Overview

overview

10

Static

static

49af0abba0...c7.exe

windows7_x64

10

49af0abba0...c7.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    22-09-2021 07:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49af0abba03a7d559171f378728e9bc7.exe

  • Size

    33KB

  • MD5

    49af0abba03a7d559171f378728e9bc7

  • SHA1

    7e6e1ccf693bb62f2a36119996583228a9e5c665

  • SHA256

    bc2a5e452669de43c4f4533c995b515bace2941ea5b45bb537085b204ee5d54b

  • SHA512

    d155349a6dae76775b26a96ec00a8dc860749eb46450c6dcc479303afa01325b1fb31b41c8adac3cbabb2b17c7b23a6768949a8bf5221c3edee0a25082e71a8f

Score
10/10
xpertrattestevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe
    "C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1396
    • C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe
      C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1500
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe
        3⤵
          PID:680
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:976
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe
            4⤵
            • Deletes itself
            PID:828

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      MD5

      bbf05ec41efa8caf3e915e887a9fa53e

      SHA1

      32fc5249458bf5ca1fb8f2d109fedd2d003279af

      SHA256

      68077b939eee6972f05b2947963d662fda5cc10e28bde6d26bb2a4989f6aeee1

      SHA512

      421162865959e2ee6c55c892c1bf29b054ddfec36cfa55d9e6761f70601c06435068b3cc54274ceab692cc1d9e4f7925979655247bf670eabe415c7ff59c3fdd

      Download Submit
    • memory/680-73-0x0000000000401364-mapping.dmp
      Download
    • memory/680-72-0x0000000000400000-0x0000000000443000-memory.dmp
      Filesize

      268KB

      Download
    • memory/828-79-0x0000000000000000-mapping.dmp
      Download
    • memory/976-76-0x00000000004C0000-0x0000000000613000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/976-75-0x0000000000401364-mapping.dmp
      Download
    • memory/1232-54-0x00000000013C0000-0x00000000013C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1232-56-0x00000000005D0000-0x00000000005D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1232-66-0x0000000005C70000-0x0000000005CBF000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1232-67-0x0000000000BD0000-0x0000000000C00000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1396-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1396-65-0x0000000002300000-0x0000000002F4A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1500-68-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1500-69-0x00000000004010B8-mapping.dmp
      Download
    • memory/1524-60-0x0000000002500000-0x000000000314A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1524-61-0x0000000002500000-0x000000000314A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1524-59-0x0000000002500000-0x000000000314A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1524-58-0x0000000074F81000-0x0000000074F83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1524-57-0x0000000000000000-mapping.dmp
      Download