Overview

overview

10

Static

static

7560b03d97...25.exe

windows7_x64

1

7560b03d97...25.exe

windows10_x64

10

Analysis

  • max time kernel
    67s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    15-10-2021 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7560b03d9721036181565287e85d9525.exe

  • Size

    1.1MB

  • MD5

    7560b03d9721036181565287e85d9525

  • SHA1

    447c0d915c9236b5f3221bfbe05e5b57785d3142

  • SHA256

    f2926aaea4603961e15c9ac92eb599ddd51bd6e19bd7fded285a1db16753db87

  • SHA512

    fb38977856b6d4702b1793916c90b0b595dc8881457d6a2a98ba488f80e444314a5e1cdaa0f6a741e6c12b129195fd04f499d84a4cca32386c64fe58ccdfe583

Score
10/10
xpertratcollectionevasionpersistencerattrojan

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • Nirsoft 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 6 IoCs
  • Suspicious use of SetThreadContext 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7560b03d9721036181565287e85d9525.exe
    "C:\Users\Admin\AppData\Local\Temp\7560b03d9721036181565287e85d9525.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\7560b03d9721036181565287e85d9525.exe
      C:\Users\Admin\AppData\Local\Temp\7560b03d9721036181565287e85d9525.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3404
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\7560b03d9721036181565287e85d9525.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3652
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
          • Deletes itself
          PID:944
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu0.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1788
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu1.txt"
          4⤵
            PID:2964
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 24
              5⤵
              • Program crash
              PID:1976
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 36
              5⤵
              • Suspicious use of NtCreateProcessExOtherParentProcess
              • Program crash
              PID:744
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu1.txt"
            4⤵
            • Accesses Microsoft Outlook accounts
            PID:1144
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu2.txt"
            4⤵
              PID:740
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 92
                5⤵
                • Program crash
                PID:1476
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu2.txt"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1768
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu3.txt"
              4⤵
                PID:1088
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 92
                  5⤵
                  • Program crash
                  PID:1580
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu3.txt"
                4⤵
                  PID:1188
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 92
                    5⤵
                    • Program crash
                    PID:1512
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu3.txt"
                  4⤵
                    PID:3492
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 92
                      5⤵
                      • Program crash
                      PID:1408
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu3.txt"
                    4⤵
                      PID:2316
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu4.txt"
                      4⤵
                        PID:2008

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Registry Run Keys / Startup Folder

                2
                T1060

                Privilege Escalation

                Bypass User Account Control

                1
                T1088

                Defense Evasion

                Bypass User Account Control

                1
                T1088

                Disabling Security Tools

                3
                T1089

                Modify Registry

                6
                T1112

                Credential Access

                Discovery

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Email Collection

                1
                T1114

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu2.txt
                  MD5

                  f94dc819ca773f1e3cb27abbc9e7fa27

                  SHA1

                  9a7700efadc5ea09ab288544ef1e3cd876255086

                  SHA256

                  a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

                  SHA512

                  72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\reuefkbwu4.txt
                  MD5

                  f3b25701fe362ec84616a93a45ce9998

                  SHA1

                  d62636d8caec13f04e28442a0a6fa1afeb024bbb

                  SHA256

                  b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                  SHA512

                  98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                  Download Submit
                • memory/740-130-0x0000000000442F04-mapping.dmp
                  Download
                • memory/944-125-0x0000000000000000-mapping.dmp
                  Download
                • memory/1088-133-0x0000000000413750-mapping.dmp
                  Download
                • memory/1144-129-0x0000000000411654-mapping.dmp
                  Download
                • memory/1188-134-0x0000000000413750-mapping.dmp
                  Download
                • memory/1768-131-0x0000000000442F04-mapping.dmp
                  Download
                • memory/1788-127-0x0000000000423BC0-mapping.dmp
                  Download
                • memory/2008-137-0x000000000040C2A8-mapping.dmp
                  Download
                • memory/2132-115-0x0000000000760000-0x0000000000761000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2132-119-0x0000000005060000-0x0000000005090000-memory.dmp
                  Filesize

                  192KB

                  Download
                • memory/2132-118-0x00000000052D0000-0x00000000052D1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2132-117-0x0000000005140000-0x0000000005251000-memory.dmp
                  Filesize

                  1.1MB

                  Download
                • memory/2316-136-0x0000000000413750-mapping.dmp
                  Download
                • memory/2964-128-0x0000000000411654-mapping.dmp
                  Download
                • memory/3404-121-0x00000000004010B8-mapping.dmp
                  Download
                • memory/3404-126-0x0000000000400000-0x000000000042C000-memory.dmp
                  Filesize

                  176KB

                  Download
                • memory/3404-123-0x0000000001500000-0x000000000150A000-memory.dmp
                  Filesize

                  40KB

                  Download
                • memory/3404-122-0x0000000001500000-0x0000000001506000-memory.dmp
                  Filesize

                  24KB

                  Download
                • memory/3404-120-0x0000000000400000-0x000000000042C000-memory.dmp
                  Filesize

                  176KB

                  Download
                • memory/3492-135-0x0000000000413750-mapping.dmp
                  Download
                • memory/3652-124-0x0000000000401364-mapping.dmp
                  Download