Analysis

  • max time kernel
    91s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:14

General

  • Target

    Specification 788919754.pdf img ind.exe

  • Size

    411KB

  • MD5

    b93e8fe38d0df20ba517b9d531660a4e

  • SHA1

    ebc70668346f27b9c31759b335c3f6cb619c71b5

  • SHA256

    293bf5eeec6d5d30ee3b3d26f73d6cb81f4e080a449774fc8d2c3a724454f521

  • SHA512

    fa07022ab0d2d48066017e8283a9adab2fa2f8aebac2113ec451bd5b339639d0771fd975a92072bdabb24c24f4f40c25707aa9ec3d906104db9c59ba6ddf675d

Malware Config

Signatures

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Program crash 3 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe
    "C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe
      "{path}"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2612
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\Specification 788919754.pdf img ind.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\xyeyajuoy0.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2388
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\xyeyajuoy1.txt"
          4⤵
          PID:956
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 84
            5⤵
            • Program crash
            PID:3748
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\xyeyajuoy1.txt"
          4⤵
          PID:3324
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 20
            5⤵
            • Program crash
            PID:2516
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\xyeyajuoy1.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:4380
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\xyeyajuoy2.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4668
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\xyeyajuoy3.txt"
          4⤵
          PID:1236
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\xyeyajuoy4.txt"
          4⤵
          PID:552
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 84
            5⤵
            • Program crash
            PID:2908
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\xyeyajuoy4.txt"
          4⤵
          PID:556
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 956 -ip 956
    1⤵
    PID:2268
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3324 -ip 3324
    1⤵
    PID:1828
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 552 -ip 552
    1⤵
    PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 2
  • Privilege Escalation
    Bypass User Account Control (T1088): 1
  • Defense Evasion
    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 3
    Modify Registry (T1112): 6
  • Discovery
    System Information Discovery (T1082): 1
  • Collection
    Email Collection (T1114): 1
Downloads

  • C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\xyeyajuoy2.txt
    Filesize
    3KB
    MD5
    f94dc819ca773f1e3cb27abbc9e7fa27
    SHA1
    9a7700efadc5ea09ab288544ef1e3cd876255086
    SHA256
    a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
    SHA512
    72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • C:\Users\Admin\AppData\Roaming\F4S7P6J0-V116-K8H5-A6F1-U1L8V8A4B6R5\xyeyajuoy4.txt
    Filesize
    2B
    MD5
    f3b25701fe362ec84616a93a45ce9998
    SHA1
    d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256
    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512
    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/636-130-0x0000000000200000-0x000000000026C000-memory.dmp
    Filesize
    432KB

  • memory/636-131-0x0000000007650000-0x0000000007BF4000-memory.dmp
    Filesize
    5.6MB

  • memory/636-132-0x0000000007140000-0x00000000071D2000-memory.dmp
    Filesize
    584KB

  • memory/636-133-0x00000000070F0000-0x00000000070FA000-memory.dmp
    Filesize
    40KB

  • memory/636-134-0x0000000007450000-0x00000000074EC000-memory.dmp
    Filesize
    624KB

  • memory/2612-135-0x0000000000000000-mapping.dmp

  • memory/2612-136-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize
    176KB

  • memory/2612-138-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize
    176KB

  • memory/2612-141-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize
    176KB