Overview

overview

10

Static

static

EXCEL.exe

windows7_x64

10

EXCEL.exe

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    06-09-2021 11:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EXCEL.exe

  • Size

    911KB

  • MD5

    eefa3dd3a36a5decba3c42072ef0798e

  • SHA1

    a51f4f499fc618b9dc36e079258ed3c087e2bae5

  • SHA256

    862bf290697cfbd5cb41966b550e8b163aac94d6e07461c6e4353ea6fad62e83

  • SHA512

    6e28230749c2938279e32d4c2631ea6193f28c2a5d5cd38f4176dc8e5e70a986db866e770ff32e4eaad3233b8e336f66877e1e2c70c9ef5ec2f3912f9df7d6a2

Score
10/10
xpertrattestevasionpersistencerattrojanupx

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 2 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
    "C:\Users\Admin\AppData\Local\Temp\EXCEL.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1468
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1320
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:324
    • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
      C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2008
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
        3⤵
          PID:1252
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
          3⤵
            PID:1516
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
            3⤵
              PID:1560
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
              3⤵
              • Adds policy Run key to start application
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:1964
              • C:\Windows\SysWOW64\notepad.exe
                notepad.exe
                4⤵
                • Deletes itself
                PID:608
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\oigetytud0.txt"
                4⤵
                  PID:1396
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\oigetytud1.txt"
                  4⤵
                    PID:1532
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\oigetytud2.txt"
                    4⤵
                      PID:1692
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\oigetytud3.txt"
                      4⤵
                        PID:564
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\oigetytud4.txt"
                        4⤵
                          PID:532

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\oigetytud2.txt
                    MD5

                    f3b25701fe362ec84616a93a45ce9998

                    SHA1

                    d62636d8caec13f04e28442a0a6fa1afeb024bbb

                    SHA256

                    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                    SHA512

                    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\oigetytud4.txt
                    MD5

                    f3b25701fe362ec84616a93a45ce9998

                    SHA1

                    d62636d8caec13f04e28442a0a6fa1afeb024bbb

                    SHA256

                    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                    SHA512

                    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                    MD5

                    8ff59a39feae834f4574a358122a4a8b

                    SHA1

                    1d9b29d097fdcecf31b41f77ca9710cfb7322b8f

                    SHA256

                    d0efae4e1476e615da7d5947cb8f2def0d95705bee735d264cd099fefd5b23c1

                    SHA512

                    2cee2487fd686f8d6c4bdbd6c7895d83123ce98cec15ea7b8bbf7a3889150cbfdce76e243c73709a0ebf020a16e5eaef22c931e222e9c141f0f403cacfa5ee88

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                    MD5

                    8ff59a39feae834f4574a358122a4a8b

                    SHA1

                    1d9b29d097fdcecf31b41f77ca9710cfb7322b8f

                    SHA256

                    d0efae4e1476e615da7d5947cb8f2def0d95705bee735d264cd099fefd5b23c1

                    SHA512

                    2cee2487fd686f8d6c4bdbd6c7895d83123ce98cec15ea7b8bbf7a3889150cbfdce76e243c73709a0ebf020a16e5eaef22c931e222e9c141f0f403cacfa5ee88

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                    MD5

                    8ff59a39feae834f4574a358122a4a8b

                    SHA1

                    1d9b29d097fdcecf31b41f77ca9710cfb7322b8f

                    SHA256

                    d0efae4e1476e615da7d5947cb8f2def0d95705bee735d264cd099fefd5b23c1

                    SHA512

                    2cee2487fd686f8d6c4bdbd6c7895d83123ce98cec15ea7b8bbf7a3889150cbfdce76e243c73709a0ebf020a16e5eaef22c931e222e9c141f0f403cacfa5ee88

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                    MD5

                    8ff59a39feae834f4574a358122a4a8b

                    SHA1

                    1d9b29d097fdcecf31b41f77ca9710cfb7322b8f

                    SHA256

                    d0efae4e1476e615da7d5947cb8f2def0d95705bee735d264cd099fefd5b23c1

                    SHA512

                    2cee2487fd686f8d6c4bdbd6c7895d83123ce98cec15ea7b8bbf7a3889150cbfdce76e243c73709a0ebf020a16e5eaef22c931e222e9c141f0f403cacfa5ee88

