xpertrat | d6d4f87e9126bf6792e3774f73f9c15e308328bca3f8fcef5f5d943a0904e137

General

Target

gunzipped.exe
Size

619KB
MD5

5a31075c7e2eede32b52b7e32d16f560
SHA1

1b0325131df5e081f802f907246da4f2331d60c0
SHA256

d6d4f87e9126bf6792e3774f73f9c15e308328bca3f8fcef5f5d943a0904e137
SHA512

d785092dd4cc6ef921c3f5f8146412ae1e4fd0891ed1493c72801f31adfc3b80aac258021d6c7fe97f03e52180f92349a00a3781581801748fad7339fc13bb1d

Score

10^/10

xpertrat collection evasion persistence rat trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4 = "C:\\Users\\Admin\\AppData\\Roaming\\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4.exe"	iexplore.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1824 notepad.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

gunzipped.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" gunzipped.exe

pid	process
1824	notepad.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	gunzipped.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

iexplore.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	iexplore.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4 = "C:\\Users\\Admin\\AppData\\Roaming\\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4 = "C:\\Users\\Admin\\AppData\\Roaming\\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

gunzipped.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gunzipped.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gunzipped.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

gunzipped.exegunzipped.exeiexplore.exe

description	pid	process	target process
PID 316 set thread context of 828	316	gunzipped.exe	gunzipped.exe
PID 828 set thread context of 1936	828	gunzipped.exe	iexplore.exe
PID 1936 set thread context of 824	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 1340	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 268	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 1756	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 1640	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 772	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 1440	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 360	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 1988	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 892	1936	iexplore.exe	iexplore.exe
PID 1936 set thread context of 1080	1936	iexplore.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

gunzipped.exegunzipped.exepowershell.exe

pid process

316 gunzipped.exe
828 gunzipped.exe
1224 powershell.exe
828 gunzipped.exe

pid	process
316	gunzipped.exe
828	gunzipped.exe
1224	powershell.exe
828	gunzipped.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

gunzipped.exeiexplore.exepowershell.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	316	gunzipped.exe
Token: SeDebugPrivilege	1936	iexplore.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1340	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

gunzipped.exeiexplore.exe

pid process

828 gunzipped.exe
1936 iexplore.exe

pid	process
828	gunzipped.exe
1936	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

gunzipped.exegunzipped.exeiexplore.exe

description	pid	process	target process
PID 316 wrote to memory of 1224	316	gunzipped.exe	powershell.exe
PID 316 wrote to memory of 1224	316	gunzipped.exe	powershell.exe
PID 316 wrote to memory of 1224	316	gunzipped.exe	powershell.exe
PID 316 wrote to memory of 1224	316	gunzipped.exe	powershell.exe
PID 316 wrote to memory of 1120	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 1120	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 1120	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 1120	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 828	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 828	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 828	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 828	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 828	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 828	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 828	316	gunzipped.exe	gunzipped.exe
PID 316 wrote to memory of 828	316	gunzipped.exe	gunzipped.exe
PID 828 wrote to memory of 1936	828	gunzipped.exe	iexplore.exe
PID 828 wrote to memory of 1936	828	gunzipped.exe	iexplore.exe
PID 828 wrote to memory of 1936	828	gunzipped.exe	iexplore.exe
PID 828 wrote to memory of 1936	828	gunzipped.exe	iexplore.exe
PID 828 wrote to memory of 1936	828	gunzipped.exe	iexplore.exe
PID 828 wrote to memory of 1936	828	gunzipped.exe	iexplore.exe
PID 828 wrote to memory of 1936	828	gunzipped.exe	iexplore.exe
PID 828 wrote to memory of 1936	828	gunzipped.exe	iexplore.exe
PID 828 wrote to memory of 1936	828	gunzipped.exe	iexplore.exe
PID 1936 wrote to memory of 1824	1936	iexplore.exe	notepad.exe
PID 1936 wrote to memory of 1824	1936	iexplore.exe	notepad.exe
PID 1936 wrote to memory of 1824	1936	iexplore.exe	notepad.exe
PID 1936 wrote to memory of 1824	1936	iexplore.exe	notepad.exe
PID 1936 wrote to memory of 1824	1936	iexplore.exe	notepad.exe
PID 1936 wrote to memory of 824	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 824	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 824	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 824	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 824	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 824	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 824	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 824	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 824	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1340	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1340	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1340	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1340	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1340	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1340	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1340	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1340	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1340	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 1236	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 268	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 268	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 268	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 268	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 268	1936	iexplore.exe	iexplore.exe
PID 1936 wrote to memory of 268	1936	iexplore.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

gunzipped.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gunzipped.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	gunzipped.exe

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
  "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
  2⤵
  PID:1120
- C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
  "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
  2⤵
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:828
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      Deletes itself
      PID:1824
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk0.txt"
      4⤵
      PID:824
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk0.txt"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1340
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk1.txt"
      4⤵
      PID:1236
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk1.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:268
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk2.txt"
      4⤵
      PID:1756
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk2.txt"
      4⤵
      PID:1640
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk2.txt"
      4⤵
      PID:772
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk3.txt"
      4⤵
      PID:1440
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk3.txt"
      4⤵
      PID:360
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk3.txt"
      4⤵
      PID:1988
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk4.txt"
      4⤵
      PID:892
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk4.txt"
      4⤵
      PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk2.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk4.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/316-54-0x00000000008E0000-0x0000000000982000-memory.dmp

Filesize
648KB

Download
memory/316-55-0x0000000076431000-0x0000000076433000-memory.dmp

Filesize
8KB

Download
memory/316-56-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/316-57-0x0000000005D80000-0x0000000005E06000-memory.dmp

Filesize
536KB

Download
memory/316-59-0x0000000004320000-0x0000000004356000-memory.dmp

Filesize
216KB

Download
memory/828-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-64-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-67-0x00000000004010B8-mapping.dmp

Download
memory/828-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1224-72-0x000000006F2F0000-0x000000006F89B000-memory.dmp

Filesize
5.7MB

Download
memory/1224-58-0x0000000000000000-mapping.dmp

Download
memory/1824-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads