Overview

overview

10

Static

static

INQUIRY No...ro.exe

windows7_x64

10

INQUIRY No...ro.exe

windows10_x64

10

Analysis

  • max time kernel
    62s
  • max time network
    160s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    30-06-2021 05:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INQUIRY No. 063021 Materials for Al Wakra Pro.exe

  • Size

    1.3MB

  • MD5

    a15915a25a5ec67af6e2e422acedaa68

  • SHA1

    c48ccd1326ab3a1d15dec32b1617c2e65ee9d194

  • SHA256

    d72da2af39e90713d465aff2de9c4991a2fe6125e06b67cd85cd67915a2c966e

  • SHA512

    87bb58dfed4271fc985e2c4987478230b4ed588986749798ffe333ea885bca41f3aa8cf98a0b23bf6e53eaa7cce803e9b717ed5530c8dd5751ae0853005e3fdb

Score
10/10
xpertratoscar clientevasionpersistencerattrojanupx

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

OSCAR CLIENT

C2

oski123.duckdns.org:1909

Mutex

I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 2 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 063021 Materials for Al Wakra Pro.exe
    "C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 063021 Materials for Al Wakra Pro.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 063021 Materials for Al Wakra Pro.exe
      "C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 063021 Materials for Al Wakra Pro.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2352
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 063021 Materials for Al Wakra Pro.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3724
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\vdrdjxxni0.txt"
          4⤵
            PID:3636
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 92
              5⤵
              • Program crash
              PID:3728
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\vdrdjxxni0.txt"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3732
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\vdrdjxxni1.txt"
            4⤵
              PID:3840
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\vdrdjxxni2.txt"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1240
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\vdrdjxxni3.txt"
              4⤵
                PID:1520
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\vdrdjxxni4.txt"
                4⤵
                  PID:2416

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          2
          T1060

          Privilege Escalation

          Bypass User Account Control

          1
          T1088

          Defense Evasion

          Bypass User Account Control

          1
          T1088

          Disabling Security Tools

          3
          T1089

          Modify Registry

          6
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\vdrdjxxni2.txt
            MD5

            f94dc819ca773f1e3cb27abbc9e7fa27

            SHA1

            9a7700efadc5ea09ab288544ef1e3cd876255086

            SHA256

            a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

            SHA512

            72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

            Download Submit
          • C:\Users\Admin\AppData\Roaming\I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8\vdrdjxxni4.txt
            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit
          • memory/1240-151-0x0000000000442F04-mapping.dmp
            Download
          • memory/1240-150-0x0000000000400000-0x0000000000459000-memory.dmp
            Filesize

            356KB

            Download
          • memory/1520-156-0x0000000000413750-mapping.dmp
            Download
          • memory/1520-155-0x0000000000400000-0x0000000000416000-memory.dmp
            Filesize

            88KB

            Download
          • memory/2352-127-0x0000000000400000-0x000000000042C000-memory.dmp
            Filesize

            176KB

            Download
          • memory/2352-129-0x0000000000400000-0x000000000042C000-memory.dmp
            Filesize

            176KB

            Download
          • memory/2352-128-0x00000000004010B8-mapping.dmp
            Download
          • memory/2416-160-0x000000000040C2A8-mapping.dmp
            Download
          • memory/2416-159-0x0000000000400000-0x0000000000415000-memory.dmp
            Filesize

            84KB

            Download
          • memory/3128-123-0x0000000005680000-0x0000000005681000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3128-114-0x0000000000120000-0x0000000000121000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3128-125-0x000000000B930000-0x000000000B9AB000-memory.dmp
            Filesize

            492KB

            Download
          • memory/3128-124-0x0000000009730000-0x000000000B72F000-memory.dmp
            Filesize

            32.0MB

            Download
          • memory/3128-116-0x0000000004A70000-0x0000000004A71000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3128-117-0x0000000005090000-0x0000000005091000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3128-126-0x000000000B9B0000-0x000000000B9F0000-memory.dmp
            Filesize

            256KB

            Download
          • memory/3128-118-0x0000000004C30000-0x0000000004C31000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3128-119-0x0000000004B90000-0x000000000508E000-memory.dmp
            Filesize

            5.0MB

            Download
          • memory/3128-120-0x0000000004B10000-0x0000000004B11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3128-121-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3128-122-0x0000000004F00000-0x0000000004F01000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3636-141-0x0000000000423BC0-mapping.dmp
            Download
          • memory/3724-136-0x00000000036F0000-0x0000000003843000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3724-137-0x00000000036F1000-0x00000000037ED000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3724-133-0x0000000000401364-mapping.dmp
            Download
          • memory/3724-132-0x0000000000400000-0x0000000000443000-memory.dmp
            Filesize

            268KB

            Download
          • memory/3732-143-0x0000000000423BC0-mapping.dmp
            Download
          • memory/3732-142-0x0000000000400000-0x0000000000426000-memory.dmp
            Filesize

            152KB

            Download
          • memory/3840-147-0x0000000000411654-mapping.dmp
            Download
          • memory/3840-146-0x0000000000400000-0x000000000041B000-memory.dmp
            Filesize

            108KB

            Download