Analysis

  • max time kernel
    151s
  • max time network
    166s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    30-09-2021 06:04

General

  • Target

    cb12b24b0f69225693168e9c35761a1b.exe

  • Size

    503KB

  • MD5

    cb12b24b0f69225693168e9c35761a1b

  • SHA1

    0f68f676d76e3546d7d625cdb14f0947c59beff5

  • SHA256

    c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

  • SHA512

    9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • XpertRAT

    XpertRAT is a commercially sold remote access trojan; its advertised features are the usual RAT set (remote control of the desktop, file access, keylogging). The process tree below shows the loader pattern behind the signatures above: the dropper re-executes itself, the second instance writes into a suspended copy of iexplore.exe (SetThreadContext/WriteProcessMemory, image path and command line naming different executables), and a notepad.exe child removes the original file.

  • XpertRAT Core Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned description rates this as likely ransomware behaviour, but in this report no file encryption or ransom-note activity is listed; for a RAT, drive enumeration is equally consistent with inventorying the host for the operator.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe
    "C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3548
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1000
    • C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe
      C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:992
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
          • Deletes itself
          PID:4052
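The chain above (powershell children of a Temp executable, an iexplore.exe whose command line is the dropper path, a notepad.exe child that deletes the original) and the C2 from the Malware Config section can be turned into host detection logic. The block below is an added example by the editor, not code from the sandbox or from the XpertRAT report: the event dictionaries are a constructed, loosely Sysmon-like schema of this script's own, the explorer.exe parent of PID 3260 is an assumption, and the DNS/network events for the C2 are constructed because the report's Network section is empty. It also shows the caveat that matters when comparing image path with command line: the powershell children run from SysWOW64 while their command line says System32, so the comparison must use basenames, not full paths.

```python
"""Detection logic for the execution chain and C2 indicators in this report.

Added example: the event schema (type/pid/ppid/image/cmdline/parent_image,
plus dns and network events) is this script's own, not Sysmon's or the
sandbox's, and the events are constructed from the report's process tree.
"""
import re

# Indicators copied from the Malware Config section of the report.
C2_HOST = "kapasky-antivirus.firewall-gateway.net"
C2_PORT = 4000

# Paths copied from the process tree.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\cb12b24b0f69225693168e9c35761a1b.exe"
IEXPLORE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '

USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed events. The parent of PID 3260 and the dns/network events are
# assumptions; everything else mirrors the process tree in the report.
EVENTS = [
    {"type": "process", "pid": 3260, "ppid": 1234, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"', "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 3548, "ppid": 3260, "image": PS_IMAGE,
     "cmdline": PS_CMD + "Test-NetConnection -TraceRoute twitch.com",
     "parent_image": SAMPLE},
    {"type": "process", "pid": 1000, "ppid": 3260, "image": PS_IMAGE,
     "cmdline": PS_CMD + "Start-Sleep -s 5", "parent_image": SAMPLE},
    {"type": "process", "pid": 992, "ppid": 3260, "image": SAMPLE,
     "cmdline": SAMPLE, "parent_image": SAMPLE},
    {"type": "process", "pid": 2532, "ppid": 992, "image": IEXPLORE,
     "cmdline": SAMPLE, "parent_image": SAMPLE},
    {"type": "process", "pid": 4052, "ppid": 2532,
     "image": r"C:\Windows\SysWOW64\notepad.exe", "cmdline": "notepad.exe",
     "parent_image": IEXPLORE},
    {"type": "dns", "pid": 2532, "query": C2_HOST},
    {"type": "network", "pid": 2532, "dst_host": C2_HOST, "dst_port": C2_PORT},
]


def _first_token(cmdline):
    """Executable part of a Windows command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hollowing_suspect(ev):
    """Image and command line name different executables: the visible trace of
    a suspended child whose image was replaced (SetThreadContext +
    WriteProcessMemory). Basenames are compared, not full paths, so the
    SysWOW64 vs System32 redirection on the powershell children is not a hit."""
    if ev["type"] != "process":
        return False
    return _base(ev["image"]) != _base(_first_token(ev["cmdline"]))


def powershell_from_user_temp(ev):
    """powershell.exe whose parent runs out of a user's Temp directory."""
    return (ev["type"] == "process" and _base(ev["image"]) == "powershell.exe"
            and USER_TEMP.search(ev["parent_image"]) is not None)


def c2_contact(ev):
    """DNS lookup of, or connection to, the configured C2 host. The port alone
    (4000) is too weak to alert on, so it is only checked together with the host."""
    if ev["type"] == "dns":
        return ev["query"].lower() == C2_HOST
    if ev["type"] == "network":
        return ev["dst_host"].lower() == C2_HOST and ev["dst_port"] == C2_PORT
    return False


def evaluate(events):
    """Apply the rules in event order and propagate suspicion along lineage:
    the injector (parent of a hollowed process) and children of anything
    flagged are reported too, which is how an innocuous notepad.exe gets tied
    back to the hollowed iexplore.exe that spawned it."""
    hits, suspicious = [], set()
    for ev in events:
        reasons = []
        if hollowing_suspect(ev):
            reasons.append("image/cmdline mismatch (hollowing)")
            hits.append((ev["ppid"], "injected into child %d" % ev["pid"]))
            suspicious.add(ev["ppid"])
        if powershell_from_user_temp(ev):
            reasons.append("powershell spawned from user Temp")
        if c2_contact(ev):
            reasons.append("contact with known C2")
        if ev["type"] == "process" and ev["ppid"] in suspicious and not reasons:
            reasons.append("child of suspicious process")
        if reasons:
            suspicious.add(ev["pid"])
            hits.extend((ev["pid"], r) for r in reasons)
    return hits


if __name__ == "__main__":
    for pid, reason in evaluate(EVENTS):
        print(pid, reason)
```

Run against the constructed events, `evaluate` flags PIDs 3548 and 1000 (powershell from Temp), 2532 (hollowed iexplore.exe and C2 contact), 992 as the injector, and 4052 through lineage; the dropper PID 3260 is deliberately not flagged by any rule, because "executable running from Temp" alone is too noisy for a production rule.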

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    MD5

    1712dab0a1bf4e9e3ff666b9c431550d

    SHA1

    34d1dec8fa95f62c72cb3f92a22c13ad9eece10f

    SHA256

    7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97

    SHA512

    6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    MD5

    1c33ff599b382b705675229c91fc2f99

    SHA1

    c20086746c14c5d57be9a3df47bd75fa77abe7e0

    SHA256

    d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a

    SHA512

    5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    MD5

    9959b6d1155a9c0618a8b07d46b6ef07

    SHA1

    8518e8e6a0ecdeab03fcbe2bcb71b4b14f0c5786

    SHA256

    a5f17b4a70aea4f8ba4b85adf88ffc793e1e06af10cb9d9504bd762c3d9632a5

    SHA512

    78c5a5319ee2f2bded6ae0c268a05886ff88b4b03a45f466b8ba73f10f2436bf54d5b489f423b21650685fa21c212f0102487aa72aee9b2c49e888153ff3d65e

  • memory/992-708-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/992-704-0x00000000004010B8-mapping.dmp

  • memory/992-703-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1000-687-0x0000000004320000-0x0000000004321000-memory.dmp

    Filesize

    4KB

  • memory/1000-688-0x0000000004322000-0x0000000004323000-memory.dmp

    Filesize

    4KB

  • memory/1000-677-0x0000000000000000-mapping.dmp

  • memory/1000-707-0x0000000004323000-0x0000000004324000-memory.dmp

    Filesize

    4KB

  • memory/2532-710-0x0000000000401364-mapping.dmp

  • memory/2532-709-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/2532-713-0x0000000003300000-0x0000000003453000-memory.dmp

    Filesize

    1.3MB

  • memory/2532-714-0x0000000003301000-0x00000000033FD000-memory.dmp

    Filesize

    1008KB

  • memory/3260-114-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

    Filesize

    4KB

  • memory/3260-701-0x00000000014A0000-0x00000000014EF000-memory.dmp

    Filesize

    316KB

  • memory/3260-702-0x00000000016D0000-0x0000000001700000-memory.dmp

    Filesize

    192KB

  • memory/3260-116-0x0000000001250000-0x000000000139A000-memory.dmp

    Filesize

    1.3MB

  • memory/3548-128-0x0000000008640000-0x0000000008641000-memory.dmp

    Filesize

    4KB

  • memory/3548-138-0x0000000009780000-0x00000000097B3000-memory.dmp

    Filesize

    204KB

  • memory/3548-381-0x000000000B520000-0x000000000B521000-memory.dmp

    Filesize

    4KB

  • memory/3548-382-0x0000000009D60000-0x0000000009D61000-memory.dmp

    Filesize

    4KB

  • memory/3548-393-0x0000000002F60000-0x0000000002F61000-memory.dmp

    Filesize

    4KB

  • memory/3548-469-0x0000000003200000-0x0000000003201000-memory.dmp

    Filesize

    4KB

  • memory/3548-552-0x0000000003430000-0x0000000003431000-memory.dmp

    Filesize

    4KB

  • memory/3548-562-0x0000000007316000-0x0000000007318000-memory.dmp

    Filesize

    8KB

  • memory/3548-571-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

    Filesize

    4KB

  • memory/3548-152-0x0000000009D80000-0x0000000009D81000-memory.dmp

    Filesize

    4KB

  • memory/3548-151-0x000000007E540000-0x000000007E541000-memory.dmp

    Filesize

    4KB

  • memory/3548-150-0x0000000009AD0000-0x0000000009AD1000-memory.dmp

    Filesize

    4KB

  • memory/3548-145-0x0000000009760000-0x0000000009761000-memory.dmp

    Filesize

    4KB

  • memory/3548-153-0x0000000007313000-0x0000000007314000-memory.dmp

    Filesize

    4KB

  • memory/3548-130-0x0000000008A40000-0x0000000008A41000-memory.dmp

    Filesize

    4KB

  • memory/3548-129-0x0000000008670000-0x0000000008671000-memory.dmp

    Filesize

    4KB

  • memory/3548-127-0x0000000008270000-0x0000000008271000-memory.dmp

    Filesize

    4KB

  • memory/3548-126-0x0000000008200000-0x0000000008201000-memory.dmp

    Filesize

    4KB

  • memory/3548-125-0x0000000008090000-0x0000000008091000-memory.dmp

    Filesize

    4KB

  • memory/3548-124-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

    Filesize

    4KB

  • memory/3548-122-0x0000000007310000-0x0000000007311000-memory.dmp

    Filesize

    4KB

  • memory/3548-123-0x0000000007312000-0x0000000007313000-memory.dmp

    Filesize

    4KB

  • memory/3548-121-0x0000000007950000-0x0000000007951000-memory.dmp

    Filesize

    4KB

  • memory/3548-120-0x0000000007220000-0x0000000007221000-memory.dmp

    Filesize

    4KB

  • memory/3548-117-0x0000000000000000-mapping.dmp

  • memory/4052-717-0x0000000000000000-mapping.dmp
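The dump names above encode PID, sequence number, address range and kind, and the stated Filesize should equal the address range. The block below is an added example by the editor, not part of the sandbox report: it parses that naming scheme, cross-checks each Filesize against the range, and groups regions per PID. Reading a non-zero `-mapping.dmp` address (0x4010B8 for PID 992, 0x401364 for PID 2532) as the address where execution was redirected into the dumped region, and a region starting at 0x400000 as an injected 32-bit PE image, is this script's interpretation of the listing, not something the report states.

```python
"""Inventory of the memory dumps listed in the Downloads section.

Added example, not part of the report: parses the dump names, verifies the
stated Filesize against the address range and groups regions per PID. The
LISTING is copied verbatim from the page; the reading of '-mapping.dmp'
addresses as redirected entry points is an assumption of this script.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)
STATED_SIZE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)(?P<unit>KB|MB)$")

# Subset of the listing above: (dump name, stated Filesize or None).
LISTING = [
    ("memory/992-708-0x0000000000400000-0x000000000042C000-memory.dmp", "176KB"),
    ("memory/992-704-0x00000000004010B8-mapping.dmp", None),
    ("memory/2532-710-0x0000000000401364-mapping.dmp", None),
    ("memory/2532-709-0x0000000000400000-0x0000000000443000-memory.dmp", "268KB"),
    ("memory/2532-713-0x0000000003300000-0x0000000003453000-memory.dmp", "1.3MB"),
    ("memory/2532-714-0x0000000003301000-0x00000000033FD000-memory.dmp", "1008KB"),
    ("memory/3548-117-0x0000000000000000-mapping.dmp", None),
    ("memory/4052-717-0x0000000000000000-mapping.dmp", None),
]


def parse_name(name):
    """Split a dump name into pid, sequence number, kind and address range."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError("not a sandbox dump name: %s" % name)
    d = m.groupdict()
    start = int(d["start"], 16)
    end = int(d["end"], 16) if d["end"] else None
    return {"pid": int(d["pid"]), "seq": int(d["seq"]), "kind": d["kind"],
            "start": start, "end": end,
            "bytes": (end - start) if end is not None else 0}


def size_matches(nbytes, stated):
    """True if the human-readable Filesize agrees with the address range,
    using the same rounding the listing uses (whole KB, one decimal for MB)."""
    m = STATED_SIZE.match(stated)
    if not m:
        return False
    num = float(m["num"])
    if m["unit"] == "KB":
        return round(nbytes / 1024) == num
    return round(nbytes / (1024 * 1024), 1) == num


def inventory(listing):
    """Group regions and redirected entry points per PID; record any entry
    whose stated size does not match its range (a sign of a mangled listing)."""
    per_pid = defaultdict(lambda: {"regions": [], "entry_points": [],
                                   "size_mismatches": []})
    for name, stated in listing:
        e = parse_name(name)
        slot = per_pid[e["pid"]]
        if e["kind"] == "memory":
            slot["regions"].append(e)
            if stated and not size_matches(e["bytes"], stated):
                slot["size_mismatches"].append(name)
        elif e["start"] != 0:
            slot["entry_points"].append(e["start"])  # assumption: redirected EIP
    for slot in per_pid.values():
        slot["regions"].sort(key=lambda r: r["seq"])
    return dict(per_pid)


def image_base_regions(inv):
    """PIDs holding a dumped region that starts at 0x400000, the default image
    base of a 32-bit PE; here those are the injected images in 992 and 2532."""
    return sorted(pid for pid, s in inv.items()
                  if any(r["start"] == 0x400000 for r in s["regions"]))


if __name__ == "__main__":
    inv = inventory(LISTING)
    for pid, s in sorted(inv.items()):
        print(pid, [hex(r["start"]) for r in s["regions"]],
              [hex(a) for a in s["entry_points"]], s["size_mismatches"])
```

All four stated sizes check out against their ranges (0x2C000 bytes is 176KB, 0x43000 is 268KB, 0x153000 rounds to 1.3MB, 0xFC000 is 1008KB); the two dumps with a 0x400000 base are the 176KB unpacked stage in PID 992 and the 268KB image written into iexplore.exe, which is what a practitioner would carve out first for further analysis.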