Overview

overview

10

Static

static

f6200b9b97...22.exe

windows7_x64

10

f6200b9b97...22.exe

windows10_x64

10

Analysis

  • max time kernel
    77s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-09-2021 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6200b9b9789794de4a8d78f4ae96d22.exe

  • Size

    292KB

  • MD5

    f6200b9b9789794de4a8d78f4ae96d22

  • SHA1

    1d18c71e7e4de5c6216653db5effba586345597c

  • SHA256

    85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

  • SHA512

    5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Score
10/10
xpertrattestevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 1 IoCs
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 2 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
    "C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1216
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1388
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2276
    • C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
      C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1748
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
        3⤵
          PID:4072
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 92
            4⤵
            • Program crash
            PID:820
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe
            4⤵
            • Deletes itself
            PID:3980
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\arzuswuka0.txt"
            4⤵
              PID:1332
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 92
                5⤵
                • Program crash
                PID:1264
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\arzuswuka0.txt"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1328
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\arzuswuka1.txt"
              4⤵
                PID:2800
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\arzuswuka2.txt"
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1476
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\arzuswuka3.txt"
                4⤵
                  PID:2728
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\arzuswuka4.txt"
                  4⤵
                    PID:2296

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            2
            T1060

            Privilege Escalation

            Bypass User Account Control

            1
            T1088

            Defense Evasion

            Bypass User Account Control

            1
            T1088

            Disabling Security Tools

            3
            T1089

            Modify Registry

            6
            T1112

            Credential Access

            Discovery

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              MD5

              e71a0a7e48b10bde0a9c54387762f33e

              SHA1

              fed75947f1163b00096e24a46e67d9c21e7eeebd

              SHA256

              83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

              SHA512

              394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              MD5

              8660a4637b572e5e873ef1f732a82261

              SHA1

              296063f66b7c9147e4064edb938ee441284ac873

              SHA256

              90867b5af926f1ae0ed73fea9f4cf778f96af16fdcd8595f9fef456db0be074a

              SHA512

              b72cfdf0316db8beb6445c0710017222035c3ba7a7f47b8d72cdab9027c1e01524cc51930cf2cbfa2ce0912376ddf35f976095848e5ee3dc634e4a3421a4e3f6

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              MD5

              0c13f05a12dc83f890009cb5385ab227

              SHA1

              f1e7074e5cac5c93a0faa9abad3dbefdf4c5ed0e

              SHA256

              0af61ea8a157a08e01529c7f67a53921e3a7a27c842b01797d0db7eb5cb67c8d

              SHA512

              76022ac70111ab1c0329d6e791c31370bda7a4d38873b91c6e836001dc99e67a0d8d51bd6950f686d2401cbda518acf3ee035f512f8ca774fac2ef2717b39d00

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              MD5

              2802260e694ebf1227e6e925af81980d

              SHA1

              8858ac84ed2b92df1298b129bd867ebe743a38b9

              SHA256

              cc0a6c1a887d205958ef32c526fa2ab6d42f8799ca8b95d5324473fefe65c833

              SHA512

              69c652e93c866c15b999ba641032be6a74f484441c6457df81d34fe13c2cb049a17144c19950dca1b5ec9e4099ff3829ea1285a71eb709095031bc15c9ea0773

              Download Submit
            • C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\arzuswuka2.txt
              MD5

              f94dc819ca773f1e3cb27abbc9e7fa27

              SHA1

              9a7700efadc5ea09ab288544ef1e3cd876255086

              SHA256

              a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

              SHA512

              72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

              Download Submit
            • C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\arzuswuka4.txt
              MD5

              f3b25701fe362ec84616a93a45ce9998

              SHA1

              d62636d8caec13f04e28442a0a6fa1afeb024bbb

              SHA256

              b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

              SHA512

              98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              Download Submit
            • memory/604-114-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/604-505-0x0000000005C30000-0x0000000005C60000-memory.dmp
              Filesize

              192KB

              Download
            • memory/604-504-0x0000000007CE0000-0x0000000007D26000-memory.dmp
              Filesize

              280KB

              Download
            • memory/604-119-0x0000000005950000-0x0000000005951000-memory.dmp
              Filesize

              4KB

              Download
            • memory/604-118-0x0000000005810000-0x0000000005D0E000-memory.dmp
              Filesize

              5.0MB

              Download
            • memory/604-117-0x00000000058B0000-0x00000000058B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/604-116-0x0000000005D10000-0x0000000005D11000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1204-139-0x0000000006642000-0x0000000006643000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1204-174-0x0000000008CF0000-0x0000000008CF1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1204-129-0x00000000064E0000-0x00000000064E1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1204-141-0x0000000006AF0000-0x0000000006AF1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1204-132-0x0000000006C80000-0x0000000006C81000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1204-121-0x0000000000000000-mapping.dmp
              Download
            • memory/1204-137-0x0000000006640000-0x0000000006641000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1204-211-0x0000000006643000-0x0000000006644000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1204-156-0x0000000007A30000-0x0000000007A31000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1216-207-0x00000000048C3000-0x00000000048C4000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1216-136-0x00000000048C0000-0x00000000048C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1216-180-0x00000000090E0000-0x00000000090E1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1216-144-0x0000000007A00000-0x0000000007A01000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1216-120-0x0000000000000000-mapping.dmp
              Download
            • memory/1216-138-0x00000000048C2000-0x00000000048C3000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1216-153-0x0000000008090000-0x0000000008091000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1216-147-0x0000000007C50000-0x0000000007C51000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1328-525-0x0000000000423BC0-mapping.dmp
              Download
            • memory/1332-523-0x0000000000423BC0-mapping.dmp
              Download
            • memory/1388-135-0x0000000006E00000-0x0000000006E01000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1388-150-0x0000000007C50000-0x0000000007C51000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1388-159-0x00000000083D0000-0x00000000083D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1388-208-0x0000000006E03000-0x0000000006E04000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1388-204-0x000000000A420000-0x000000000A421000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1388-140-0x0000000006E02000-0x0000000006E03000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1388-122-0x0000000000000000-mapping.dmp
              Download
            • memory/1388-177-0x0000000009070000-0x0000000009071000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1476-533-0x0000000000442F04-mapping.dmp
              Download
            • memory/1748-506-0x0000000000400000-0x000000000042C000-memory.dmp
              Filesize

              176KB

              Download
            • memory/1748-507-0x00000000004010B8-mapping.dmp
              Download
            • memory/1748-512-0x0000000000400000-0x000000000042C000-memory.dmp
              Filesize

              176KB

              Download
            • memory/2276-415-0x0000000004A30000-0x0000000004A31000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2276-440-0x0000000004A33000-0x0000000004A34000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2276-416-0x0000000004A32000-0x0000000004A33000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2276-408-0x0000000000000000-mapping.dmp
              Download
            • memory/2296-542-0x000000000040C2A8-mapping.dmp
              Download
            • memory/2728-538-0x0000000000413750-mapping.dmp
              Download
            • memory/2800-529-0x0000000000411654-mapping.dmp
              Download
            • memory/2912-514-0x0000000000401364-mapping.dmp
              Download
            • memory/3980-521-0x0000000000000000-mapping.dmp
              Download
            • memory/4072-511-0x0000000000401364-mapping.dmp
              Download