Overview

overview

10

Static

static

24b0f646c3...30.exe

windows7_x64

10

24b0f646c3...30.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    11-06-2022 21:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe

  • Size

    584KB

  • MD5

    171569a4ca58064919c3d9e9cffcd1d0

  • SHA1

    754db0cdffc636d95ee6a12d19a045bc95d9444c

  • SHA256

    24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30

  • SHA512

    fb08c20a852663129aeb5e50d4e1c9e63d0a084a27cc81d60a79525f996bbcc25f04859b7c381f01f3c266e14a12e03b1c5b1efbd3affeb5b348c1d32075b151

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
    "C:\Users\Admin\AppData\Local\Temp\24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Users\Admin\AppData\Local\Temp\24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
      C:\Users\Admin\AppData\Local\Temp\24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2016
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\24b0f646c3bb9d35e9761b5d851b09c866eb8466d7438cedb561e8e79fe2af30.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
          • Deletes itself
          PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/560-56-0x0000000000270000-0x0000000000277000-memory.dmp
    Filesize

    28KB

    Download
  • memory/560-57-0x0000000075271000-0x0000000075273000-memory.dmp
    Filesize

    8KB

    Download
  • memory/560-59-0x0000000000270000-0x0000000000277000-memory.dmp
    Filesize

    28KB

    Download
  • memory/560-60-0x0000000077170000-0x0000000077319000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/560-61-0x0000000077350000-0x00000000774D0000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1732-71-0x0000000000000000-mapping.dmp
    Download
  • memory/2016-63-0x0000000000400000-0x0000000000495000-memory.dmp
    Filesize

    596KB

    Download
  • memory/2016-64-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/2016-69-0x0000000077170000-0x0000000077319000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2016-70-0x0000000077350000-0x00000000774D0000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2016-58-0x000000000047C36D-mapping.dmp
    Download
  • memory/2016-73-0x00000000002A0000-0x00000000002A7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2016-74-0x0000000077350000-0x00000000774D0000-memory.dmp
    Filesize

    1.5MB

    Download