Overview

overview

10

Static

static

EXCEL.exe

windows7_x64

10

EXCEL.exe

windows10_x64

10

Resubmissions

30-09-2021 08:52

210930-ks4xqahbdl 10

30-09-2021 08:44

210930-km65wshac3 10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    30-09-2021 08:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EXCEL.exe

  • Size

    503KB

  • MD5

    cb12b24b0f69225693168e9c35761a1b

  • SHA1

    0f68f676d76e3546d7d625cdb14f0947c59beff5

  • SHA256

    c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

  • SHA512

    9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

Score
10/10
xpertrattestevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
    "C:\Users\Admin\AppData\Local\Temp\EXCEL.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3956
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1496
    • C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
      C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3756
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
          • Deletes itself
          PID:672

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1712dab0a1bf4e9e3ff666b9c431550d

    SHA1

    34d1dec8fa95f62c72cb3f92a22c13ad9eece10f

    SHA256

    7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97

    SHA512

    6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    1c33ff599b382b705675229c91fc2f99

    SHA1

    c20086746c14c5d57be9a3df47bd75fa77abe7e0

    SHA256

    d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a

    SHA512

    5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    a7506cea827185b95f9226a4fccd5995

    SHA1

    3809a3faf71e262625f13356f00ad4c698ffc356

    SHA256

    2a37c39a0af22d9d6d9eab1d94ff747d30664a9a65b8c5e3b30ff34ad898aca1

    SHA512

    f8b1ff013154068ba9f6816a7d215b01eb78adc29e71021a1566309d4b9c8c874bcc0643c224332173d7e7a8d902d000feb894ac8dab79b0499cb9a8d295662f

    Download Submit

  • memory/532-702-0x0000000002C70000-0x0000000002CA0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/532-116-0x0000000005380000-0x0000000005381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/532-701-0x00000000011A0000-0x00000000011EF000-memory.dmp

    Filesize

    316KB

    Download

  • memory/532-114-0x00000000008F0000-0x00000000008F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/672-719-0x0000000000000000-mapping.dmp

    Download

  • memory/1496-686-0x00000000072B2000-0x00000000072B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1496-677-0x0000000000000000-mapping.dmp

    Download

  • memory/1496-685-0x00000000072B0000-0x00000000072B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1496-709-0x00000000072B3000-0x00000000072B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3340-712-0x0000000000401364-mapping.dmp

    Download

  • memory/3340-711-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

    Download

  • memory/3340-715-0x0000000002D70000-0x0000000002EC3000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3340-716-0x0000000002D71000-0x0000000002E6D000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/3756-703-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3756-704-0x00000000004010B8-mapping.dmp

    Download

  • memory/3756-705-0x00000000015A0000-0x00000000016F3000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3756-706-0x00000000015A1000-0x000000000169D000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/3756-710-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3956-128-0x00000000073B0000-0x00000000073B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-138-0x0000000008BE0000-0x0000000008C13000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3956-469-0x00000000026D0000-0x00000000026D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-552-0x0000000002700000-0x0000000002701000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-570-0x0000000000310000-0x0000000000311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-571-0x00000000064E6000-0x00000000064E8000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3956-382-0x000000000A050000-0x000000000A051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-381-0x000000000A6D0000-0x000000000A6D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-153-0x0000000008EF0000-0x0000000008EF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-151-0x000000007EF70000-0x000000007EF71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-152-0x00000000064E3000-0x00000000064E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-150-0x0000000008D30000-0x0000000008D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-145-0x0000000008BC0000-0x0000000008BC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-393-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-130-0x0000000007C60000-0x0000000007C61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-129-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-127-0x0000000007540000-0x0000000007541000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-126-0x00000000074D0000-0x00000000074D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-125-0x0000000007280000-0x0000000007281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-124-0x0000000006A90000-0x0000000006A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-123-0x00000000064E2000-0x00000000064E3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-122-0x0000000006B60000-0x0000000006B61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-121-0x00000000064E0000-0x00000000064E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-120-0x00000000064F0000-0x00000000064F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3956-117-0x0000000000000000-mapping.dmp

    Download