Overview

overview

10

Static

static

Expo_REQUE...B).exe

windows7_x64

10

Expo_REQUE...B).exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09-12-2021 10:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Expo_REQUEST FOR QUOTATION 2021-0912.PDF(79KB).exe

  • Size

    1.1MB

  • MD5

    1bad21957abf5597d295ed971faf1ffc

  • SHA1

    a72a8de5dcdcf6d7b71e932c482cfa69d81ff28d

  • SHA256

    97ccd53d7d9abd378152b48894064f0c226d40a40a19f9ca485bbf5c062d02ca

  • SHA512

    3101c0680c088575e1bf0835b2d2ad3d545cfb20360e163f3d81af02edc73ea72d3e24e30cb91aadb3db9d05267d21245ab2c8a21686e64ed9321ee4e09682a9

Score
10/10
xpertratcollectionevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Expo_REQUEST FOR QUOTATION 2021-0912.PDF(79KB).exe
    "C:\Users\Admin\AppData\Local\Temp\Expo_REQUEST FOR QUOTATION 2021-0912.PDF(79KB).exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Users\Admin\AppData\Local\Temp\Expo_REQUEST FOR QUOTATION 2021-0912.PDF(79KB).exe
      "C:\Users\Admin\AppData\Local\Temp\Expo_REQUEST FOR QUOTATION 2021-0912.PDF(79KB).exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1124
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\Expo_REQUEST FOR QUOTATION 2021-0912.PDF(79KB).exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\A1F5W2I0-X6V4-A4D3-L3U1-J445Y8L0L337\uujdbmzqb0.txt"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:296
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\A1F5W2I0-X6V4-A4D3-L3U1-J445Y8L0L337\uujdbmzqb1.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:1092
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\A1F5W2I0-X6V4-A4D3-L3U1-J445Y8L0L337\uujdbmzqb2.txt"
          4⤵
            PID:1084
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\A1F5W2I0-X6V4-A4D3-L3U1-J445Y8L0L337\uujdbmzqb3.txt"
            4⤵
              PID:1372
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\A1F5W2I0-X6V4-A4D3-L3U1-J445Y8L0L337\uujdbmzqb4.txt"
              4⤵
                PID:1940

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\A1F5W2I0-X6V4-A4D3-L3U1-J445Y8L0L337\uujdbmzqb2.txt
          MD5

          f3b25701fe362ec84616a93a45ce9998

          SHA1

          d62636d8caec13f04e28442a0a6fa1afeb024bbb

          SHA256

          b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

          SHA512

          98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

          Download Submit
        • C:\Users\Admin\AppData\Roaming\A1F5W2I0-X6V4-A4D3-L3U1-J445Y8L0L337\uujdbmzqb4.txt
          MD5

          f3b25701fe362ec84616a93a45ce9998

          SHA1

          d62636d8caec13f04e28442a0a6fa1afeb024bbb

          SHA256

          b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

          SHA512

          98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

          Download Submit
        • memory/296-68-0x0000000000423BC0-mapping.dmp
          Download
        • memory/364-67-0x0000000000401364-mapping.dmp
          Download
        • memory/944-56-0x0000000076911000-0x0000000076913000-memory.dmp
          Filesize

          8KB

          Download
        • memory/944-57-0x0000000004D70000-0x0000000004D71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/944-58-0x0000000000540000-0x0000000000547000-memory.dmp
          Filesize

          28KB

          Download
        • memory/944-59-0x00000000080E0000-0x00000000081F9000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/944-54-0x0000000000E60000-0x0000000000E61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1084-70-0x0000000000442F04-mapping.dmp
          Download
        • memory/1092-69-0x0000000000411654-mapping.dmp
          Download
        • memory/1124-60-0x0000000000400000-0x000000000042C000-memory.dmp
          Filesize

          176KB

          Download
        • memory/1124-66-0x0000000000100000-0x000000000010A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/1124-65-0x0000000000100000-0x0000000000106000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1124-63-0x0000000000400000-0x000000000042C000-memory.dmp
          Filesize

          176KB

          Download
        • memory/1124-64-0x00000000004010B8-mapping.dmp
          Download
        • memory/1124-62-0x0000000000400000-0x000000000042C000-memory.dmp
          Filesize

          176KB

          Download
        • memory/1124-61-0x0000000000400000-0x000000000042C000-memory.dmp
          Filesize

          176KB

          Download
        • memory/1372-72-0x0000000000413750-mapping.dmp
          Download
        • memory/1940-73-0x000000000040C2A8-mapping.dmp
          Download