Malware Analysis Report

2024-10-19 07:37

Sample ID 210930-km65wshac3
Target EXCEL.exe
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
Tags
xpertrat test evasion persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

Threat Level: Known bad

The file EXCEL.exe was found to be: Known bad.

Malicious Activity Summary

xpertrat test evasion persistence rat trojan

Windows security bypass

XpertRAT Core Payload

UAC bypass

XpertRAT

Adds policy Run key to start application

Windows security modification

Deletes itself

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-30 08:44

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-30 08:44

Reported

2021-09-30 08:46

Platform

win10v20210408

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EXCEL.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 664 set thread context of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1420 set thread context of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 664 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 664 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 664 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 664 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 664 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 664 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 664 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1420 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1420 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1420 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1420 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1420 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1420 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1420 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1420 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1960 wrote to memory of 1700 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe
PID 1960 wrote to memory of 1700 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe
PID 1960 wrote to memory of 1700 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe
PID 1960 wrote to memory of 1700 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

"C:\Users\Admin\AppData\Local\Temp\EXCEL.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | twitch.com | udp
US | 8.8.8.8:53 | twitch.com | udp
US | 8.8.8.8:53 | twitch.com | udp
US | 8.8.8.8:53 | twitch.com | udp
US | 8.8.8.8:53 | twitch.com | udp
US | 8.8.8.8:53 | kapasky-antivirus.firewall-gateway.net | udp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp

Files

memory/664-114-0x0000000000850000-0x0000000000851000-memory.dmp

memory/664-116-0x0000000005230000-0x0000000005231000-memory.dmp

memory/1164-117-0x0000000000000000-mapping.dmp

memory/1164-120-0x0000000006980000-0x0000000006981000-memory.dmp

memory/1164-121-0x0000000007040000-0x0000000007041000-memory.dmp

memory/1164-122-0x0000000006A00000-0x0000000006A01000-memory.dmp

memory/1164-123-0x0000000006A02000-0x0000000006A03000-memory.dmp

memory/1164-124-0x00000000076B0000-0x00000000076B1000-memory.dmp

memory/1164-125-0x0000000007750000-0x0000000007751000-memory.dmp

memory/1164-126-0x0000000007910000-0x0000000007911000-memory.dmp

memory/1164-127-0x0000000007A80000-0x0000000007A81000-memory.dmp

memory/1164-128-0x0000000007E30000-0x0000000007E31000-memory.dmp

memory/1164-129-0x00000000082A0000-0x00000000082A1000-memory.dmp

memory/1164-130-0x0000000008160000-0x0000000008161000-memory.dmp

memory/1164-138-0x0000000008EE0000-0x0000000008F13000-memory.dmp

memory/1164-145-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

memory/1164-150-0x0000000009230000-0x0000000009231000-memory.dmp

memory/1164-151-0x000000007EDD0000-0x000000007EDD1000-memory.dmp

memory/1164-152-0x0000000009450000-0x0000000009451000-memory.dmp

memory/1164-219-0x0000000006A03000-0x0000000006A04000-memory.dmp

memory/1164-381-0x000000000ABA0000-0x000000000ABA1000-memory.dmp

memory/1164-382-0x000000000A540000-0x000000000A541000-memory.dmp

memory/1164-393-0x00000000028D0000-0x00000000028D1000-memory.dmp

memory/1164-469-0x0000000006F40000-0x0000000006F41000-memory.dmp

memory/1164-552-0x0000000006F70000-0x0000000006F71000-memory.dmp

memory/1164-570-0x0000000002930000-0x0000000002931000-memory.dmp

memory/1164-572-0x0000000006A06000-0x0000000006A08000-memory.dmp

memory/716-677-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 26cfaf6b321c86dfc24262e01f03d929
SHA1 7026c2d0182aee991326da0967418a3b72d97970
SHA256 ef42a7bbf10616760366d4baba9976be9b8497f610389b5b8994eea2c498489b
SHA512 fed2081182d4b7d8f679e0e06eea4a4c1292f83c6b4ffaf46f0d199c384efca86da03d69ecd65cdd87c52745979f53eabe6ab19e1251000849c5c67a8038eac7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 66c63c392d8c9423fc27c3a21623fb5c
SHA1 aa77e0802f753540e1a6d9e7f918f78ba54e8275
SHA256 2cd50ee734d44b5d676d99c92103ab9b0520140f52f1d664177f8fd7446c86b3
SHA512 36ba2c958232a1cc9aef4490287463ed5a5a5c0969be047e2a937104a1c68578aba80d0f046c61dac2e36b00c35dcebc7156ef467a0dff09cf7a2245cfe96d98

