Overview

overview

10

Static

static

79df6cbb29...16.exe

windows7-x64

10

79df6cbb29...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2022 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe

  • Size

    1.4MB

  • MD5

    3046222c67a68d7cadabd19434355600

  • SHA1

    633f3b57954d2b2d7c37386af772dc199b3c6db7

  • SHA256

    79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216

  • SHA512

    703dc8b72ec2bbafe4f8fa466b48b839af95a445df25c07b615d5471ba5bb6aad5ba76b66371bbb2d4d2426bbb09de88c9de017fee33b3be0007aa045b318b8e

  • SSDEEP

    24576:mUQZGjqqIaSb5rUoMGa7WATGC11Jk220gPgFKU0p82QcNZdsCAEKA3NHNEgsNPDS:mUJGqI5lbmD11JkfKop8Rc+CnaNYp

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe
    "C:\Users\Admin\AppData\Local\Temp\79df6cbb29cb39554f1061d71437c0c5b6351a398abcece971653b90f7d13216.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Users\Admin\AppData\Local\Temp\Black Inject.exe
      "C:\Users\Admin\AppData\Local\Temp\Black Inject.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3244
    • C:\Users\Admin\AppData\Local\Temp\DOWS.exe
      "C:\Users\Admin\AppData\Local\Temp\DOWS.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe"
          4⤵
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2796
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
            5⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4060
            • C:\Windows\SysWOW64\notepad.exe
              notepad.exe
              6⤵
                PID:5104

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Black Inject.exe
      Filesize

      32KB

      MD5

      8e7f0ab5708ed0bb3a34c0b1246bd8ea

      SHA1

      3dfce2eefcbc240bef5ca5dc536ecd623efdc537

      SHA256

      a24eb7a3f9e1e8382a455b3eccce575632103738217444565088def6f96b353d

      SHA512

      52ef0312612e79fab1871e8446cfadee3929337baa198a40c67035b27895f5f347fb6bb68c3cb565b46daa5aea1792530889457a3888d7fa495241cde5a84ba9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Black Inject.exe
      Filesize

      32KB

      MD5

      8e7f0ab5708ed0bb3a34c0b1246bd8ea

      SHA1

      3dfce2eefcbc240bef5ca5dc536ecd623efdc537

      SHA256

      a24eb7a3f9e1e8382a455b3eccce575632103738217444565088def6f96b353d

      SHA512

      52ef0312612e79fab1871e8446cfadee3929337baa198a40c67035b27895f5f347fb6bb68c3cb565b46daa5aea1792530889457a3888d7fa495241cde5a84ba9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DOWS.exe
      Filesize

      704KB

      MD5

      8d021cccaf91e5e4364f293ac9141100

      SHA1

      e60fc2fda9b75cf3a421c6438f105b5ea1c48cb6

      SHA256

      2abe3651a9fcb76fc2bfc7d41b53d75a0c4afb44ad4f683ff875eff0f14214aa

      SHA512

      48b8c59745dba92b9e91aa3032ee3a4e0126c978a7986e2b55fac9c09d1b83b060f250b071876cf445a6d9e8601405a0ece3b06bee1dec3157b06233fd3e62ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DOWS.exe
      Filesize

      704KB

      MD5

      8d021cccaf91e5e4364f293ac9141100

      SHA1

      e60fc2fda9b75cf3a421c6438f105b5ea1c48cb6

      SHA256

      2abe3651a9fcb76fc2bfc7d41b53d75a0c4afb44ad4f683ff875eff0f14214aa

      SHA512

      48b8c59745dba92b9e91aa3032ee3a4e0126c978a7986e2b55fac9c09d1b83b060f250b071876cf445a6d9e8601405a0ece3b06bee1dec3157b06233fd3e62ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
      Filesize

      564KB

      MD5

      5075ce722c570cd61ef5c674f3551876

      SHA1

      9cf84d95886042c3232b5b5eecebb094c160ff9b

      SHA256

      90b84c2dadd8a427f19e26887185852bef6b019815374b14e91ed6658f75a932

      SHA512

      a3bee59ca57d7a9cc4139fbfada81679f6495e9ef4135f26bca5b97188645b004f519eb6439b9b99605cdde928c7db2705622ae31520a2a10d7a151aa5a4cc40

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
      Filesize

      564KB

      MD5

      5075ce722c570cd61ef5c674f3551876

      SHA1

      9cf84d95886042c3232b5b5eecebb094c160ff9b

      SHA256

      90b84c2dadd8a427f19e26887185852bef6b019815374b14e91ed6658f75a932

      SHA512

      a3bee59ca57d7a9cc4139fbfada81679f6495e9ef4135f26bca5b97188645b004f519eb6439b9b99605cdde928c7db2705622ae31520a2a10d7a151aa5a4cc40

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\FIX.exe
      Filesize

      564KB

      MD5

      5075ce722c570cd61ef5c674f3551876

      SHA1

      9cf84d95886042c3232b5b5eecebb094c160ff9b

      SHA256

      90b84c2dadd8a427f19e26887185852bef6b019815374b14e91ed6658f75a932

      SHA512

      a3bee59ca57d7a9cc4139fbfada81679f6495e9ef4135f26bca5b97188645b004f519eb6439b9b99605cdde928c7db2705622ae31520a2a10d7a151aa5a4cc40

      Download Submit

    • memory/528-141-0x0000000000000000-mapping.dmp

      Download

    • memory/1760-150-0x0000000000400000-0x00000000004A5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/1760-145-0x0000000000000000-mapping.dmp

      Download

    • memory/1760-155-0x0000000000400000-0x00000000004A5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/1760-151-0x00000000001F0000-0x00000000001F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2796-152-0x0000000000000000-mapping.dmp

      Download

    • memory/2796-153-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/2796-158-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/2796-161-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/3244-136-0x0000000000000000-mapping.dmp

      Download

    • memory/4868-144-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

      Download

    • memory/4868-135-0x0000000000030000-0x0000000000033000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4868-134-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

      Download

    • memory/5104-160-0x0000000000000000-mapping.dmp

      Download