Overview

overview

10

Static

static

04162b1bcb...b0.exe

windows7_x64

3

04162b1bcb...b0.exe

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-10-2021 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04162b1bcb2ebb326fc52801821e42b0.exe

  • Size

    12KB

  • MD5

    04162b1bcb2ebb326fc52801821e42b0

  • SHA1

    2443aac454b8299bdfea13017cc2339d605dacea

  • SHA256

    259dbea8ad36ca1f502f7eba9257bf7111313f4ef76c34922cd34dd5808b5181

  • SHA512

    701f55f4da2fddcf42ee9c0be5539a4f4e617b8a837ed88647295b1f98cf407ae52df19557c8202c303714301c6cccefd0acad49da4c138aa2d140c1d41e6973

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\04162b1bcb2ebb326fc52801821e42b0.exe
    "C:\Users\Admin\AppData\Local\Temp\04162b1bcb2ebb326fc52801821e42b0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Users\Admin\AppData\Local\Temp\04162b1bcb2ebb326fc52801821e42b0.exe
      C:\Users\Admin\AppData\Local\Temp\04162b1bcb2ebb326fc52801821e42b0.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3996
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\04162b1bcb2ebb326fc52801821e42b0.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
          • Deletes itself
          PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/776-114-0x00000000007B0000-0x00000000007B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-116-0x00000000052C0000-0x00000000052C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-117-0x0000000005ED0000-0x0000000005F6F000-memory.dmp
    Filesize

    636KB

    Download
  • memory/776-118-0x00000000061E0000-0x0000000006210000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2292-125-0x0000000000000000-mapping.dmp
    Download
  • memory/2308-124-0x0000000000401364-mapping.dmp
    Download
  • memory/3996-119-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/3996-120-0x00000000004010B8-mapping.dmp
    Download
  • memory/3996-121-0x0000000002990000-0x0000000002996000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3996-122-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/3996-123-0x0000000002990000-0x000000000299A000-memory.dmp
    Filesize

    40KB

    Download