xpertrat | 6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

Emerge.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Emerge.exe

Windows security bypass 2 TTPs 1 IoCs

Disabling Security Tools

Modify Registry

Processes:

Emerge.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Emerge.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

iexplore.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0.exe"	iexplore.exe

Executes dropped EXE 2 IoCs

Processes:

Emerge.exeEmerge.exe

pid	Process
1716	Emerge.exe
572	Emerge.exe

Loads dropped DLL 3 IoCs

Processes:

6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exeEmerge.exe

pid	Process
1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe
1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe
1716	Emerge.exe

Windows security modification 2 TTPs 1 IoCs

Disabling Security Tools

Modify Registry

Processes:

Emerge.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Emerge.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

iexplore.exereg.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abidingness2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Emerge.exe"	reg.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0\\N3S8L5V2-L0C7-N6Q5-Y5J3-W6M7F112Y5H0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

Emerge.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Emerge.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Emerge.exeEmerge.exe

description	pid	Process	procid_target
PID 1716 set thread context of 572	1716	Emerge.exe	35
PID 572 set thread context of 1116	572	Emerge.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exe

pid	Process
988	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

Processes:

reg.EXE

pid	Process
1852	reg.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Emerge.exe

pid	Process
572	Emerge.exe
572	Emerge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iexplore.exe

description	pid	Process
Token: SeDebugPrivilege	1116	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exeEmerge.exeEmerge.exeiexplore.exe

pid	Process
1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe
1716	Emerge.exe
572	Emerge.exe
1116	iexplore.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exetaskeng.exeEmerge.exeEmerge.exe

description	pid	Process	procid_target
PID 1956 wrote to memory of 988	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	28
PID 1956 wrote to memory of 988	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	28
PID 1956 wrote to memory of 988	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	28
PID 1956 wrote to memory of 988	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	28
PID 1956 wrote to memory of 1284	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	30
PID 1956 wrote to memory of 1284	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	30
PID 1956 wrote to memory of 1284	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	30
PID 1956 wrote to memory of 1284	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	30
PID 1956 wrote to memory of 1716	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	32
PID 1956 wrote to memory of 1716	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	32
PID 1956 wrote to memory of 1716	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	32
PID 1956 wrote to memory of 1716	1956	6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe	32
PID 2012 wrote to memory of 1852	2012	taskeng.exe	34
PID 2012 wrote to memory of 1852	2012	taskeng.exe	34
PID 2012 wrote to memory of 1852	2012	taskeng.exe	34
PID 1716 wrote to memory of 572	1716	Emerge.exe	35
PID 1716 wrote to memory of 572	1716	Emerge.exe	35
PID 1716 wrote to memory of 572	1716	Emerge.exe	35
PID 1716 wrote to memory of 572	1716	Emerge.exe	35
PID 1716 wrote to memory of 572	1716	Emerge.exe	35
PID 1716 wrote to memory of 572	1716	Emerge.exe	35
PID 1716 wrote to memory of 572	1716	Emerge.exe	35
PID 1716 wrote to memory of 572	1716	Emerge.exe	35
PID 1716 wrote to memory of 572	1716	Emerge.exe	35
PID 1716 wrote to memory of 572	1716	Emerge.exe	35
PID 572 wrote to memory of 1116	572	Emerge.exe	36
PID 572 wrote to memory of 1116	572	Emerge.exe	36
PID 572 wrote to memory of 1116	572	Emerge.exe	36
PID 572 wrote to memory of 1116	572	Emerge.exe	36
PID 572 wrote to memory of 1116	572	Emerge.exe	36
PID 572 wrote to memory of 1116	572	Emerge.exe	36
PID 572 wrote to memory of 1116	572	Emerge.exe	36
PID 572 wrote to memory of 1116	572	Emerge.exe	36
PID 572 wrote to memory of 1116	572	Emerge.exe	36

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

Emerge.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Emerge.exe

C:\Users\Admin\AppData\Local\Temp\6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe
"C:\Users\Admin\AppData\Local\Temp\6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC HOURLY /MO 23 /TN "Abidingness2" /TR "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "\""Abidingness2"\"" /f /t REG_SZ /d "\""C:\Users\Admin\AppData\Local\Temp\Emerge.exe\""
  2⤵
  - Creates scheduled task(s)
  PID:988
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /run /tn "Abidingness2"
  2⤵
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\Emerge.exe
  "C:\Users\Admin\AppData\Local\Temp\Emerge.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\Emerge.exe
    "C:\Users\Admin\AppData\Local\Temp\Emerge.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:572
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      C:\Users\Admin\AppData\Local\Temp\Emerge.exe
      4⤵
      Adds policy Run key to start application
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1116

C:\Windows\system32\taskeng.exe
taskeng.exe {151789F2-3B0D-4B03-9C31-2C6CFE0C2854} S-1-5-21-3762437355-3468409815-1164039494-1000:TZEOUYSL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\reg.EXE
  C:\Windows\system32\reg.EXE add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Abidingness2" /f /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Emerge.exe"
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry