Analysis

  • max time kernel
    149s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-07-2022 05:18

General

  • Target

    a9909b284f46a9193235f980fecd71e69a6c0d7fbac8e8879f73d11e3816dacf.exe

  • Size

    1.2MB

  • MD5

    d58b1c2f540268bd9dd920455568d45f

  • SHA1

    58fa23062ee8e44912be9712eed62fbe753289fd

  • SHA256

    a9909b284f46a9193235f980fecd71e69a6c0d7fbac8e8879f73d11e3816dacf

  • SHA512

    f36c1bbf62b091647151751896b98c3edffbfc711c12f02db6ef588c5a4661d1f1c3b9a1615fb3405eb9298d06d4dade3ba3286291ff11b5fc980d2f1e4519c8

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Hauk902

C2

expertworldwithout.gleeze.com:4444

Mutex

R2Q3F8F6-L8M2-T1G2-O4Y1-C3N4I3V1R3O0

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • XpertRAT Core payload 5 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9909b284f46a9193235f980fecd71e69a6c0d7fbac8e8879f73d11e3816dacf.exe
    "C:\Users\Admin\AppData\Local\Temp\a9909b284f46a9193235f980fecd71e69a6c0d7fbac8e8879f73d11e3816dacf.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1792

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \RTYPLWYY\scp\ApiSetHost.AppExecutionAlias.exe

    Filesize

    1.2MB

    MD5

    f591ae538e02688695e52f9001d3c7a0

    SHA1

    ec7b5b90ec90c4aefba0992705f8fef4871ebcf2

    SHA256

    2f65ab1ea6a17423a3a30cc93d7a078ed8cae9ecf4b2d8d8c696134dbf925c3c

    SHA512

    efbc2bd25877dad56a3a8a621540bc6da0d7676838437d3e8c6e71e1500ad6b1ed39342a58898d4bddc0d728e27261b3dc6eaad1409a517d97deb38ef6fdd947

  • memory/1484-60-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1484-69-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1792-61-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1792-64-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1792-68-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1792-71-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1996-54-0x0000000075B81000-0x0000000075B83000-memory.dmp

    Filesize

    8KB

  • memory/1996-56-0x0000000000280000-0x0000000000290000-memory.dmp

    Filesize

    64KB

  • memory/1996-70-0x0000000000280000-0x0000000000290000-memory.dmp

    Filesize

    64KB