Analysis

  • max time kernel
    133s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    14-04-2022 12:44

General

  • Target

    SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe

  • Size

    667KB

  • MD5

    1ba1f5a8783628e45caad235c8f640cf

  • SHA1

    b41e98059945ddb010d3b50e5d0c83ecdde79716

  • SHA256

    3ec377ffc5814c66d3417104617bc3a048448ef400c360480efc036c425afb95

  • SHA512

    75c8de68fad66ec3bc8bc8c4887ee561c4e8e8af3e41021213bad8ea06947f379adca14bd3c2fb3ca17f4ac4a17f6bcf5a4cc630fe9979b40b2f0a60efc2b4a9

Malware Config

Signatures

  • UAC bypass (3 TTPs)
  • Windows security bypass (2 TTPs)
  • XpertRAT

    XpertRAT is a remote access trojan. In this run the sandbox attributes to it process injection into iexplore.exe (SetThreadContext/WriteProcessMemory), persistence via Run and policy Run keys, changes to Windows security and UAC-related policy settings, and access to Microsoft Outlook account data.

  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Program crash (1 IoC)
  • Suspicious use of SetThreadContext (8 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3700
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf0.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4476
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf1.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:2260
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf2.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3824
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf3.txt"
          4⤵
          PID:5012
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 84
            5⤵
            • Program crash
            PID:4600
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf3.txt"
          4⤵
          PID:2440
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf4.txt"
          4⤵
          PID:4120
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 5012 -ip 5012
    1⤵
    PID:4468
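The tree above carries three observables a detection engineer can turn into rules without any signature from the sandbox: an iexplore.exe image whose recorded command line is the dropper's path (the trace left by the SetThreadContext/WriteProcessMemory hollowing), child processes whose command line starts with "/stext" and therefore has no program name at all, and a Program Files binary launched by something running out of %TEMP%. The following is an added example, not part of the sandbox report or the vendor's tooling; the event records are constructed to mirror the tree (same PIDs, image paths and command lines) and their field layout is an assumption rather than any product's schema.

```python
"""Detection rules for the process-tree patterns in the report above.

Added example, not part of the sandbox report.  The events are
constructed to mirror the report's tree (image path, command line,
parent PID); the record layout is an assumption, not a vendor schema.
"""
import ntpath
import re
from dataclasses import dataclass

TEMP_DIR = "\\appdata\\local\\temp\\"               # user-writable staging dir
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0 = parent not recorded
    image: str      # file the process was created from
    cmdline: str    # command line as recorded at creation


def argv(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def findings(events: list) -> list:
    """Return (pid, rule) pairs for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        args = argv(e.cmdline)
        argv0 = args[0] if args else ""
        if argv0.startswith(("/", "-")):
            # Command line carries no program name: the creator supplied the
            # image via lpApplicationName and a command line meant for whatever
            # code it then injected (the report's /stext children).
            out.append((e.pid, "argv0_missing"))
        elif args and ntpath.basename(argv0).lower() != ntpath.basename(e.image).lower():
            # Image on disk is not what the command line names.  Process
            # hollowing (SetThreadContext/WriteProcessMemory in the report)
            # leaves exactly this trace: iexplore.exe on disk, the dropper's
            # path on the command line.
            out.append((e.pid, "image_cmdline_mismatch"))
        if any(a.lower() == "/stext" for a in args):
            # NirSoft-style "save as text" switch: a credential-recovery tool
            # writing its output to a file.
            out.append((e.pid, "stext_dump"))
        parent = by_pid.get(e.ppid)
        if (parent and TEMP_DIR in parent.image.lower()
                and e.image.lower().startswith(TRUSTED_DIRS)):
            # A Program Files / Windows binary launched from %TEMP%.
            out.append((e.pid, "trusted_binary_spawned_from_temp"))
    return out


MALWARE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe"
IEXPLORE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
DUMP_DIR = r"C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6"

# Constructed from the report's tree; PIDs and paths are the ones it shows.
SAMPLE = [
    ProcEvent(4964, 0, MALWARE, f'"{MALWARE}"'),
    ProcEvent(3700, 4964, MALWARE, f'"{MALWARE}"'),
    ProcEvent(1192, 3700, IEXPLORE, MALWARE),
    ProcEvent(4476, 1192, IEXPLORE, f'/stext "{DUMP_DIR}\\vzasvyfwf0.txt"'),
    ProcEvent(2260, 1192, IEXPLORE, f'/stext "{DUMP_DIR}\\vzasvyfwf1.txt"'),
    ProcEvent(3824, 1192, IEXPLORE, f'/stext "{DUMP_DIR}\\vzasvyfwf2.txt"'),
    ProcEvent(5012, 1192, IEXPLORE, f'/stext "{DUMP_DIR}\\vzasvyfwf3.txt"'),
    ProcEvent(4600, 5012, WERFAULT, f"{WERFAULT} -u -p 5012 -s 84"),
    ProcEvent(2440, 1192, IEXPLORE, f'/stext "{DUMP_DIR}\\vzasvyfwf3.txt"'),
    ProcEvent(4120, 1192, IEXPLORE, f'/stext "{DUMP_DIR}\\vzasvyfwf4.txt"'),
    ProcEvent(4468, 0, WERFAULT, f"{WERFAULT} -pss -s 200 -p 5012 -ip 5012"),
]

if __name__ == "__main__":
    for pid, rule in findings(SAMPLE):
        print(pid, rule)
```

Run against the constructed sample, the rules fire on PID 1192 (image/command-line mismatch and Temp parent) and on each of the six /stext children (missing argv[0] and the dump switch); the two dropper instances and both WerFault.exe processes stay clean, which is the point of keying on the image/command-line relationship rather than on iexplore.exe by name.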

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060), 2 matching signatures
  • Privilege Escalation
    Bypass User Account Control (T1088), 1 matching signature
  • Defense Evasion
    Bypass User Account Control (T1088), 1 matching signature
    Disabling Security Tools (T1089), 3 matching signatures
    Modify Registry (T1112), 6 matching signatures
  • Discovery
    System Information Discovery (T1082), 1 matching signature
  • Collection
    Email Collection (T1114), 1 matching signature

Downloads

  • C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf2.txt
    Filesize

    3KB

    MD5

    f94dc819ca773f1e3cb27abbc9e7fa27

    SHA1

    9a7700efadc5ea09ab288544ef1e3cd876255086

    SHA256

    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

    SHA512

    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf4.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/3700-140-0x0000000000000000-mapping.dmp
  • memory/3700-141-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

  • memory/3700-143-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

  • memory/3700-146-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

  • memory/4964-134-0x0000000000230000-0x00000000002DE000-memory.dmp
    Filesize

    696KB

  • memory/4964-135-0x0000000005310000-0x00000000058B4000-memory.dmp
    Filesize

    5.6MB

  • memory/4964-136-0x0000000004C60000-0x0000000004CF2000-memory.dmp
    Filesize

    584KB

  • memory/4964-137-0x0000000004D10000-0x0000000004D1A000-memory.dmp
    Filesize

    40KB

  • memory/4964-138-0x0000000007450000-0x00000000074EC000-memory.dmp
    Filesize

    624KB

  • memory/4964-139-0x00000000077F0000-0x0000000007856000-memory.dmp
    Filesize

    408KB