Analysis

  • max time kernel
    187s
  • max time network
    201s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    11-05-2022 02:45

General

  • Target

    683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe

  • Size

    638KB

  • MD5

    043bbfccd9e9deebe4559e291dbebda1

  • SHA1

    0e6da4ccaed482767eb94a61679b5f24375f24d3

  • SHA256

    683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4

  • SHA512

    41e4ea16800ddc0078eca1260f6ef07cd33a1c849802437a2c5868a4bf2fc4ee8b4f480f63e30f88d6e63eab733916fe5f6ec8fd2d3ce91a8bd6bfa4c98a4cc5

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
    "C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe"
    1⤵
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2040
    • C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
      "C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe"
      2⤵
        PID:812
      • C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
        "C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe"
        2⤵
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1396
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
          3⤵
            PID:820
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
            3⤵
              PID:2016
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
              3⤵
                PID:1360
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
                3⤵
                  PID:1336
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
                  3⤵
                  • Adds policy Run key to start application
                  • Adds Run key to start application
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1268
                  • C:\Windows\SysWOW64\notepad.exe
                    notepad.exe
                    4⤵
                    • Deletes itself
                    PID:1084

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Persistence

            Modify Existing Service

            1
            T1031

            Registry Run Keys / Startup Folder

            2
            T1060

            Privilege Escalation

            Bypass User Account Control

            1
            T1088

            Defense Evasion

            Modify Registry

            7
            T1112

            Disabling Security Tools

            4
            T1089

            Bypass User Account Control

            1
            T1088

            Discovery

            System Information Discovery

            1
            T1082

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1084-74-0x0000000000000000-mapping.dmp
            • memory/1396-63-0x0000000000400000-0x000000000042C000-memory.dmp
              Filesize

              176KB

            • memory/1396-73-0x0000000000400000-0x000000000042C000-memory.dmp
              Filesize

              176KB

            • memory/1396-68-0x00000000004010B8-mapping.dmp
            • memory/1396-67-0x0000000000400000-0x000000000042C000-memory.dmp
              Filesize

              176KB

            • memory/1396-65-0x0000000000400000-0x000000000042C000-memory.dmp
              Filesize

              176KB

            • memory/1396-62-0x0000000000400000-0x000000000042C000-memory.dmp
              Filesize

              176KB

            • memory/1676-57-0x0000000004AD0000-0x0000000004B24000-memory.dmp
              Filesize

              336KB

            • memory/1676-58-0x00000000006E0000-0x0000000000714000-memory.dmp
              Filesize

              208KB

            • memory/1676-54-0x0000000000190000-0x0000000000234000-memory.dmp
              Filesize

              656KB

            • memory/1676-56-0x00000000002C0000-0x00000000002CA000-memory.dmp
              Filesize

              40KB

            • memory/1676-55-0x0000000075361000-0x0000000075363000-memory.dmp
              Filesize

              8KB

            • memory/2040-61-0x000000006F1A0000-0x000000006F74B000-memory.dmp
              Filesize

              5.7MB

            • memory/2040-59-0x0000000000000000-mapping.dmp