xpertrat | 79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216

General

Target

79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
Size

1.4MB
MD5

3046222c67a68d7cadabd19434355600
SHA1

633f3b57954d2b2d7c37386af772dc199b3c6db7
SHA256

79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216
SHA512

703dc8b72ec2bbafe4f8fa466b48b839af95a445df25c07b615d5471ba5bb6aad5ba76b66371bbb2d4d2426bbb09de88c9de017fee33b3be0007aa045b318b8e
SSDEEP

24576:mUQZGjqqIaSb5rUoMGa7WATGC11Jk220gPgFKU0p82QcNZdsCAEKA3NHNEgsNPDS:mUJGqI5lbmD11JkfKop8Rc+CnaNYp

Score

10^/10

xpertrat evasion persistence rat trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

FIX.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FIX.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

FIX.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" FIX.exe
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FIX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	FIX.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3 = "C:\\Users\\Admin\\AppData\\Roaming\\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3\\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3.exe"	iexplore.exe

Executes dropped EXE 4 IoCs

Processes:

Black Inject.exeDOWS.exeFIX.exeFIX.exe

pid process

3244 Black Inject.exe
528 DOWS.exe
1760 FIX.exe
2796 FIX.exe

pid	process
3244	Black Inject.exe
528	DOWS.exe
1760	FIX.exe
2796	FIX.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exeDOWS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DOWS.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

FIX.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" FIX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	FIX.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3 = "C:\\Users\\Admin\\AppData\\Roaming\\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3\\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3 = "C:\\Users\\Admin\\AppData\\Roaming\\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3\\A440L3X3-W3L2-L8R1-T2B2-T227F2P4U7V3.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

FIX.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FIX.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

FIX.exeFIX.exe

description pid process target process

PID 1760 set thread context of 2796 1760 FIX.exe FIX.exe
PID 2796 set thread context of 4060 2796 FIX.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iexplore.exe

description pid process

Token: SeDebugPrivilege 4060 iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exeBlack Inject.exeFIX.exeFIX.exeiexplore.exe

pid process

4868 79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
3244 Black Inject.exe
1760 FIX.exe
2796 FIX.exe
4060 iexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FIX.exe

description	pid	process	target process
PID 1760 set thread context of 2796	1760	FIX.exe	FIX.exe
PID 2796 set thread context of 4060	2796	FIX.exe	iexplore.exe

description	pid	process
Token: SeDebugPrivilege	4060	iexplore.exe

pid	process
4868	79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
3244	Black Inject.exe
1760	FIX.exe
2796	FIX.exe
4060	iexplore.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exeDOWS.exeFIX.exeFIX.exeiexplore.exe

description	pid	process	target process
PID 4868 wrote to memory of 3244	4868	79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe	Black Inject.exe
PID 4868 wrote to memory of 3244	4868	79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe	Black Inject.exe
PID 4868 wrote to memory of 3244	4868	79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe	Black Inject.exe
PID 4868 wrote to memory of 528	4868	79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe	DOWS.exe
PID 4868 wrote to memory of 528	4868	79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe	DOWS.exe
PID 4868 wrote to memory of 528	4868	79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe	DOWS.exe
PID 528 wrote to memory of 1760	528	DOWS.exe	FIX.exe
PID 528 wrote to memory of 1760	528	DOWS.exe	FIX.exe
PID 528 wrote to memory of 1760	528	DOWS.exe	FIX.exe
PID 1760 wrote to memory of 2796	1760	FIX.exe	FIX.exe
PID 1760 wrote to memory of 2796	1760	FIX.exe	FIX.exe
PID 1760 wrote to memory of 2796	1760	FIX.exe	FIX.exe
PID 1760 wrote to memory of 2796	1760	FIX.exe	FIX.exe
PID 1760 wrote to memory of 2796	1760	FIX.exe	FIX.exe
PID 1760 wrote to memory of 2796	1760	FIX.exe	FIX.exe
PID 1760 wrote to memory of 2796	1760	FIX.exe	FIX.exe
PID 1760 wrote to memory of 2796	1760	FIX.exe	FIX.exe
PID 2796 wrote to memory of 4060	2796	FIX.exe	iexplore.exe
PID 2796 wrote to memory of 4060	2796	FIX.exe	iexplore.exe
PID 2796 wrote to memory of 4060	2796	FIX.exe	iexplore.exe
PID 2796 wrote to memory of 4060	2796	FIX.exe	iexplore.exe
PID 2796 wrote to memory of 4060	2796	FIX.exe	iexplore.exe
PID 2796 wrote to memory of 4060	2796	FIX.exe	iexplore.exe
PID 2796 wrote to memory of 4060	2796	FIX.exe	iexplore.exe
PID 2796 wrote to memory of 4060	2796	FIX.exe	iexplore.exe
PID 4060 wrote to memory of 5104	4060	iexplore.exe	notepad.exe
PID 4060 wrote to memory of 5104	4060	iexplore.exe	notepad.exe
PID 4060 wrote to memory of 5104	4060	iexplore.exe	notepad.exe
PID 4060 wrote to memory of 5104	4060	iexplore.exe	notepad.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

