Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    30-09-2021 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe

  • Size

    503KB

  • MD5

    cb12b24b0f69225693168e9c35761a1b

  • SHA1

    0f68f676d76e3546d7d625cdb14f0947c59beff5

  • SHA256

    c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

  • SHA512

    9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

Score
10/10
xpertrattestevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
    "C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3104
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1628
    • C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
      C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1360
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
          • Deletes itself
          PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1712dab0a1bf4e9e3ff666b9c431550d

    SHA1

    34d1dec8fa95f62c72cb3f92a22c13ad9eece10f

    SHA256

    7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97

    SHA512

    6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    1c33ff599b382b705675229c91fc2f99

    SHA1

    c20086746c14c5d57be9a3df47bd75fa77abe7e0

    SHA256

    d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a

    SHA512

    5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    9d84bdc9aebbc477f64263748d591608

    SHA1

    eb65b304ce5ceaea4876d828b082017d6d28d9cb

    SHA256

    459e930dfd5cbc1b9e57f20d2ff1dfdf2d31bc25d9998c0ac550eabaf7ea40e8

    SHA512

    e84cc9c73143897b18cae93eb918a7df6c2f133d972e5d302d1b4f65700e8568d0416abfb19c58b19932f40eba141b4e4fc1aa46d7a2c95b9283314a35c8913d

    Download Submit
  • memory/1360-715-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1360-704-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1360-705-0x00000000004010B8-mapping.dmp
    Download
  • memory/1524-717-0x0000000000000000-mapping.dmp
    Download
  • memory/1628-691-0x0000000004432000-0x0000000004433000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1628-677-0x0000000000000000-mapping.dmp
    Download
  • memory/1628-690-0x0000000004430000-0x0000000004431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1628-702-0x0000000004433000-0x0000000004434000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1720-713-0x0000000003101000-0x00000000031FD000-memory.dmp
    Filesize

    1008KB

    Download
  • memory/1720-708-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize

    268KB

    Download
  • memory/1720-709-0x0000000000401364-mapping.dmp
    Download
  • memory/1720-712-0x0000000003100000-0x0000000003253000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3104-393-0x0000000002D30000-0x0000000002D31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-129-0x00000000083B0000-0x00000000083B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-151-0x00000000096E0000-0x00000000096E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-152-0x0000000006E43000-0x0000000006E44000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-153-0x0000000009900000-0x0000000009901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-381-0x000000000B200000-0x000000000B201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-382-0x000000000AB80000-0x000000000AB81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-116-0x0000000000000000-mapping.dmp
    Download
  • memory/3104-469-0x0000000002DC0000-0x0000000002DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-552-0x0000000002DF0000-0x0000000002DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-570-0x0000000006E46000-0x0000000006E48000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3104-571-0x0000000002D90000-0x0000000002D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-139-0x000000007F220000-0x000000007F221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-138-0x00000000095B0000-0x00000000095E3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3104-130-0x00000000085A0000-0x00000000085A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-146-0x0000000009570000-0x0000000009571000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-128-0x0000000007EE0000-0x0000000007EE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-127-0x0000000007F60000-0x0000000007F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-119-0x0000000006D20000-0x0000000006D21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-126-0x0000000007E70000-0x0000000007E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-120-0x0000000007480000-0x0000000007481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-125-0x0000000007E00000-0x0000000007E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-124-0x0000000007440000-0x0000000007441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-123-0x0000000006E42000-0x0000000006E43000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3104-122-0x0000000006E40000-0x0000000006E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3728-121-0x0000000004E80000-0x0000000004E81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3728-703-0x0000000004C30000-0x0000000004C60000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3728-701-0x0000000000C60000-0x0000000000CAF000-memory.dmp
    Filesize

    316KB

    Download
  • memory/3728-114-0x0000000000430000-0x0000000000431000-memory.dmp
    Filesize

    4KB

    Download