Overview

overview

10

Static

static

SecuriteIn...61.exe

windows7_x64

10

SecuriteIn...61.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    208s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 23:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe

  • Size

    512KB

  • MD5

    bfa6a35755791e6046c304ac582770c7

  • SHA1

    6f921e0412bc2506ef0c1b65f0f086da4a161ca5

  • SHA256

    0a35b0e0112fc3ffb7fb29e2f7afa092ae3b5932ff8e79c7a9b5365ad5e08013

  • SHA512

    fd7271fc40f5c1f25e8c30e05612042c2b200ac1635b079477d1b3cb3dd0a4c3270f425307933cce0b591ab2752a7d6450d15663ea62b3b8da991149ee7c8c75

Score
10/10
xpertratcollectionevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Program crash 2 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ser.Lazy.948.25861.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4748
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
            PID:4128
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\azgetzrak0.txt"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5032
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\azgetzrak1.txt"
            4⤵
            • Accesses Microsoft Outlook accounts
            PID:1352
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\azgetzrak2.txt"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3368
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\azgetzrak3.txt"
            4⤵
              PID:4136
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 84
                5⤵
                • Program crash
                PID:4608
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\azgetzrak3.txt"
              4⤵
                PID:768
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\azgetzrak4.txt"
                4⤵
                  PID:4304
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 84
                    5⤵
                    • Program crash
                    PID:1068
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\azgetzrak4.txt"
                  4⤵
                    PID:1636
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4136 -ip 4136
              1⤵
                PID:3568
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4304 -ip 4304
                1⤵
                  PID:4312

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Registry Run Keys / Startup Folder

                2
                T1060

                Privilege Escalation

                Bypass User Account Control

                1
                T1088

                Defense Evasion

                Bypass User Account Control

                1
                T1088

                Disabling Security Tools

                2
                T1089

                Modify Registry

                4
                T1112

                Credential Access

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                2
                T1082

                Lateral Movement

                Collection

                Email Collection

                1
                T1114

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\azgetzrak2.txt
                  Filesize

                  3KB

                  MD5

                  f94dc819ca773f1e3cb27abbc9e7fa27

                  SHA1

                  9a7700efadc5ea09ab288544ef1e3cd876255086

                  SHA256

                  a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

                  SHA512

                  72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

                  Download Submit
                • memory/636-131-0x00000000054A0000-0x0000000005A44000-memory.dmp
                  Filesize

                  5.6MB

                  Download
                • memory/636-132-0x0000000004F90000-0x0000000005022000-memory.dmp
                  Filesize

                  584KB

                  Download
                • memory/636-133-0x0000000005030000-0x00000000050CC000-memory.dmp
                  Filesize

                  624KB

                  Download
                • memory/636-134-0x00000000051D0000-0x00000000051DA000-memory.dmp
                  Filesize

                  40KB

                  Download
                • memory/636-135-0x0000000007380000-0x00000000073E6000-memory.dmp
                  Filesize

                  408KB

                  Download
                • memory/636-130-0x00000000004E0000-0x0000000000566000-memory.dmp
                  Filesize

                  536KB

                  Download
                • memory/4128-147-0x0000000000000000-mapping.dmp
                  Download
                • memory/4176-137-0x0000000000000000-mapping.dmp
                  Download
                • memory/4176-138-0x0000000000400000-0x000000000042C000-memory.dmp
                  Filesize

                  176KB

                  Download
                • memory/4176-141-0x0000000000400000-0x000000000042C000-memory.dmp
                  Filesize

                  176KB

                  Download
                • memory/4176-148-0x0000000000400000-0x000000000042C000-memory.dmp
                  Filesize

                  176KB

                  Download
                • memory/4748-150-0x0000000006D10000-0x0000000006D42000-memory.dmp
                  Filesize

                  200KB

                  Download
                • memory/4748-152-0x0000000006100000-0x000000000611E000-memory.dmp
                  Filesize

                  120KB

                  Download
                • memory/4748-145-0x0000000004A90000-0x0000000004AB2000-memory.dmp
                  Filesize

                  136KB

                  Download
                • memory/4748-144-0x0000000004E10000-0x0000000005438000-memory.dmp
                  Filesize

                  6.2MB

                  Download
                • memory/4748-149-0x0000000005B50000-0x0000000005B6E000-memory.dmp
                  Filesize

                  120KB

                  Download
                • memory/4748-140-0x0000000000C50000-0x0000000000C86000-memory.dmp
                  Filesize

                  216KB

                  Download
                • memory/4748-151-0x0000000070A60000-0x0000000070AAC000-memory.dmp
                  Filesize

                  304KB

                  Download
                • memory/4748-146-0x0000000004C30000-0x0000000004C96000-memory.dmp
                  Filesize

                  408KB

                  Download
                • memory/4748-153-0x00000000074A0000-0x0000000007B1A000-memory.dmp
                  Filesize

                  6.5MB

                  Download
                • memory/4748-154-0x0000000006E50000-0x0000000006E6A000-memory.dmp
                  Filesize

                  104KB

                  Download
                • memory/4748-155-0x0000000006EC0000-0x0000000006ECA000-memory.dmp
                  Filesize

                  40KB

                  Download
                • memory/4748-156-0x00000000070D0000-0x0000000007166000-memory.dmp
                  Filesize

                  600KB

                  Download
                • memory/4748-157-0x0000000007090000-0x000000000709E000-memory.dmp
                  Filesize

                  56KB

                  Download
                • memory/4748-158-0x00000000071A0000-0x00000000071BA000-memory.dmp
                  Filesize

                  104KB

                  Download
                • memory/4748-136-0x0000000000000000-mapping.dmp
                  Download
                • memory/4748-160-0x0000000007180000-0x0000000007188000-memory.dmp
                  Filesize

                  32KB

                  Download