Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    23-11-2021 07:08

General

  • Target

    RFQ#00439811.exe

  • Size

    452KB

  • MD5

    ebd23085bae2a8453314f15e526ecc50

  • SHA1

    085915cc9d5fae22d24e9451228f305ab8345d44

  • SHA256

    21553a3434749569bbb6dbf77da2d47a16828a09fdbbb93108b9cf314fb42add

  • SHA512

    71409206d41f208c1df82d84cc5a039d845ec5a3bd5048c2b99b558d3b0ba450a6f6b439629629804b989700b25acd5140bd9a76a9b934c377026c8171992353

Malware Config

Signatures

  • UAC bypass (3 TTPs)
  • Windows security bypass (2 TTPs)
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • Looks for VirtualBox Guest Additions in registry (2 TTPs)
  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Looks for VMWare Tools registry key (2 TTPs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification (2 TTPs, 1 IoC)
  • Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Program crash (4 IoCs)
  • Suspicious use of SetThreadContext (11 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ#00439811.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ#00439811.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\RFQ#00439811.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ#00439811.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3264
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\RFQ#00439811.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg0.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1564
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg1.txt"
          4⤵
          PID:1092
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 96
            5⤵
            • Program crash
            PID:368
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg1.txt"
          4⤵
          PID:668
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 92
            5⤵
            • Program crash
            PID:1188
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg1.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:2860
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg2.txt"
          4⤵
          PID:3972
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 92
            5⤵
            • Program crash
            PID:3600
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg2.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:880
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg3.txt"
          4⤵
          PID:1700
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 92
            5⤵
            • Program crash
            PID:4008
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg3.txt"
          4⤵
          PID:1924
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg4.txt"
          4⤵
          PID:2156

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Registry Run Keys / Startup Folder (2) T1060
  • Privilege Escalation
    • Bypass User Account Control (1) T1088
  • Defense Evasion
    • Bypass User Account Control (1) T1088
    • Disabling Security Tools (3) T1089
    • Modify Registry (6) T1112
    • Virtualization/Sandbox Evasion (2) T1497
  • Discovery
    • Query Registry (4) T1012
    • Virtualization/Sandbox Evasion (2) T1497
    • System Information Discovery (3) T1082
    • Peripheral Device Discovery (1) T1120
  • Collection
    • Email Collection (1) T1114


Downloads

  • C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg2.txt
    MD5
    f94dc819ca773f1e3cb27abbc9e7fa27
    SHA1
    9a7700efadc5ea09ab288544ef1e3cd876255086
    SHA256
    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
    SHA512
    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • C:\Users\Admin\AppData\Roaming\R0W4O1A8-P5N3-X331-D1M0-A2W4Q6D8C2R6\beulpuhyg4.txt
    MD5
    f3b25701fe362ec84616a93a45ce9998
    SHA1
    d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256
    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512
    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/668-133-0x0000000000411654-mapping.dmp
  • memory/880-136-0x0000000000442F04-mapping.dmp
  • memory/1092-132-0x0000000000411654-mapping.dmp
  • memory/1564-131-0x0000000000423BC0-mapping.dmp
  • memory/1700-138-0x0000000000413750-mapping.dmp
  • memory/1924-139-0x0000000000413750-mapping.dmp
  • memory/2156-140-0x000000000040C2A8-mapping.dmp
  • memory/2808-120-0x0000000005170000-0x0000000005171000-memory.dmp
    Filesize
    4KB
  • memory/2808-124-0x0000000007240000-0x0000000007241000-memory.dmp
    Filesize
    4KB
  • memory/2808-123-0x0000000007070000-0x00000000070CB000-memory.dmp
    Filesize
    364KB
  • memory/2808-122-0x0000000006FD0000-0x0000000006FD1000-memory.dmp
    Filesize
    4KB
  • memory/2808-121-0x0000000006C50000-0x0000000006C54000-memory.dmp
    Filesize
    16KB
  • memory/2808-115-0x00000000003A0000-0x00000000003A1000-memory.dmp
    Filesize
    4KB
  • memory/2808-119-0x0000000004BC0000-0x0000000004C52000-memory.dmp
    Filesize
    584KB
  • memory/2808-118-0x0000000004C90000-0x0000000004C91000-memory.dmp
    Filesize
    4KB
  • memory/2808-117-0x0000000005190000-0x0000000005191000-memory.dmp
    Filesize
    4KB
  • memory/2860-134-0x0000000000411654-mapping.dmp
  • memory/2876-129-0x0000000000401364-mapping.dmp
  • memory/3264-130-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize
    176KB
  • memory/3264-128-0x0000000000BE0000-0x0000000000BEA000-memory.dmp
    Filesize
    40KB
  • memory/3264-127-0x0000000000BE0000-0x0000000000BE6000-memory.dmp
    Filesize
    24KB
  • memory/3264-126-0x00000000004010B8-mapping.dmp
  • memory/3264-125-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize
    176KB
  • memory/3972-135-0x0000000000442F04-mapping.dmp