Overview

overview

10

Static

static

f6200b9b97...22.exe

windows7_x64

3

f6200b9b97...22.exe

windows10_x64

10

Analysis

  • max time kernel
    82s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    20-09-2021 12:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6200b9b9789794de4a8d78f4ae96d22.exe

  • Size

    292KB

  • MD5

    f6200b9b9789794de4a8d78f4ae96d22

  • SHA1

    1d18c71e7e4de5c6216653db5effba586345597c

  • SHA256

    85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

  • SHA512

    5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Score
10/10
xpertrattestevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 1 IoCs
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 3 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
    "C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3388
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3928
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3032
    • C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
      C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
      2⤵
        PID:4716
      • C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
        C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
        2⤵
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4720
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4764
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe
            4⤵
            • Deletes itself
            PID:1016
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck0.txt"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4784
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck1.txt"
            4⤵
              PID:4796
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 92
                5⤵
                • Program crash
                PID:1304
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck1.txt"
              4⤵
                PID:4828
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck2.txt"
                4⤵
                  PID:4860
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 92
                    5⤵
                    • Program crash
                    PID:1436
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck2.txt"
                  4⤵
                    PID:4876
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 92
                      5⤵
                      • Program crash
                      PID:4884
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck2.txt"
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1600
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck3.txt"
                    4⤵
                      PID:1672
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck4.txt"
                      4⤵
                        PID:1824

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Registry Run Keys / Startup Folder

                2
                T1060

                Privilege Escalation

                Bypass User Account Control

                1
                T1088

                Defense Evasion

                Bypass User Account Control

                1
                T1088

                Disabling Security Tools

                3
                T1089

                Modify Registry

                6
                T1112

                Credential Access

                Discovery

                System Information Discovery

                2
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                  MD5

                  e71a0a7e48b10bde0a9c54387762f33e

                  SHA1

                  fed75947f1163b00096e24a46e67d9c21e7eeebd

                  SHA256

                  83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

                  SHA512

                  394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                  MD5

                  e71a0a7e48b10bde0a9c54387762f33e

                  SHA1

                  fed75947f1163b00096e24a46e67d9c21e7eeebd

                  SHA256

                  83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

                  SHA512

                  394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  MD5

                  3e77416d08e983c4998c643d5bcfac14

                  SHA1

                  ffe76fe7b9acaf48ebb11799618b111c362d5ab3

                  SHA256

                  fca58f3e1d9142142f68e503be69209cd16f7fa573b99a85f484898c68fac675

                  SHA512

                  298e863d5cf308cd50ff1687fb076fe882ff72e5bc2f7b4775e5c88efad6ca15fbe252620228eee8e6e896460dca1a25bfb7402390d77438be5e7862ef24997d

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  MD5

                  27e87e2444e75e1df647adc5c9a43364

                  SHA1

                  b29220936e83725e2794e4523483214eea3cda35

                  SHA256

                  c4175db27f7e960f30cbcad7541b3157b3a31ed521f79c66820febca3e4c18e8

                  SHA512

                  f4dce6aeccda767db9e87ba00537ba46802da759cf0e2b2ae4b6ed515d3c7024277a4c92c95aac6905d9e2cbf7cec3ba0a02aaa8cbce1231262120e3ab8d8c75

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck2.txt
                  MD5

                  f94dc819ca773f1e3cb27abbc9e7fa27

                  SHA1

                  9a7700efadc5ea09ab288544ef1e3cd876255086

                  SHA256

                  a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

                  SHA512

                  72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck4.txt
                  MD5

                  f3b25701fe362ec84616a93a45ce9998

                  SHA1

                  d62636d8caec13f04e28442a0a6fa1afeb024bbb

                  SHA256

                  b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                  SHA512

                  98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                  Download Submit
                • memory/1016-520-0x0000000000000000-mapping.dmp
                  Download
                • memory/1600-536-0x0000000000442F04-mapping.dmp
                  Download
                • memory/1672-541-0x0000000000413750-mapping.dmp
                  Download
                • memory/1824-545-0x000000000040C2A8-mapping.dmp
                  Download
                • memory/3032-455-0x0000000001033000-0x0000000001034000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3032-409-0x0000000000000000-mapping.dmp
                  Download
                • memory/3032-413-0x0000000001030000-0x0000000001031000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3032-415-0x0000000001032000-0x0000000001033000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3388-505-0x0000000006F10000-0x0000000006F56000-memory.dmp
                  Filesize

                  280KB

                  Download
                • memory/3388-119-0x0000000004B70000-0x0000000004B71000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3388-115-0x00000000002E0000-0x00000000002E1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3388-506-0x0000000005010000-0x0000000005040000-memory.dmp
                  Filesize

                  192KB

                  Download
                • memory/3388-120-0x0000000004B00000-0x0000000004B01000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3388-118-0x0000000004BE0000-0x0000000004BE1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3388-117-0x0000000005040000-0x0000000005041000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3584-139-0x0000000006B40000-0x0000000006B41000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3584-154-0x0000000007A10000-0x0000000007A11000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3584-151-0x0000000007580000-0x0000000007581000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3584-123-0x0000000000000000-mapping.dmp
                  Download
                • memory/3584-144-0x0000000000E52000-0x0000000000E53000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3584-138-0x0000000000E50000-0x0000000000E51000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3584-209-0x0000000000E53000-0x0000000000E54000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3888-208-0x0000000006BA3000-0x0000000006BA4000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3888-142-0x0000000006BA2000-0x0000000006BA3000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3888-160-0x00000000082E0000-0x00000000082E1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3888-136-0x0000000006BA0000-0x0000000006BA1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3888-122-0x0000000000000000-mapping.dmp
                  Download
                • memory/3888-148-0x0000000007A90000-0x0000000007A91000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3888-145-0x00000000079B0000-0x00000000079B1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3928-157-0x00000000089F0000-0x00000000089F1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3928-133-0x0000000007940000-0x0000000007941000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3928-210-0x0000000007303000-0x0000000007304000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3928-205-0x000000000A9D0000-0x000000000A9D1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3928-137-0x0000000007300000-0x0000000007301000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3928-143-0x0000000007302000-0x0000000007303000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3928-121-0x0000000000000000-mapping.dmp
                  Download
                • memory/3928-171-0x00000000098B0000-0x00000000098B1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3928-176-0x00000000095A0000-0x00000000095A1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3928-179-0x00000000095C0000-0x00000000095C1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3928-130-0x0000000004D80000-0x0000000004D81000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4720-507-0x0000000000400000-0x000000000042C000-memory.dmp
                  Filesize

                  176KB

                  Download
                • memory/4720-511-0x0000000000400000-0x000000000042C000-memory.dmp
                  Filesize

                  176KB

                  Download
                • memory/4720-508-0x00000000004010B8-mapping.dmp
                  Download
                • memory/4764-513-0x0000000000401364-mapping.dmp
                  Download
                • memory/4784-522-0x0000000000423BC0-mapping.dmp
                  Download
                • memory/4796-526-0x0000000000411654-mapping.dmp
                  Download
                • memory/4828-528-0x0000000000411654-mapping.dmp
                  Download
                • memory/4860-532-0x0000000000442F04-mapping.dmp
                  Download
                • memory/4876-534-0x0000000000442F04-mapping.dmp
                  Download