Overview

overview

10

Static

static

INQUIRY No...ro.exe

windows7_x64

10

INQUIRY No...ro.exe

windows10_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    30-06-2021 05:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INQUIRY No. 063021 Materials for Al Wakra Pro.exe

  • Size

    1.3MB

  • MD5

    a15915a25a5ec67af6e2e422acedaa68

  • SHA1

    c48ccd1326ab3a1d15dec32b1617c2e65ee9d194

  • SHA256

    d72da2af39e90713d465aff2de9c4991a2fe6125e06b67cd85cd67915a2c966e

  • SHA512

    87bb58dfed4271fc985e2c4987478230b4ed588986749798ffe333ea885bca41f3aa8cf98a0b23bf6e53eaa7cce803e9b717ed5530c8dd5751ae0853005e3fdb

Score
10/10
xpertratoscar clientevasionpersistencerattrojanupx

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

OSCAR CLIENT

C2

oski123.duckdns.org:1909

Mutex

I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 2 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 063021 Materials for Al Wakra Pro.exe
    "C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 063021 Materials for Al Wakra Pro.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 063021 Materials for Al Wakra Pro.exe
      "C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 063021 Materials for Al Wakra Pro.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:520
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 063021 Materials for Al Wakra Pro.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi0.txt"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1824
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi1.txt"
          4⤵
            PID:860
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi2.txt"
            4⤵
              PID:924
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi3.txt"
              4⤵
                PID:1320
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi3.txt"
                4⤵
                  PID:1828
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi3.txt"
                  4⤵
                    PID:1668
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi3.txt"
                    4⤵
                      PID:748
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi4.txt"
                      4⤵
                        PID:364
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi4.txt"
                        4⤵
                          PID:1256
                        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi4.txt"
                          4⤵
                            PID:1600
                          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                            /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi4.txt"
                            4⤵
                              PID:1700

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Registry Run Keys / Startup Folder

                      2
                      T1060

                      Privilege Escalation

                      Bypass User Account Control

                      1
                      T1088

                      Defense Evasion

                      Bypass User Account Control

                      1
                      T1088

                      Disabling Security Tools

                      3
                      T1089

                      Modify Registry

                      6
                      T1112

                      Credential Access

                      Discovery

                      System Information Discovery

                      1
                      T1082

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi2.txt
                        MD5

                        f3b25701fe362ec84616a93a45ce9998

                        SHA1

                        d62636d8caec13f04e28442a0a6fa1afeb024bbb

                        SHA256

                        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                        SHA512

                        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\xuladdnpi4.txt
                        MD5

                        f3b25701fe362ec84616a93a45ce9998

                        SHA1

                        d62636d8caec13f04e28442a0a6fa1afeb024bbb

                        SHA256

                        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                        SHA512

                        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                        Download Submit
                      • memory/364-96-0x000000000040C2A8-mapping.dmp
                        Download
                      • memory/520-66-0x00000000004010B8-mapping.dmp
                        Download
                      • memory/520-65-0x0000000000400000-0x000000000042C000-memory.dmp
                        Filesize

                        176KB

                        Download
                      • memory/748-93-0x0000000000413750-mapping.dmp
                        Download
                      • memory/748-92-0x0000000000400000-0x0000000000416000-memory.dmp
                        Filesize

                        88KB

                        Download
                      • memory/856-69-0x0000000000400000-0x0000000000443000-memory.dmp
                        Filesize

                        268KB

                        Download
                      • memory/856-71-0x00000000006D0000-0x0000000000823000-memory.dmp
                        Filesize

                        1.3MB

                        Download
                      • memory/856-75-0x0000000074F31000-0x0000000074F33000-memory.dmp
                        Filesize

                        8KB

                        Download
                      • memory/856-70-0x0000000000401364-mapping.dmp
                        Download
                      • memory/860-79-0x0000000000400000-0x000000000041B000-memory.dmp
                        Filesize

                        108KB

                        Download
                      • memory/860-80-0x0000000000411654-mapping.dmp
                        Download
                      • memory/924-83-0x0000000000442F04-mapping.dmp
                        Download
                      • memory/924-82-0x0000000000400000-0x0000000000459000-memory.dmp
                        Filesize

                        356KB

                        Download
                      • memory/1256-98-0x000000000040C2A8-mapping.dmp
                        Download
                      • memory/1320-87-0x0000000000413750-mapping.dmp
                        Download
                      • memory/1600-100-0x000000000040C2A8-mapping.dmp
                        Download
                      • memory/1668-91-0x0000000000413750-mapping.dmp
                        Download
                      • memory/1700-101-0x0000000000400000-0x0000000000415000-memory.dmp
                        Filesize

                        84KB

                        Download
                      • memory/1700-102-0x000000000040C2A8-mapping.dmp
                        Download
                      • memory/1824-76-0x0000000000400000-0x0000000000426000-memory.dmp
                        Filesize

                        152KB

                        Download
                      • memory/1824-77-0x0000000000423BC0-mapping.dmp
                        Download
                      • memory/1828-89-0x0000000000413750-mapping.dmp
                        Download
                      • memory/1852-59-0x0000000000C60000-0x0000000000C61000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/1852-64-0x0000000000C10000-0x0000000000C50000-memory.dmp
                        Filesize

                        256KB

                        Download
                      • memory/1852-63-0x0000000005480000-0x00000000054FB000-memory.dmp
                        Filesize

                        492KB

                        Download
                      • memory/1852-62-0x0000000009FA0000-0x000000000BF9F000-memory.dmp
                        Filesize

                        32.0MB

                        Download
                      • memory/1852-61-0x0000000004930000-0x0000000004931000-memory.dmp
                        Filesize

                        4KB

                        Download