memory/716-690-0x0000000007330000-0x0000000007331000-memory.dmp

memory/716-691-0x0000000007332000-0x0000000007333000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 1c33ff599b382b705675229c91fc2f99
SHA1 c20086746c14c5d57be9a3df47bd75fa77abe7e0
SHA256 d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a
SHA512 5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

memory/664-701-0x0000000001120000-0x000000000116F000-memory.dmp

memory/664-702-0x0000000002BE0000-0x0000000002C10000-memory.dmp

memory/716-703-0x0000000007333000-0x0000000007334000-memory.dmp

memory/1420-704-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1420-705-0x00000000004010B8-mapping.dmp

memory/1420-706-0x0000000001570000-0x00000000016C3000-memory.dmp

memory/1420-707-0x0000000001571000-0x000000000166D000-memory.dmp

memory/1960-710-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1960-711-0x0000000000401364-mapping.dmp

memory/1960-714-0x0000000002F90000-0x00000000030E3000-memory.dmp

memory/1960-715-0x0000000002F91000-0x000000000308D000-memory.dmp

memory/1420-717-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1700-719-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-30 08:44

Reported

2021-09-30 08:46

Platform

win7-en-20210920

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EXCEL.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1216 set thread context of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 548 set thread context of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1216 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1216 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 548 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 548 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 548 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 548 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 548 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 548 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 548 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 548 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 548 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1072 wrote to memory of 840 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe
PID 1072 wrote to memory of 840 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe
PID 1072 wrote to memory of 840 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe
PID 1072 wrote to memory of 840 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe
PID 1072 wrote to memory of 840 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\EXCEL.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

"C:\Users\Admin\AppData\Local\Temp\EXCEL.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | kapasky-antivirus.firewall-gateway.net | udp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
US | 8.8.8.8:53 | kapasky-antivirus.firewall-gateway.net | udp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
US | 151.101.1.194:443 | N/A | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
US | 8.8.8.8:53 | kapasky-antivirus.firewall-gateway.net | udp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp

Files

memory/1216-53-0x0000000000850000-0x0000000000851000-memory.dmp

memory/1216-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

memory/1540-56-0x0000000000000000-mapping.dmp

memory/1216-58-0x0000000004880000-0x0000000004881000-memory.dmp

memory/1540-59-0x00000000023B0000-0x0000000002FFA000-memory.dmp

memory/1540-60-0x00000000023B0000-0x0000000002FFA000-memory.dmp

memory/1540-61-0x00000000023B0000-0x0000000002FFA000-memory.dmp

memory/268-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 8eea4e370fa1026a5938542ec1c8cec8
SHA1 08a885be99d41b9172d6eb4a6be2060b58210f60
SHA256 db628b293b3be87537f0f91e3ba8b1304af0671f231edd6915a9c6f0b1cdecae
SHA512 af0b84c4b9adecd442f761f852c25c9208e50b170b6d18cb5f26d9d6c39b94edd080ed050546520855d5b8f1863c6aa9e24a2f964aa96f67af6da281ef04f582

memory/268-65-0x00000000023B0000-0x0000000002FFA000-memory.dmp

memory/1216-66-0x0000000004820000-0x000000000486F000-memory.dmp

memory/1216-67-0x0000000004160000-0x0000000004190000-memory.dmp

memory/548-68-0x0000000000400000-0x000000000042C000-memory.dmp

memory/548-69-0x00000000004010B8-mapping.dmp

memory/1072-72-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1072-73-0x0000000000401364-mapping.dmp

memory/1072-74-0x0000000000450000-0x00000000005A3000-memory.dmp

memory/840-77-0x0000000000000000-mapping.dmp