Overview

overview

10

Static

static

452ea764a4...8a.exe

windows7_x64

10

452ea764a4...8a.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29-09-2021 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    452ea764a4f629c9c4d6880aa215928a.exe

  • Size

    433KB

  • MD5

    452ea764a4f629c9c4d6880aa215928a

  • SHA1

    9b69fcd3856d302da2506e84f220b26dd926e061

  • SHA256

    e4b8184869d65a34fb9e0fb43d8b6c252cb153f7139485e3fde6d02cd6898242

  • SHA512

    c0898afc925e5a6099ca6ba8468aa6ef528b94f921036db0445dd5b2f575fbf4bb25994196fe4af387c43542720215b29422e241e6da172aad22c8824e2281a0

Score
10/10
xpertrattestevasionrattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 31 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 30 IoCs
  • Suspicious use of SetThreadContext 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    "C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
      C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
      2⤵
        PID:3020
      • C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
        C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
        2⤵
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1440
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
          3⤵
            PID:2992
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 24
              4⤵
              • Program crash
              PID:4060
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
            3⤵
              PID:1264
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 24
                4⤵
                • Program crash
                PID:1152
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
              3⤵
                PID:3792
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 24
                  4⤵
                  • Program crash
                  PID:3180
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                3⤵
                  PID:3448
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 24
                    4⤵
                    • Program crash
                    PID:796
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                  3⤵
                    PID:1384
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 24
                      4⤵
                      • Program crash
                      PID:2312
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                    3⤵
                      PID:2100
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 24
                        4⤵
                        • Program crash
                        PID:3728
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                      3⤵
                        PID:4064
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 24
                          4⤵
                          • Program crash
                          PID:4016
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                        3⤵
                          PID:3440
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 24
                            4⤵
                            • Program crash
                            PID:1764
                        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                          3⤵
                            PID:1828
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 24
                              4⤵
                              • Program crash
                              PID:604
                          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                            C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                            3⤵
                              PID:2712
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 24
                                4⤵
                                • Program crash
                                PID:1096
                            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                              3⤵
                                PID:1168
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 24
                                  4⤵
                                  • Program crash
                                  PID:1844
                              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                3⤵
                                  PID:1008
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 24
                                    4⤵
                                    • Program crash
                                    PID:3200
                                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                  C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                  3⤵
                                    PID:1648
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 24
                                      4⤵
                                      • Program crash
                                      PID:1548
                                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                    3⤵
                                      PID:412
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 24
                                        4⤵
                                        • Program crash
                                        PID:1404
                                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                      C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                      3⤵
                                        PID:2452
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 24
                                          4⤵
                                          • Program crash
                                          PID:4092
                                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                        C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                        3⤵
                                          PID:1256
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 24
                                            4⤵
                                            • Program crash
                                            PID:1156
                                        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                          C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                          3⤵
                                            PID:3900
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 24
                                              4⤵
                                              • Program crash
                                              PID:504
                                          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                            C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                            3⤵
                                              PID:4076
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 24
                                                4⤵
                                                • Program crash
                                                PID:2900
                                            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                              C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                              3⤵
                                                PID:2952
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 24
                                                  4⤵
                                                  • Program crash
                                                  PID:1128
                                              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                3⤵
                                                  PID:1512
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 24
                                                    4⤵
                                                    • Program crash
                                                    PID:2156
                                                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                  C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                  3⤵
                                                    PID:2068
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 24
                                                      4⤵
                                                      • Program crash
                                                      PID:2492
                                                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                    3⤵
                                                      PID:744
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 24
                                                        4⤵
                                                        • Program crash
                                                        PID:3544
                                                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                      C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                      3⤵
                                                        PID:1160
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 24
                                                          4⤵
                                                          • Program crash
                                                          PID:3928
                                                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                        C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                        3⤵
                                                          PID:1804
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 24
                                                            4⤵
                                                            • Program crash
                                                            PID:1496
                                                        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                          C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                          3⤵
                                                            PID:1336
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 24
                                                              4⤵
                                                              • Program crash
                                                              PID:1240
                                                          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                            C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                            3⤵
                                                              PID:3148
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 24
                                                                4⤵
                                                                • Program crash
                                                                PID:1800
                                                            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                              C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                              3⤵
                                                                PID:1548
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 24
                                                                  4⤵
                                                                  • Program crash
                                                                  PID:3924
                                                              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                                3⤵
                                                                  PID:1944
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 24
                                                                    4⤵
                                                                    • Program crash
                                                                    PID:3408
                                                                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                                  3⤵
                                                                    PID:3832
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 24
                                                                      4⤵
                                                                      • Program crash
                                                                      PID:3724
                                                                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
                                                                    3⤵
                                                                      PID:3528
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 24
                                                                        4⤵
                                                                        • Program crash
                                                                        PID:3564

                                                                Network

                                                                MITRE ATT&CK Matrix ATT&CK v6

                                                                Initial Access

                                                                Execution

                                                                Persistence

                                                                Privilege Escalation

                                                                Bypass User Account Control

                                                                1
                                                                T1088

                                                                Defense Evasion

                                                                Bypass User Account Control

                                                                1
                                                                T1088

                                                                Disabling Security Tools

                                                                3
                                                                T1089

                                                                Modify Registry

                                                                4
                                                                T1112

                                                                Credential Access

                                                                Discovery

                                                                System Information Discovery

                                                                1
                                                                T1082

                                                                Lateral Movement

                                                                Collection

                                                                Exfiltration

                                                                Command and Control

                                                                Impact

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • memory/412-151-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/744-167-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1008-147-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1160-169-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1168-145-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1256-155-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1264-127-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1336-173-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1384-133-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1400-118-0x00000000057E0000-0x0000000005810000-memory.dmp
                                                                  Filesize

                                                                  192KB

                                                                  Download
                                                                • memory/1400-114-0x0000000000B50000-0x0000000000B51000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/1400-116-0x0000000003010000-0x0000000003011000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/1400-117-0x00000000054E0000-0x0000000005529000-memory.dmp
                                                                  Filesize

                                                                  292KB

                                                                  Download
                                                                • memory/1440-119-0x0000000000400000-0x000000000042C000-memory.dmp
                                                                  Filesize

                                                                  176KB

                                                                  Download
                                                                • memory/1440-125-0x0000000000400000-0x000000000042C000-memory.dmp
                                                                  Filesize

                                                                  176KB

                                                                  Download
                                                                • memory/1440-120-0x00000000004010B8-mapping.dmp
                                                                  Download
                                                                • memory/1512-163-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1548-177-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1648-149-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1804-171-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1828-141-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/1944-179-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/2068-165-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/2100-135-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/2452-153-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/2712-143-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/2952-161-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/2992-123-0x0000000000400000-0x0000000000443000-memory.dmp
                                                                  Filesize

                                                                  268KB

                                                                  Download
                                                                • memory/2992-124-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/3148-175-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/3440-139-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/3448-131-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/3528-183-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/3792-129-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/3832-181-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/3900-157-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/4064-137-0x0000000000401364-mapping.dmp
                                                                  Download
                                                                • memory/4076-159-0x0000000000401364-mapping.dmp
                                                                  Download