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                    MD5

                    8ff59a39feae834f4574a358122a4a8b

                    SHA1

                    1d9b29d097fdcecf31b41f77ca9710cfb7322b8f

                    SHA256

                    d0efae4e1476e615da7d5947cb8f2def0d95705bee735d264cd099fefd5b23c1

                    SHA512

                    2cee2487fd686f8d6c4bdbd6c7895d83123ce98cec15ea7b8bbf7a3889150cbfdce76e243c73709a0ebf020a16e5eaef22c931e222e9c141f0f403cacfa5ee88

                    Download Submit
                  • \??\PIPE\srvsvc
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    Download Submit
                  • \??\PIPE\srvsvc
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    Download Submit
                  • memory/324-79-0x0000000000000000-mapping.dmp
                    Download
                  • memory/532-121-0x000000000040C2A8-mapping.dmp
                    Download
                  • memory/532-120-0x0000000000400000-0x0000000000415000-memory.dmp
                    Filesize

                    84KB

                    Download
                  • memory/564-118-0x0000000000413750-mapping.dmp
                    Download
                  • memory/564-117-0x0000000000400000-0x0000000000416000-memory.dmp
                    Filesize

                    88KB

                    Download
                  • memory/608-104-0x0000000000000000-mapping.dmp
                    Download
                  • memory/736-53-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/736-55-0x0000000075E51000-0x0000000075E53000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/736-56-0x0000000004890000-0x0000000004891000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/736-88-0x0000000004DD0000-0x0000000004DF8000-memory.dmp
                    Filesize

                    160KB

                    Download
                  • memory/736-83-0x0000000002150000-0x00000000021A5000-memory.dmp
                    Filesize

                    340KB

                    Download
                  • memory/1252-94-0x0000000000401364-mapping.dmp
                    Download
                  • memory/1320-77-0x00000000020D1000-0x00000000020D2000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1320-78-0x00000000020D2000-0x00000000020D4000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1320-72-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1320-76-0x00000000020D0000-0x00000000020D1000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1396-107-0x0000000000400000-0x0000000000426000-memory.dmp
                    Filesize

                    152KB

                    Download
                  • memory/1396-108-0x0000000000423BC0-mapping.dmp
                    Download
                  • memory/1468-65-0x0000000002220000-0x0000000002E6A000-memory.dmp
                    Filesize

                    12.3MB

                    Download
                  • memory/1468-62-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1516-96-0x0000000000401364-mapping.dmp
                    Download
                  • memory/1532-111-0x0000000000411654-mapping.dmp
                    Download
                  • memory/1532-110-0x0000000000400000-0x000000000041B000-memory.dmp
                    Filesize

                    108KB

                    Download
                  • memory/1560-98-0x0000000000401364-mapping.dmp
                    Download
                  • memory/1624-69-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1692-113-0x0000000000400000-0x0000000000459000-memory.dmp
                    Filesize

                    356KB

                    Download
                  • memory/1692-114-0x0000000000442F04-mapping.dmp
                    Download
                  • memory/1964-101-0x0000000000600000-0x0000000000753000-memory.dmp
                    Filesize

                    1.3MB

                    Download
                  • memory/1964-100-0x0000000000401364-mapping.dmp
                    Download
                  • memory/1964-99-0x0000000000400000-0x0000000000443000-memory.dmp
                    Filesize

                    268KB

                    Download
                  • memory/1980-57-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1980-59-0x0000000001E50000-0x0000000001E51000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1980-60-0x0000000001E51000-0x0000000001E52000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1980-61-0x0000000001E52000-0x0000000001E54000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/2008-89-0x0000000000400000-0x000000000042C000-memory.dmp
                    Filesize

                    176KB

                    Download
                  • memory/2008-90-0x00000000004010B8-mapping.dmp
                    Download
                  • memory/2024-66-0x0000000000000000-mapping.dmp
                    Download