Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    20-09-2021 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe

  • Size

    292KB

  • MD5

    f6200b9b9789794de4a8d78f4ae96d22

  • SHA1

    1d18c71e7e4de5c6216653db5effba586345597c

  • SHA256

    85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

  • SHA512

    5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Score
10/10
xpertrattestevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe
    "C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3460
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1896
    • C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe
      C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1008
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe
        3⤵
          PID:1336
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 100
            4⤵
            • Program crash
            PID:1616
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3800
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe
            4⤵
            • Deletes itself
            PID:2472

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      ad6bde808bdc16964ad7a372e7b73cfd

      SHA1

      2194901b8e870a408b4aa4d0534d9df9c6060b9d

      SHA256

      4025d9a34e53b11408497c52a42f477697c240c351e6ba44404fee866730a45b

      SHA512

      57aad0c89654751afc3e8f71924a5a9de569e88c55f05b5cab18491960bc9d09ee7f7d106cea3c3ac09b8099efaff52fd47645f7e6869d0f06cee3d60d66a66f

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      517212a16fbab4b6cf90069cfeadc27f

      SHA1

      755aafbaa6e73cdf728cb198e7d0af1623ed6459

      SHA256

      dd3143f6dea807befafc7bac40a2aee4a52e8f09af9665e26569a2b7883eec88

      SHA512

      dc20545e5b22185a060b918691406b8b070ec727298b76c7064c29047aa90054df95ad8433eebfddde8893bf501ee808bc3f0b7ecf00c8d30b161f83bce8de8e

      Download Submit
    • memory/1008-506-0x00000000004010B8-mapping.dmp
      Download
    • memory/1008-511-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1008-505-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1336-510-0x0000000000401364-mapping.dmp
      Download
    • memory/1896-420-0x0000000001180000-0x0000000001181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1896-407-0x0000000000000000-mapping.dmp
      Download
    • memory/1896-421-0x0000000001182000-0x0000000001183000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1896-434-0x0000000001183000-0x0000000001184000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2348-117-0x00000000052D0000-0x00000000052D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2348-120-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2348-115-0x0000000000470000-0x0000000000471000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2348-118-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2348-119-0x0000000004CC0000-0x0000000004D52000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2348-503-0x0000000007130000-0x0000000007176000-memory.dmp
      Filesize

      280KB

      Download
    • memory/2348-504-0x0000000004F50000-0x0000000004F80000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2472-521-0x0000000000000000-mapping.dmp
      Download
    • memory/2724-173-0x0000000008B70000-0x0000000008B71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2724-148-0x0000000007640000-0x0000000007641000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2724-141-0x0000000000EE2000-0x0000000000EE3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2724-207-0x0000000000EE3000-0x0000000000EE4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2724-137-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2724-130-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2724-123-0x0000000000000000-mapping.dmp
      Download
    • memory/2724-203-0x0000000009C90000-0x0000000009C91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3128-136-0x00000000067C0000-0x00000000067C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3128-139-0x00000000067C2000-0x00000000067C3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3128-121-0x0000000000000000-mapping.dmp
      Download
    • memory/3128-208-0x00000000067C3000-0x00000000067C4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3128-142-0x0000000006C60000-0x0000000006C61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3128-146-0x0000000006D70000-0x0000000006D71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3128-151-0x0000000007610000-0x0000000007611000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3128-154-0x0000000007550000-0x0000000007551000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3460-157-0x0000000008780000-0x0000000008781000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3460-160-0x00000000089C0000-0x00000000089C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3460-178-0x0000000009730000-0x0000000009731000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3460-140-0x0000000004E32000-0x0000000004E33000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3460-138-0x0000000004E30000-0x0000000004E31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3460-180-0x0000000009780000-0x0000000009781000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3460-133-0x0000000007940000-0x0000000007941000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3460-122-0x0000000000000000-mapping.dmp
      Download
    • memory/3460-209-0x0000000004E33000-0x0000000004E34000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3800-513-0x0000000000401364-mapping.dmp
      Download