xpertrat | 6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2

General

Target

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe
Size

172KB
MD5

e49ce76cfe71eb53e6ebc32b112ebdad
SHA1

e64787efdf916fa0e433e1ac4b462e89802ac1f4
SHA256

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2
SHA512

3cd32ab45a84299398e4da9b843f5231e3ec9339e196ebb54a81d705c69aed28b0543853427f1eb34ac891741fcb57fba083d1e268385b42d69c0d44ad1b5ac1

Score

10^/10

xpertrat evasion persistence rat trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\U440S6D3-S1J8-U7Y6-U224-P8W7P5Y1L7L6 = "C:\\Users\\Admin\\AppData\\Roaming\\U440S6D3-S1J8-U7Y6-U224-P8W7P5Y1L7L6\\U440S6D3-S1J8-U7Y6-U224-P8W7P5Y1L7L6.exe"	iexplore.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\U440S6D3-S1J8-U7Y6-U224-P8W7P5Y1L7L6 = "C:\\Users\\Admin\\AppData\\Roaming\\U440S6D3-S1J8-U7Y6-U224-P8W7P5Y1L7L6\\U440S6D3-S1J8-U7Y6-U224-P8W7P5Y1L7L6.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\U440S6D3-S1J8-U7Y6-U224-P8W7P5Y1L7L6 = "C:\\Users\\Admin\\AppData\\Roaming\\U440S6D3-S1J8-U7Y6-U224-P8W7P5Y1L7L6\\U440S6D3-S1J8-U7Y6-U224-P8W7P5Y1L7L6.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

description	pid	process	target process
PID 4228 set thread context of 4512	4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

pid	process
4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe
4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe
4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe
4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iexplore.exe

description pid process

Token: SeDebugPrivilege 4512 iexplore.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exeiexplore.exe

pid process

4228 6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe
4512 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	4512	iexplore.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exeiexplore.exe

description	pid	process	target process
PID 4228 wrote to memory of 4512	4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe	iexplore.exe
PID 4228 wrote to memory of 4512	4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe	iexplore.exe
PID 4228 wrote to memory of 4512	4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe	iexplore.exe
PID 4228 wrote to memory of 4512	4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe	iexplore.exe
PID 4228 wrote to memory of 4512	4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe	iexplore.exe
PID 4228 wrote to memory of 4512	4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe	iexplore.exe
PID 4228 wrote to memory of 4512	4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe	iexplore.exe
PID 4228 wrote to memory of 4512	4228	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe	iexplore.exe
PID 4512 wrote to memory of 3316	4512	iexplore.exe	notepad.exe
PID 4512 wrote to memory of 3316	4512	iexplore.exe	notepad.exe
PID 4512 wrote to memory of 3316	4512	iexplore.exe	notepad.exe
PID 4512 wrote to memory of 3316	4512	iexplore.exe	notepad.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe

C:\Users\Admin\AppData\Local\Temp\6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe
"C:\Users\Admin\AppData\Local\Temp\6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4228

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\6cdc19ff655d60c2f9f5ea1d4397efa91e20a60581509b90664c556c30db34c2.exe
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4512