Overview

overview

10

Static

static

986d993fb9...f8.exe

windows7_x64

10

986d993fb9...f8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    167s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-04-2022 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe

  • Size

    1014KB

  • MD5

    66b911f4bd33b3c563164c85b59f2e18

  • SHA1

    0ce658b5bdf3ccfa3140df8b9d2beb1562331ed1

  • SHA256

    986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8

  • SHA512

    050f19ec427b97850692e5ddd7f4076724e9e74c8b157e41257d00e867b1cebbf6faf5db7a2b7998a9c0bf89d13e891912d92c961c20024368debbbe07a0e0bc

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe
    "C:\Users\Admin\AppData\Local\Temp\986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Users\Admin\AppData\Local\Temp\986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe
      "C:\Users\Admin\AppData\Local\Temp\986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1008
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
          • Deletes itself
          PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/764-54-0x00000000009A0000-0x0000000000AA2000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/764-55-0x0000000000275000-0x0000000000286000-memory.dmp
    Filesize

    68KB

    Download
  • memory/764-56-0x00000000048B0000-0x0000000004910000-memory.dmp
    Filesize

    384KB

    Download
  • memory/764-57-0x0000000000450000-0x000000000046C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1008-58-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1008-59-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1008-61-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1008-64-0x00000000004010B8-mapping.dmp
    Download
  • memory/1008-63-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1008-69-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1564-71-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1564-70-0x0000000000000000-mapping.dmp
    Download