Analysis

  • max time kernel
    121s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    03-12-2021 07:01

General

  • Target

    CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe

  • Size

    3.0MB

  • MD5

    22ad4f47ce82a255765f2e96b61d78c8

  • SHA1

    c260d25d8e49d342d86a3231ff112b9707dc8d8a

  • SHA256

    cec4e2234a72035a6c3f4144cccf9ec49f34f56a2a212981606f979be1b85adf

  • SHA512

    6eca6d26d8809415c410ca2343adc221dca9c996de4f81fd3765dc53605eb4793b0c655deed31b011382352a7b69370df4eeb239fbcdc474e1d4c876db1328a3

Malware Config

Signatures

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Windows security modification 2 TTPs 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      PID:1620
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:856
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj0.txt"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj1.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:1780
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj2.txt"
          4⤵
          PID:308
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj3.txt"
          4⤵
          PID:1740
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj4.txt"
          4⤵
          PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 2
  • Privilege Escalation
    Bypass User Account Control (T1088): 1
  • Defense Evasion
    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 3
    Modify Registry (T1112): 6
  • Discovery
    System Information Discovery (T1082): 1
  • Collection
    Email Collection (T1114): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj2.txt
    MD5
    f3b25701fe362ec84616a93a45ce9998
    SHA1
    d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256
    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512
    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
  • C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj4.txt
    MD5
    f3b25701fe362ec84616a93a45ce9998
    SHA1
    d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256
    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512
    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
  • memory/308-72-0x0000000000442F04-mapping.dmp
  • memory/856-61-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize
    176KB
  • memory/856-67-0x0000000000160000-0x0000000000166000-memory.dmp
    Filesize
    24KB
  • memory/856-68-0x0000000000160000-0x000000000016A000-memory.dmp
    Filesize
    40KB
  • memory/856-62-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize
    176KB
  • memory/856-64-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize
    176KB
  • memory/856-63-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize
    176KB
  • memory/856-65-0x00000000004010B8-mapping.dmp
  • memory/964-69-0x0000000000401364-mapping.dmp
  • memory/1332-55-0x00000000000E0000-0x00000000000E1000-memory.dmp
    Filesize
    4KB
  • memory/1332-60-0x00000000094D0000-0x0000000009688000-memory.dmp
    Filesize
    1.7MB
  • memory/1332-59-0x00000000051C5000-0x00000000051D6000-memory.dmp
    Filesize
    68KB
  • memory/1332-58-0x00000000051C0000-0x00000000051C1000-memory.dmp
    Filesize
    4KB
  • memory/1332-57-0x00000000757A1000-0x00000000757A3000-memory.dmp
    Filesize
    8KB
  • memory/1732-75-0x000000000040C2A8-mapping.dmp
  • memory/1740-74-0x0000000000413750-mapping.dmp
  • memory/1780-71-0x0000000000411654-mapping.dmp
  • memory/1964-70-0x0000000000423BC0-mapping.dmp