Overview

overview

10

Static

static

49af0abba0...c7.exe

windows7_x64

10

49af0abba0...c7.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    22-09-2021 07:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49af0abba03a7d559171f378728e9bc7.exe

  • Size

    33KB

  • MD5

    49af0abba03a7d559171f378728e9bc7

  • SHA1

    7e6e1ccf693bb62f2a36119996583228a9e5c665

  • SHA256

    bc2a5e452669de43c4f4533c995b515bace2941ea5b45bb537085b204ee5d54b

  • SHA512

    d155349a6dae76775b26a96ec00a8dc860749eb46450c6dcc479303afa01325b1fb31b41c8adac3cbabb2b17c7b23a6768949a8bf5221c3edee0a25082e71a8f

Score
10/10
xpertrattestevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe
    "C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2360
    • C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe
      C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3144
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe
        3⤵
          PID:3868
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 100
            4⤵
            • Program crash
            PID:396
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\49af0abba03a7d559171f378728e9bc7.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1764
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe
            4⤵
            • Deletes itself
            PID:1300

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      66382a4ca6c4dcf75ce41417d44be93e

      SHA1

      8132cbef1c12f8a89a68a6153ade4286bf130812

      SHA256

      a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

      SHA512

      2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      d6618ccec6ef1c78233d4f41a2b9805d

      SHA1

      7aa1f883a954595872973a341f1f5012da557c08

      SHA256

      edb8c39176df911fa5bb3b41073647ad86beed644eae778dbc65e70e35196fe9

      SHA512

      5fee1668d1712ee8baf29e8fe004cd623403553366c43b9efe27b49424f59f9aafeeb95954e2af4c2fe4719d7541e1e6e2ffea0d893bfac881ed50749ca4b660

      Download Submit
    • memory/656-114-0x00000000008C0000-0x00000000008C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/656-116-0x0000000005750000-0x0000000005751000-memory.dmp
      Filesize

      4KB

      Download
    • memory/656-117-0x0000000005250000-0x0000000005251000-memory.dmp
      Filesize

      4KB

      Download
    • memory/656-118-0x0000000005230000-0x0000000005231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/656-119-0x00000000052F0000-0x00000000052F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/656-167-0x0000000007670000-0x00000000076A0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/656-166-0x0000000008460000-0x00000000084AF000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1056-126-0x0000000004962000-0x0000000004963000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-154-0x0000000004963000-0x0000000004964000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-128-0x0000000007AA0000-0x0000000007AA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-129-0x00000000079C0000-0x00000000079C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-130-0x0000000007BF0000-0x0000000007BF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-131-0x0000000006F20000-0x0000000006F21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-132-0x0000000008340000-0x0000000008341000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-133-0x0000000008410000-0x0000000008411000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-138-0x00000000098F0000-0x00000000098F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-139-0x0000000009080000-0x0000000009081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-120-0x0000000000000000-mapping.dmp
      Download
    • memory/1056-125-0x0000000004960000-0x0000000004961000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-124-0x00000000072F0000-0x00000000072F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-127-0x0000000007920000-0x0000000007921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1056-123-0x0000000004880000-0x0000000004881000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1300-183-0x0000000000000000-mapping.dmp
      Download
    • memory/1764-175-0x0000000000400000-0x0000000000443000-memory.dmp
      Filesize

      268KB

      Download
    • memory/1764-180-0x00000000031E1000-0x00000000032DD000-memory.dmp
      Filesize

      1008KB

      Download
    • memory/1764-179-0x00000000031E0000-0x0000000003333000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1764-176-0x0000000000401364-mapping.dmp
      Download
    • memory/2360-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2360-156-0x0000000004F12000-0x0000000004F13000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2360-155-0x0000000004F10000-0x0000000004F11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2360-165-0x0000000004F13000-0x0000000004F14000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3144-174-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/3144-169-0x00000000004010B8-mapping.dmp
      Download
    • memory/3144-168-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/3868-173-0x0000000000401364-mapping.dmp
      Download