xpertrat | 05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657

General

Target

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
Size

2.1MB
MD5

07c3708de3c443f315ad847b3f67b260
SHA1

7a4cb398dfd4735dd853358a853375cea6ef1db6
SHA256

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657
SHA512

ee3839901639cbc4bb5a7bc8cfc379a03a0547d9d1f455e08fba3d24cfd75c3ca33ea1edc9d74972afc0288629c77d4b47384c33d9a356ad7c1d29cb13d7f5b9

Score

10^/10

xpertrat evasion persistence rat trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0.exe"	iexplore.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U6K7D1X2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

pid	process
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

description	pid	process	target process
PID 1608 set thread context of 4504	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 4504 set thread context of 4980	4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	iexplore.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4204 1608 WerFault.exe 05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

pid	pid_target	process	target process
4204	1608	WerFault.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

pid	process
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
Token: SeDebugPrivilege	4980	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exeiexplore.exe

pid process

4504 05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
4980 iexplore.exe

pid	process
4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
4980	iexplore.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

description	pid	process	target process
PID 1608 wrote to memory of 4436	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 1608 wrote to memory of 4436	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 1608 wrote to memory of 4436	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 1608 wrote to memory of 4504	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 1608 wrote to memory of 4504	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 1608 wrote to memory of 4504	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 1608 wrote to memory of 4504	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 1608 wrote to memory of 4504	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 1608 wrote to memory of 4504	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 1608 wrote to memory of 4504	1608	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
PID 4504 wrote to memory of 4980	4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	iexplore.exe
PID 4504 wrote to memory of 4980	4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	iexplore.exe
PID 4504 wrote to memory of 4980	4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	iexplore.exe
PID 4504 wrote to memory of 4980	4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	iexplore.exe
PID 4504 wrote to memory of 4980	4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	iexplore.exe
PID 4504 wrote to memory of 4980	4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	iexplore.exe
PID 4504 wrote to memory of 4980	4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	iexplore.exe
PID 4504 wrote to memory of 4980	4504	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe

C:\Users\Admin\AppData\Local\Temp\05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
"C:\Users\Admin\AppData\Local\Temp\05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
"C:\Users\Admin\AppData\Local\Temp\05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe"
2⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
"C:\Users\Admin\AppData\Local\Temp\05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4504

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\05cc3666016454b90c6fd02b60f6f9467ba36e3300449a7fe1f0941048606657.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1076
2⤵
- Program crash
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1608 -ip 1608
1⤵
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

6

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-130-0x0000000000270000-0x0000000000492000-memory.dmp

Filesize
2.1MB

Download
memory/1608-131-0x0000000004D10000-0x0000000004DAC000-memory.dmp

Filesize
624KB

Download
memory/1608-132-0x0000000007870000-0x0000000007E14000-memory.dmp

Filesize
5.6MB

Download
memory/4436-133-0x0000000000000000-mapping.dmp

Download
memory/4504-134-0x0000000000000000-mapping.dmp

Download
memory/4504-135-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4504-137-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4504-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads