xpertrat | 29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02

General

Target

1f609ed72b74f23379e8d7636b5faa13.exe
Size

25KB
MD5

1f609ed72b74f23379e8d7636b5faa13
SHA1

439d50691f585b1a3cd674a0852834a97d9fc9cb
SHA256

29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02
SHA512

15eb37df42c5747aad644844b7ed3a7da98855e443e5293a64ebf092025e9210e99dbc7889c92854bcbfbf1840004a6c0b2c086a20d6a968f22354f0cd1161b4

Score

10^/10

xpertrat special x evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

ghytrty.duckdns.org:4145

spapertyy.duckdns.org:4145

Mutex

L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3900-126-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral2/memory/3900-127-0x0000000000401364-mapping.dmp	xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"	iexplore.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	1f609ed72b74f23379e8d7636b5faa13.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0\\L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1f609ed72b74f23379e8d7636b5faa13.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

pid	process
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe1f609ed72b74f23379e8d7636b5faa13.exe

description	pid	process	target process
PID 3876 set thread context of 192	3876	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 192 set thread context of 3900	192	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3560 3876 WerFault.exe 1f609ed72b74f23379e8d7636b5faa13.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3904 timeout.exe

pid	pid_target	process	target process
3560	3876	WerFault.exe	1f609ed72b74f23379e8d7636b5faa13.exe

pid	process
3904	timeout.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe1f609ed72b74f23379e8d7636b5faa13.exeWerFault.exe

pid	process
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
3876	1f609ed72b74f23379e8d7636b5faa13.exe
192	1f609ed72b74f23379e8d7636b5faa13.exe
192	1f609ed72b74f23379e8d7636b5faa13.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
3560	WerFault.exe
192	1f609ed72b74f23379e8d7636b5faa13.exe
192	1f609ed72b74f23379e8d7636b5faa13.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exeWerFault.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	3876	1f609ed72b74f23379e8d7636b5faa13.exe
Token: SeRestorePrivilege	3560	WerFault.exe
Token: SeBackupPrivilege	3560	WerFault.exe
Token: SeDebugPrivilege	3900	iexplore.exe
Token: SeDebugPrivilege	3560	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.exeiexplore.exe

pid process

192 1f609ed72b74f23379e8d7636b5faa13.exe
3900 iexplore.exe

pid	process
192	1f609ed72b74f23379e8d7636b5faa13.exe
3900	iexplore.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

1f609ed72b74f23379e8d7636b5faa13.execmd.exe1f609ed72b74f23379e8d7636b5faa13.exe

description	pid	process	target process
PID 3876 wrote to memory of 3940	3876	1f609ed72b74f23379e8d7636b5faa13.exe	cmd.exe
PID 3876 wrote to memory of 3940	3876	1f609ed72b74f23379e8d7636b5faa13.exe	cmd.exe
PID 3876 wrote to memory of 3940	3876	1f609ed72b74f23379e8d7636b5faa13.exe	cmd.exe
PID 3940 wrote to memory of 3904	3940	cmd.exe	timeout.exe
PID 3940 wrote to memory of 3904	3940	cmd.exe	timeout.exe
PID 3940 wrote to memory of 3904	3940	cmd.exe	timeout.exe
PID 3876 wrote to memory of 192	3876	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 3876 wrote to memory of 192	3876	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 3876 wrote to memory of 192	3876	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 3876 wrote to memory of 192	3876	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 3876 wrote to memory of 192	3876	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 3876 wrote to memory of 192	3876	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 3876 wrote to memory of 192	3876	1f609ed72b74f23379e8d7636b5faa13.exe	1f609ed72b74f23379e8d7636b5faa13.exe
PID 192 wrote to memory of 3900	192	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 192 wrote to memory of 3900	192	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 192 wrote to memory of 3900	192	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 192 wrote to memory of 3900	192	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 192 wrote to memory of 3900	192	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 192 wrote to memory of 3900	192	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 192 wrote to memory of 3900	192	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe
PID 192 wrote to memory of 3900	192	1f609ed72b74f23379e8d7636b5faa13.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

1f609ed72b74f23379e8d7636b5faa13.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1f609ed72b74f23379e8d7636b5faa13.exe

C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
"C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3904

C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
"C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:192

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\1f609ed72b74f23379e8d7636b5faa13.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1840
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

6

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/192-122-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/192-130-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/192-123-0x00000000004010B8-mapping.dmp

Download
memory/3876-116-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3876-117-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/3876-118-0x0000000004B10000-0x000000000500E000-memory.dmp

Filesize
5.0MB

Download
memory/3876-119-0x00000000024C0000-0x00000000024F9000-memory.dmp

Filesize
228KB

Download
memory/3876-114-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3900-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-127-0x0000000000401364-mapping.dmp

Download
memory/3900-132-0x0000000003100000-0x0000000003253000-memory.dmp

Filesize
1.3MB

Download
memory/3900-133-0x0000000003101000-0x00000000031FD000-memory.dmp

Filesize
1008KB

Download
memory/3904-121-0x0000000000000000-mapping.dmp

Download
memory/3940-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads