Overview

overview

10

Static

static

986d993fb9...f8.exe

windows7_x64

10

986d993fb9...f8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    166s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe

  • Size

    1014KB

  • MD5

    66b911f4bd33b3c563164c85b59f2e18

  • SHA1

    0ce658b5bdf3ccfa3140df8b9d2beb1562331ed1

  • SHA256

    986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8

  • SHA512

    050f19ec427b97850692e5ddd7f4076724e9e74c8b157e41257d00e867b1cebbf6faf5db7a2b7998a9c0bf89d13e891912d92c961c20024368debbbe07a0e0bc

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe
    "C:\Users\Admin\AppData\Local\Temp\986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Local\Temp\986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe
      "C:\Users\Admin\AppData\Local\Temp\986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1568
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\986d993fb900f333814a9405bc8be12685aecfc2c5c0da6dc968e06f6bf4b7f8.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
            PID:2840

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    3
    T1089

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1328-130-0x0000000000380000-0x0000000000482000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1328-131-0x0000000005380000-0x0000000005924000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1328-132-0x0000000004E70000-0x0000000004F02000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1328-133-0x0000000004E40000-0x0000000004E4A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1328-134-0x0000000004DD0000-0x0000000005374000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1328-135-0x00000000088A0000-0x0000000008906000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1568-136-0x0000000000000000-mapping.dmp
      Download
    • memory/1568-137-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1568-139-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1568-143-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/2840-142-0x0000000000000000-mapping.dmp
      Download