Overview

overview

10

Static

static

6aa342f22e...80.exe

windows7_x64

10

6aa342f22e...80.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    29-03-2022 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6aa342f22e938855a4158aaf5e5290227cfc8ec244f12a4087d6235bcd4e0c80.exe

  • Size

    484KB

  • MD5

    8e00098b2140e8b6a58a18350e45112c

  • SHA1

    c91661bc6067bd0a7b0d9ab7765f7728069deb62

  • SHA256

    6aa342f22e938855a4158aaf5e5290227cfc8ec244f12a4087d6235bcd4e0c80

  • SHA512

    1136b1a7004f64c4862d4eb77422dbf8d388f02a490633a1a894b1350b56c474b95cb7addc42beb4a2d74abf9c868145a925bf40e713f592a2f4ee2120080e4b

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aa342f22e938855a4158aaf5e5290227cfc8ec244f12a4087d6235bcd4e0c80.exe
    "C:\Users\Admin\AppData\Local\Temp\6aa342f22e938855a4158aaf5e5290227cfc8ec244f12a4087d6235bcd4e0c80.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Local\Temp\6aa342f22e938855a4158aaf5e5290227cfc8ec244f12a4087d6235bcd4e0c80.exe
      "{path}"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2884
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\6aa342f22e938855a4158aaf5e5290227cfc8ec244f12a4087d6235bcd4e0c80.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
            PID:368

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/368-145-0x0000000000000000-mapping.dmp

      Download

    • memory/2884-139-0x0000000000000000-mapping.dmp

      Download

    • memory/2884-140-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2884-142-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/3628-133-0x0000000000BD0000-0x0000000000C4C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/3628-134-0x0000000005B10000-0x00000000060B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3628-135-0x0000000005600000-0x0000000005692000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3628-136-0x00000000057A0000-0x00000000057AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3628-137-0x0000000007F60000-0x000000000848C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3628-138-0x00000000087C0000-0x000000000885C000-memory.dmp

      Filesize

      624KB

      Download