xpertrat | 3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

Windows security bypass 2 TTPs 1 IoCs

Disabling Security Tools

Modify Registry

Processes:

3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L8Q3J007-J4H2-S2W0-X0H8-U2R3L6X771M5 = "C:\\Users\\Admin\\AppData\\Roaming\\L8Q3J007-J4H2-S2W0-X0H8-U2R3L6X771M5\\L8Q3J007-J4H2-S2W0-X0H8-U2R3L6X771M5.exe"	iexplore.exe

Windows security modification 2 TTPs 1 IoCs

Disabling Security Tools

Modify Registry

Processes:

3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\L8Q3J007-J4H2-S2W0-X0H8-U2R3L6X771M5 = "C:\\Users\\Admin\\AppData\\Roaming\\L8Q3J007-J4H2-S2W0-X0H8-U2R3L6X771M5\\L8Q3J007-J4H2-S2W0-X0H8-U2R3L6X771M5.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L8Q3J007-J4H2-S2W0-X0H8-U2R3L6X771M5 = "C:\\Users\\Admin\\AppData\\Roaming\\L8Q3J007-J4H2-S2W0-X0H8-U2R3L6X771M5\\L8Q3J007-J4H2-S2W0-X0H8-U2R3L6X771M5.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

description	pid	process	target process
PID 4752 set thread context of 204	4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
PID 204 set thread context of 4340	204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

pid	process
4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
Token: SeDebugPrivilege	4340	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exeiexplore.exe

pid process

204 3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
4340 iexplore.exe

pid	process
204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
4340	iexplore.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

description	pid	process	target process
PID 4752 wrote to memory of 204	4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
PID 4752 wrote to memory of 204	4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
PID 4752 wrote to memory of 204	4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
PID 4752 wrote to memory of 204	4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
PID 4752 wrote to memory of 204	4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
PID 4752 wrote to memory of 204	4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
PID 4752 wrote to memory of 204	4752	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
PID 204 wrote to memory of 4340	204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	iexplore.exe
PID 204 wrote to memory of 4340	204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	iexplore.exe
PID 204 wrote to memory of 4340	204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	iexplore.exe
PID 204 wrote to memory of 4340	204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	iexplore.exe
PID 204 wrote to memory of 4340	204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	iexplore.exe
PID 204 wrote to memory of 4340	204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	iexplore.exe
PID 204 wrote to memory of 4340	204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	iexplore.exe
PID 204 wrote to memory of 4340	204	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe

C:\Users\Admin\AppData\Local\Temp\3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
"C:\Users\Admin\AppData\Local\Temp\3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
C:\Users\Admin\AppData\Local\Temp\3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
2⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:204

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\3617f700240f1deb93428b6b6adb492bef67bae7683427c9263f98d56694ca5c.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

Modify Registry

6