Analysis
-
max time kernel
152s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-06-2022 03:24
General
-
Target
22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exe
-
Size
1.3MB
-
MD5
33f8a0394a84cc3c4a427dade84dc08e
-
SHA1
5387c0ead3450eaef1cc82e4c4a0b52982fb2952
-
SHA256
22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2
-
SHA512
3cd6375ce8b6160fa7109fcdab1f2909cf9827bc0ac20fbc98c9f844d53d70122016e3e7eab2334cf1a8205f989c18958c3a6ebb6d0e5a38774a7435d43bd9b7
Score
10/10
Malware Config
Extracted
Family
xpertrat
Version
3.0.10
Botnet
Test
C2
185.125.205.93:9911
Mutex
P0V4N118-N5M3-W331-C1L0-Y2V3P6C8B2Q6
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
-
XpertRAT Core Payload 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exe"C:\Users\Admin\AppData\Local\Temp\22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exe"C:\Users\Admin\AppData\Local\Temp\22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exe"2⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exeC:\Users\Admin\AppData\Local\Temp\22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exe"C:\Users\Admin\AppData\Local\Temp\22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exe"C:\Users\Admin\AppData\Local\Temp\22eb28e2650a28f5b5aed8720fe39649c1da2288917134827be7970f764aa5d2.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2644-132-0x0000000000000000-mapping.dmp
-
memory/2644-133-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2644-138-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2828-131-0x0000000000000000-mapping.dmp
-
memory/4376-130-0x0000000000000000-mapping.dmp
-
memory/4468-144-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/4468-142-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/4468-141-0x0000000000000000-mapping.dmp
-
memory/4468-147-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/4468-148-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB