Overview

overview

10

Static

static

WaybillDoc...95.exe

windows7_x64

10

WaybillDoc...95.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WaybillDoc_9910812295.exe

  • Size

    383KB

  • MD5

    7694cacbd4702388c664661eeff13bd4

  • SHA1

    c462561babf3f27d9afb5ebd1b07629f64baa4d3

  • SHA256

    47230c3bcf570bb50440eee83fb83bebe937489895a2b3fee9805ad675fb239f

  • SHA512

    d55d299f0eaf6d60b769f8c6b06175b80d2e6163aaad96806aacf9b0b4de32aa968905cf7cab3a2557575cdc76d6b5af615866c814a9233d93b758566b487625

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\WaybillDoc_9910812295.exe
    "C:\Users\Admin\AppData\Local\Temp\WaybillDoc_9910812295.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Users\Admin\AppData\Local\Temp\WaybillDoc_9910812295.exe
      "{path}"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:932
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\WaybillDoc_9910812295.exe
        3⤵
          PID:940
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\WaybillDoc_9910812295.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1608

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    3
    T1089

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/824-54-0x0000000000C50000-0x0000000000CB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/824-55-0x0000000075741000-0x0000000075743000-memory.dmp
      Filesize

      8KB

      Download
    • memory/824-56-0x00000000004B0000-0x00000000004B8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/824-57-0x0000000004C00000-0x0000000004C64000-memory.dmp
      Filesize

      400KB

      Download
    • memory/824-58-0x0000000000640000-0x000000000067C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/932-59-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/932-60-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/932-62-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/932-64-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/932-65-0x00000000004010B8-mapping.dmp
      Download
    • memory/932-70-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download