Overview

overview

10

Static

static

1

RFQ- SPECI...b).exe

windows7_x64

10

RFQ- SPECI...b).exe

windows10-2004_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    10-02-2022 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ- SPECIFI-PE0008234.pdf(89kb).exe

  • Size

    391KB

  • MD5

    764b623961a0d9575de514979d3173ba

  • SHA1

    6803599f25f3a13860d26b106df36ded15fb7aac

  • SHA256

    40dbb91cfe13864e0e650527e0b28bd288533adc1a82ebb1b96c99b2c32c78ff

  • SHA512

    d5f6357ebae30bbfdb8f9a6b2dc83168dcc776ca718a4b4dcac0cd3dc040cdab70d1f65944351a691b8a43a3f5f5be2385e9c74bfa869e9a9c5133554a45a02c

Score
10/10
xpertratcollectionevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ- SPECIFI-PE0008234.pdf(89kb).exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ- SPECIFI-PE0008234.pdf(89kb).exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Users\Admin\AppData\Local\Temp\qrnav.exe
      C:\Users\Admin\AppData\Local\Temp\qrnav.exe C:\Users\Admin\AppData\Local\Temp\istpwlimw
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Users\Admin\AppData\Local\Temp\qrnav.exe
        C:\Users\Admin\AppData\Local\Temp\qrnav.exe C:\Users\Admin\AppData\Local\Temp\istpwlimw
        3⤵
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1484
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\istpwlimw
          4⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1036
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\F7K2D8U6-D3B1-M1Q8-R8B7-O1L2F5R6X0G4\zupwxadxr0.txt"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:660
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\F7K2D8U6-D3B1-M1Q8-R8B7-O1L2F5R6X0G4\zupwxadxr1.txt"
            5⤵
            • Accesses Microsoft Outlook accounts
            PID:984
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\F7K2D8U6-D3B1-M1Q8-R8B7-O1L2F5R6X0G4\zupwxadxr2.txt"
            5⤵
              PID:1304
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\F7K2D8U6-D3B1-M1Q8-R8B7-O1L2F5R6X0G4\zupwxadxr3.txt"
              5⤵
                PID:1200
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\F7K2D8U6-D3B1-M1Q8-R8B7-O1L2F5R6X0G4\zupwxadxr3.txt"
                5⤵
                  PID:2020
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\F7K2D8U6-D3B1-M1Q8-R8B7-O1L2F5R6X0G4\zupwxadxr4.txt"
                  5⤵
                    PID:964

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          2
          T1060

          Privilege Escalation

          Bypass User Account Control

          1
          T1088

          Defense Evasion

          Bypass User Account Control

          1
          T1088

          Disabling Security Tools

          3
          T1089

          Modify Registry

          6
          T1112

          Credential Access

          Discovery

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Email Collection

          1
          T1114

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\7hyxnjgmd47ntelzwgwt
            MD5

            9c67aeafb0c99d237180052621fca431

            SHA1

            ef3306578842315c89228ea50b1ce93843d988cc

            SHA256

            04e0cbf6d8e4d45062207e26d4ba383f2e25ee9aac7ce2cd416bc6274ca98181

            SHA512

            d8acdbb34bd3a8a985aa72fa15850513ce06eac7ff87460879ce8bdf2715c5353a8beb19b1d1cda3696f8004a6de9d771c720f36fcc18ef138a07b3cd94e306b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\istpwlimw
            MD5

            99aeb88137ea58f82f338ef2d7623c5a

            SHA1

            3fda4c82acd5aa5e448c9544898176965626ae44

            SHA256

            1dbc0c5945eab29589db828466a108703dc0b1cfe7b67840805bfe82c9f88116

            SHA512

            e6da08c096493e568b336df2fe29e4ccc802cca059e28501271220a811f0faf6f779b77a3179575d6e6064bfaca06da6f046710f441add562fea5914b6305984

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\qrnav.exe
            MD5

            a868c7d72d05fc4c2d68d04fd0894386

            SHA1

            cae4b6b8bb478d0824fa397e94446a2f22f75be6

            SHA256

            6bec69cee8704cfd41fc7363b307dbb9b76eff54cc7b782c7cb7fe60fa2a491a

            SHA512

            a53bbceb86bf6bc2cef08df4045e0e6d42405d8fd163e071a9576bd15d088017af30d316bbbd1c8a03f0796967d91851825378fa15ccc6afb51d73c177db2e08

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\qrnav.exe
            MD5

            a868c7d72d05fc4c2d68d04fd0894386

            SHA1

            cae4b6b8bb478d0824fa397e94446a2f22f75be6

            SHA256

            6bec69cee8704cfd41fc7363b307dbb9b76eff54cc7b782c7cb7fe60fa2a491a

            SHA512

            a53bbceb86bf6bc2cef08df4045e0e6d42405d8fd163e071a9576bd15d088017af30d316bbbd1c8a03f0796967d91851825378fa15ccc6afb51d73c177db2e08

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\qrnav.exe
            MD5

            a868c7d72d05fc4c2d68d04fd0894386

            SHA1

            cae4b6b8bb478d0824fa397e94446a2f22f75be6

            SHA256

            6bec69cee8704cfd41fc7363b307dbb9b76eff54cc7b782c7cb7fe60fa2a491a

            SHA512

            a53bbceb86bf6bc2cef08df4045e0e6d42405d8fd163e071a9576bd15d088017af30d316bbbd1c8a03f0796967d91851825378fa15ccc6afb51d73c177db2e08

            Download Submit
          • C:\Users\Admin\AppData\Roaming\F7K2D8U6-D3B1-M1Q8-R8B7-O1L2F5R6X0G4\zupwxadxr2.txt
            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit
          • C:\Users\Admin\AppData\Roaming\F7K2D8U6-D3B1-M1Q8-R8B7-O1L2F5R6X0G4\zupwxadxr4.txt
            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit
          • \Users\Admin\AppData\Local\Temp\qrnav.exe
            MD5

            a868c7d72d05fc4c2d68d04fd0894386

            SHA1

            cae4b6b8bb478d0824fa397e94446a2f22f75be6

            SHA256

            6bec69cee8704cfd41fc7363b307dbb9b76eff54cc7b782c7cb7fe60fa2a491a

            SHA512

            a53bbceb86bf6bc2cef08df4045e0e6d42405d8fd163e071a9576bd15d088017af30d316bbbd1c8a03f0796967d91851825378fa15ccc6afb51d73c177db2e08

            Download Submit
          • \Users\Admin\AppData\Local\Temp\qrnav.exe
            MD5

            a868c7d72d05fc4c2d68d04fd0894386

            SHA1

            cae4b6b8bb478d0824fa397e94446a2f22f75be6

            SHA256

            6bec69cee8704cfd41fc7363b307dbb9b76eff54cc7b782c7cb7fe60fa2a491a

            SHA512

            a53bbceb86bf6bc2cef08df4045e0e6d42405d8fd163e071a9576bd15d088017af30d316bbbd1c8a03f0796967d91851825378fa15ccc6afb51d73c177db2e08

            Download Submit
          • memory/828-55-0x0000000076071000-0x0000000076073000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1484-63-0x0000000000400000-0x000000000042C000-memory.dmp
            Filesize

            176KB

            Download
          • memory/1484-67-0x0000000000400000-0x000000000042C000-memory.dmp
            Filesize

            176KB

            Download