Overview

overview

10

Static

static

RFQ_PO_563...in.exe

windows7_x64

10

RFQ_PO_563...in.exe

windows10-2004_x64

10

Specificat...nd.exe

windows7_x64

10

Specificat...nd.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    86s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 11:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Specification 788919754.pdf img ind.exe

  • Size

    411KB

  • MD5

    b93e8fe38d0df20ba517b9d531660a4e

  • SHA1

    ebc70668346f27b9c31759b335c3f6cb619c71b5

  • SHA256

    293bf5eeec6d5d30ee3b3d26f73d6cb81f4e080a449774fc8d2c3a724454f521

  • SHA512

    fa07022ab0d2d48066017e8283a9adab2fa2f8aebac2113ec451bd5b339639d0771fd975a92072bdabb24c24f4f40c25707aa9ec3d906104db9c59ba6ddf675d

Score
10/10
xpertratcollectionevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe
    "C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe
      "{path}"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1740
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\umdneqbtr0.txt"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:960
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\umdneqbtr1.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:628
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\umdneqbtr2.txt"
          4⤵
            PID:1284
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\umdneqbtr3.txt"
            4⤵
              PID:1080
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\umdneqbtr4.txt"
              4⤵
                PID:1932
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\umdneqbtr4.txt"
                4⤵
                  PID:1904

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          2
          T1060

          Privilege Escalation

          Bypass User Account Control

          1
          T1088

          Defense Evasion

          Bypass User Account Control

          1
          T1088

          Disabling Security Tools

          3
          T1089

          Modify Registry

          6
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Email Collection

          1
          T1114

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\umdneqbtr2.txt
            Filesize

            2B

            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit
          • C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\umdneqbtr4.txt
            Filesize

            2B

            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            Download Submit
          • memory/1740-65-0x00000000004010B8-mapping.dmp
            Download
          • memory/1740-59-0x0000000000400000-0x000000000042C000-memory.dmp
            Filesize

            176KB

            Download
          • memory/1740-60-0x0000000000400000-0x000000000042C000-memory.dmp
            Filesize

            176KB

            Download
          • memory/1740-62-0x0000000000400000-0x000000000042C000-memory.dmp
            Filesize

            176KB

            Download
          • memory/1740-64-0x0000000000400000-0x000000000042C000-memory.dmp
            Filesize

            176KB

            Download
          • memory/1740-70-0x0000000000400000-0x000000000042C000-memory.dmp
            Filesize

            176KB

            Download
          • memory/1844-57-0x0000000004870000-0x00000000048C6000-memory.dmp
            Filesize

            344KB

            Download
          • memory/1844-58-0x00000000003D0000-0x0000000000400000-memory.dmp
            Filesize

            192KB

            Download
          • memory/1844-54-0x00000000010B0000-0x000000000111C000-memory.dmp
            Filesize

            432KB

            Download
          • memory/1844-56-0x0000000000450000-0x000000000045A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/1844-55-0x0000000075261000-0x0000000075263000-memory.dmp
            Filesize

            8KB

            Download