Overview

overview

10

Static

static

WaybillDoc...95.exe

windows7_x64

10

WaybillDoc...95.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    165s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WaybillDoc_9910812295.exe

  • Size

    383KB

  • MD5

    7694cacbd4702388c664661eeff13bd4

  • SHA1

    c462561babf3f27d9afb5ebd1b07629f64baa4d3

  • SHA256

    47230c3bcf570bb50440eee83fb83bebe937489895a2b3fee9805ad675fb239f

  • SHA512

    d55d299f0eaf6d60b769f8c6b06175b80d2e6163aaad96806aacf9b0b4de32aa968905cf7cab3a2557575cdc76d6b5af615866c814a9233d93b758566b487625

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\WaybillDoc_9910812295.exe
    "C:\Users\Admin\AppData\Local\Temp\WaybillDoc_9910812295.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Users\Admin\AppData\Local\Temp\WaybillDoc_9910812295.exe
      "{path}"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3296
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\WaybillDoc_9910812295.exe
        3⤵
          PID:4120
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 84
            4⤵
            • Program crash
            PID:4504
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\WaybillDoc_9910812295.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2720
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4120 -ip 4120
      1⤵
        PID:4612

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      3
      T1089

      Modify Registry

      6
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2932-130-0x0000000000C10000-0x0000000000C76000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2932-131-0x0000000005B10000-0x00000000060B4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2932-132-0x0000000005800000-0x0000000005892000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2932-133-0x0000000005760000-0x000000000576A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2932-134-0x00000000060C0000-0x000000000615C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/3296-135-0x0000000000000000-mapping.dmp
        Download
      • memory/3296-136-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/3296-138-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/3296-141-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download