xpertrat | 519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5

General

Target

519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
Size

349KB
MD5

cfc7eec10a72d743ba86e1f9f661629e
SHA1

719d433f928ccfa0b5c554587fd17e1a70485fd4
SHA256

519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5
SHA512

da49b741bb37c93e277cec3bb3d1afbefdb553b6c56b8cce96b466e6967a51b7ea4472f4a270d32cb36c7ed7d6c0feebb4356e0bc1325addacc9ec595c8369bc

Score

10^/10

xpertrat evasion persistence rat trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\T4Y8Q5C3-R0I7-T7W6-M224-N7U6O4W0K7K6 = "C:\\Users\\Admin\\AppData\\Roaming\\T4Y8Q5C3-R0I7-T7W6-M224-N7U6O4W0K7K6\\T4Y8Q5C3-R0I7-T7W6-M224-N7U6O4W0K7K6.exe"	iexplore.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\T4Y8Q5C3-R0I7-T7W6-M224-N7U6O4W0K7K6 = "C:\\Users\\Admin\\AppData\\Roaming\\T4Y8Q5C3-R0I7-T7W6-M224-N7U6O4W0K7K6\\T4Y8Q5C3-R0I7-T7W6-M224-N7U6O4W0K7K6.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T4Y8Q5C3-R0I7-T7W6-M224-N7U6O4W0K7K6 = "C:\\Users\\Admin\\AppData\\Roaming\\T4Y8Q5C3-R0I7-T7W6-M224-N7U6O4W0K7K6\\T4Y8Q5C3-R0I7-T7W6-M224-N7U6O4W0K7K6.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe

description	pid	process	target process
PID 1236 set thread context of 1468	1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
PID 1468 set thread context of 1928	1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe

pid	process
1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
Token: SeDebugPrivilege	1928	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exeiexplore.exe

pid process

1468 519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1928 iexplore.exe

pid	process
1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
1928	iexplore.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe

description	pid	process	target process
PID 1236 wrote to memory of 1468	1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
PID 1236 wrote to memory of 1468	1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
PID 1236 wrote to memory of 1468	1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
PID 1236 wrote to memory of 1468	1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
PID 1236 wrote to memory of 1468	1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
PID 1236 wrote to memory of 1468	1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
PID 1236 wrote to memory of 1468	1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
PID 1236 wrote to memory of 1468	1236	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
PID 1468 wrote to memory of 1928	1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	iexplore.exe
PID 1468 wrote to memory of 1928	1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	iexplore.exe
PID 1468 wrote to memory of 1928	1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	iexplore.exe
PID 1468 wrote to memory of 1928	1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	iexplore.exe
PID 1468 wrote to memory of 1928	1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	iexplore.exe
PID 1468 wrote to memory of 1928	1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	iexplore.exe
PID 1468 wrote to memory of 1928	1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	iexplore.exe
PID 1468 wrote to memory of 1928	1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	iexplore.exe
PID 1468 wrote to memory of 1928	1468	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe

C:\Users\Admin\AppData\Local\Temp\519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
"C:\Users\Admin\AppData\Local\Temp\519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
"C:\Users\Admin\AppData\Local\Temp\519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1468

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\519fc2007f744abcb7a7b2d6b255670ca232662182897d2312fcf1480879e7c5.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

6

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1236-54-0x00000000011F0000-0x000000000124E000-memory.dmp

Filesize
376KB

Download
memory/1236-55-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/1236-56-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1236-57-0x0000000000B70000-0x0000000000BCE000-memory.dmp

Filesize
376KB

Download
memory/1236-58-0x0000000005BB0000-0x0000000005BF4000-memory.dmp

Filesize
272KB

Download
memory/1236-59-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1236-60-0x0000000005C00000-0x0000000005C0C000-memory.dmp

Filesize
48KB

Download
memory/1236-61-0x0000000005C80000-0x0000000005C88000-memory.dmp

Filesize
32KB

Download
memory/1468-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1468-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1468-64-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1468-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1468-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads