d7636b5faa13.exe
- Size: 25KB
- MD5: 1f609ed72b74f23379e8d7636b5faa13
- SHA1: 439d50691f585b1a3cd674a0852834a97d9fc9cb
- SHA256: 29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02
- SHA512: 15eb37df42c5747aad644844b7ed3a7da98855e443e5293a64ebf092025e9210e99dbc7889c92854bcbfbf1840004a6c0b2c086a20d6a968f22354f0cd1161b4
Malware Config
Extracted
- Family: xpertrat
- Version: 3.0.10
- special X
- C2: ghytrty.duckdns.org:4145
- C2: spapertyy.duckdns.org:4145
- L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0
Signatures

XpertRAT Core Payload (2 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/544-70-0x0000000000400000-0x0000000000443000-memory.dmp: xpertrat
- behavioral1/memory/544-71-0x0000000000401364-mapping.dmp: xpertrat
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: iexplore.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"
Windows security modification
Process: 1f609ed72b74f23379e8d7636b5faa13.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"
Adds Run key to start application (2 TTPs, 4 IoCs)
Process: iexplore.exe
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"
Checks whether UAC is enabled
Process: 1f609ed72b74f23379e8d7636b5faa13.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes (pid / process):
- 540 1f609ed72b74f23379e8d7636b5faa13.exe (12 occurrences)
Suspicious use of SetThreadContext (2 IoCs)
Processes (description / pid / process / target process):
- PID 540 set thread context of 1592: 1f609ed72b74f23379e8d7636b5faa13.exe -> 1f609ed72b74f23379e8d7636b5faa13.exe
- PID 1592 set thread context of 544: 1f609ed72b74f23379e8d7636b5faa13.exe -> iexplore.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Delays execution with timeout.exe (1 IoCs)
Processes (pid / process):
- 1632 timeout.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes (pid / process):
- 540 1f609ed72b74f23379e8d7636b5faa13.exe (3 occurrences)
- 1592 1f609ed72b74f23379e8d7636b5faa13.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 540 1f609ed72b74f23379e8d7636b5faa13.exe
- Token: SeDebugPrivilege, 544 iexplore.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid / process):
- 1592 1f609ed72b74f23379e8d7636b5faa13.exe
- 544 iexplore.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes (description / pid / process / target process):
- PID 540 wrote to memory of 1252: 1f609ed72b74f23379e8d7636b5faa13.exe -> cmd.exe (4 occurrences)
- PID 1252 wrote to memory of 1632: cmd.exe -> timeout.exe (4 occurrences)
- PID 540 wrote to memory of 1592: 1f609ed72b74f23379e8d7636b5faa13.exe -> 1f609ed72b74f23379e8d7636b5faa13.exe (8 occurrences)
- PID 1592 wrote to memory of 544: 1f609ed72b74f23379e8d7636b5faa13.exe -> iexplore.exe (9 occurrences)
System policy modification (1 TTPs, 1 IoCs)
Process: 1f609ed72b74f23379e8d7636b5faa13.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe"
  Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      Signatures: Delays execution with timeout.exe
  - C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe"
    Signatures: Windows security modification; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
      Signatures: Adds policy Run key to start application; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/540-60-0x0000000000D20000-0x0000000000D21000-memory.dmp (4KB)
- memory/540-62-0x0000000000720000-0x0000000000721000-memory.dmp (4KB)
- memory/540-63-0x00000000003B0000-0x00000000003E9000-memory.dmp (228KB)
- memory/544-70-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
- memory/544-71-0x0000000000401364-mapping.dmp
- memory/544-72-0x00000000006A0000-0x00000000007F3000-memory.dmp (1.3MB)
- memory/544-76-0x0000000075A71000-0x0000000075A73000-memory.dmp (8KB)
- memory/1252-64-0x0000000000000000-mapping.dmp
- memory/1592-66-0x0000000000400000-0x000000000042C000-memory.dmp (176KB)
- memory/1592-67-0x00000000004010B8-mapping.dmp
- memory/1632-65-0x0000000000000000-mapping.dmp