FIX.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FIX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FIX.exe

C:\Users\Admin\AppData\Local\Temp\79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
"C:\Users\Admin\AppData\Local\Temp\79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\Black Inject.exe
"C:\Users\Admin\AppData\Local\Temp\Black Inject.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3244

C:\Users\Admin\AppData\Local\Temp\DOWS.exe
"C:\Users\Admin\AppData\Local\Temp\DOWS.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe"
4⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2796

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
5⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\notepad.exe
notepad.exe
6⤵
PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Black Inject.exe

Filesize
32KB

MD5
8e7f0ab5708ed0bb3a34c0b1246bd8ea

SHA1
3dfce2eefcbc240bef5ca5dc536ecd623efdc537

SHA256
a24eb7a3f9e1e8382a455b3eccce575632103738217444565088def6f96b353d

SHA512
52ef0312612e79fab1871e8446cfadee3929337baa198a40c67035b27895f5f347fb6bb68c3cb565b46daa5aea1792530889457a3888d7fa495241cde5a84ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Black Inject.exe

Filesize
32KB

MD5
8e7f0ab5708ed0bb3a34c0b1246bd8ea

SHA1
3dfce2eefcbc240bef5ca5dc536ecd623efdc537

SHA256
a24eb7a3f9e1e8382a455b3eccce575632103738217444565088def6f96b353d

SHA512
52ef0312612e79fab1871e8446cfadee3929337baa198a40c67035b27895f5f347fb6bb68c3cb565b46daa5aea1792530889457a3888d7fa495241cde5a84ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOWS.exe

Filesize
704KB

MD5
8d021cccaf91e5e4364f293ac9141100

SHA1
e60fc2fda9b75cf3a421c6438f105b5ea1c48cb6

SHA256
2abe3651a9fcb76fc2bfc7d41b53d75a0c4afb44ad4f683ff875eff0f14214aa

SHA512
48b8c59745dba92b9e91aa3032ee3a4e0126c978a7986e2b55fac9c09d1b83b060f250b071876cf445a6d9e8601405a0ece3b06bee1dec3157b06233fd3e62ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOWS.exe

Filesize
704KB

MD5
8d021cccaf91e5e4364f293ac9141100

SHA1
e60fc2fda9b75cf3a421c6438f105b5ea1c48cb6

SHA256
2abe3651a9fcb76fc2bfc7d41b53d75a0c4afb44ad4f683ff875eff0f14214aa

SHA512
48b8c59745dba92b9e91aa3032ee3a4e0126c978a7986e2b55fac9c09d1b83b060f250b071876cf445a6d9e8601405a0ece3b06bee1dec3157b06233fd3e62ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe

Filesize
564KB

MD5
5075ce722c570cd61ef5c674f3551876

SHA1
9cf84d95886042c3232b5b5eecebb094c160ff9b

SHA256
90b84c2dadd8a427f19e26887185852bef6b019815374b14e91ed6658f75a932

SHA512
a3bee59ca57d7a9cc4139fbfada81679f6495e9ef4135f26bca5b97188645b004f519eb6439b9b99605cdde928c7db2705622ae31520a2a10d7a151aa5a4cc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe

Filesize
564KB

MD5
5075ce722c570cd61ef5c674f3551876

SHA1
9cf84d95886042c3232b5b5eecebb094c160ff9b

SHA256
90b84c2dadd8a427f19e26887185852bef6b019815374b14e91ed6658f75a932

SHA512
a3bee59ca57d7a9cc4139fbfada81679f6495e9ef4135f26bca5b97188645b004f519eb6439b9b99605cdde928c7db2705622ae31520a2a10d7a151aa5a4cc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe

Filesize
564KB

MD5
5075ce722c570cd61ef5c674f3551876

SHA1
9cf84d95886042c3232b5b5eecebb094c160ff9b

SHA256
90b84c2dadd8a427f19e26887185852bef6b019815374b14e91ed6658f75a932

SHA512
a3bee59ca57d7a9cc4139fbfada81679f6495e9ef4135f26bca5b97188645b004f519eb6439b9b99605cdde928c7db2705622ae31520a2a10d7a151aa5a4cc40

Download Submit
memory/528-141-0x0000000000000000-mapping.dmp

Download
memory/1760-150-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1760-145-0x0000000000000000-mapping.dmp

Download
memory/1760-155-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1760-151-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/2796-152-0x0000000000000000-mapping.dmp

Download
memory/2796-153-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2796-158-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2796-161-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3244-136-0x0000000000000000-mapping.dmp

Download
memory/4868-144-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4868-135-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/4868-134-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/5104-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads