Overview

overview

10

Static

static

CPINV_DEC_...df.exe

windows7_x64

10

CPINV_DEC_...df.exe

windows10_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    03-12-2021 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe

  • Size

    3.0MB

  • MD5

    22ad4f47ce82a255765f2e96b61d78c8

  • SHA1

    c260d25d8e49d342d86a3231ff112b9707dc8d8a

  • SHA256

    cec4e2234a72035a6c3f4144cccf9ec49f34f56a2a212981606f979be1b85adf

  • SHA512

    6eca6d26d8809415c410ca2343adc221dca9c996de4f81fd3765dc53605eb4793b0c655deed31b011382352a7b69370df4eeb239fbcdc474e1d4c876db1328a3

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Downloads MZ/PE file
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2084
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/416-127-0x0000000000401364-mapping.dmp
    Download
  • memory/2084-123-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/2084-128-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/2084-126-0x00000000012A0000-0x00000000012AA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2084-125-0x00000000012A0000-0x00000000012A6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2084-124-0x00000000004010B8-mapping.dmp
    Download
  • memory/3020-119-0x0000000005860000-0x0000000005D5E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3020-122-0x000000000A510000-0x000000000A6C8000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/3020-121-0x0000000005860000-0x0000000005D5E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3020-120-0x00000000058B0000-0x00000000058B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3020-115-0x0000000000D60000-0x0000000000D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3020-118-0x0000000005900000-0x0000000005901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3020-117-0x0000000005D60000-0x0000000005D61000-memory.dmp
    Filesize

    4KB

    Download