Overview

overview

10

Static

static

3

09fefe8f2d...1f.exe

windows7-x64

10

09fefe8f2d...1f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2023 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09fefe8f2d0e20847f08ebd26e29741f.exe

  • Size

    752KB

  • MD5

    09fefe8f2d0e20847f08ebd26e29741f

  • SHA1

    235393276d1b017e89acf3c891056e2fbe759f2b

  • SHA256

    f74ab1efa874c19f32108d0719951e9b2a6ab0bb9f9b66c53145e75efec1684b

  • SHA512

    6276bdda653057ff61a1dd73c74f87aed96617df36289beb3e0d89a11c1c46f2f55d8a6e5ef551c1b129967c185bc74cddf981b3fc8d468c927c667bb30b10cd

  • SSDEEP

    12288:6ymn0lWxMzIHREJVk/bq4izoW/m7Ar+oxpjijYtxJ2uw7qVLF7QRbiGMTYRQ:bm0lWxMiQW/O4ue7G+upl1wGVLF7XGMZ

Score
10/10
xpertratsalescollectionevasionpersistencerattrojanupx

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

sales

C2

103.212.81.159:5134

Mutex

P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core payload 1 IoCs
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe
    "C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tQcdUx.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:588
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tQcdUx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA803.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:468
    • C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe
      "C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe"
      2⤵
        PID:360
      • C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe
        "C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe"
        2⤵
          PID:1696
        • C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe
          "C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe"
          2⤵
            PID:908
          • C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe
            "C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe"
            2⤵
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1848
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe
              3⤵
                PID:692
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                C:\Users\Admin\AppData\Local\Temp\09fefe8f2d0e20847f08ebd26e29741f.exe
                3⤵
                • Adds policy Run key to start application
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1532
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6\cxyxotujj0.txt"
                  4⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1040
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6\cxyxotujj1.txt"
                  4⤵
                  • Accesses Microsoft Outlook accounts
                  PID:2016
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6\cxyxotujj2.txt"
                  4⤵
                    PID:1208
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6\cxyxotujj3.txt"
                    4⤵
                      PID:1796
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      /stext "C:\Users\Admin\AppData\Roaming\P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6\cxyxotujj4.txt"
                      4⤵
                        PID:1592

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\tmpA803.tmp
                  Filesize

                  1KB

                  MD5

                  d5936962cd2da26e6be06668e383df0c

                  SHA1

                  6aa754a30c9f76c708c0154f0d8487067376c4d6

                  SHA256

                  570a24a06eca97d524c1850d49533933b5827e57a8d8cf24e52607d2b1a563d3

                  SHA512

                  0c7f91b053b39b94e868103f22124b5ecbcc71837646b8c8e8b579e806c99e6dd5242e8ec32630de6d6e78b5f4101c70e986f269e97dcebaea677698372defae

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6\P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6.exe
                  Filesize

                  752KB

                  MD5

                  09fefe8f2d0e20847f08ebd26e29741f

                  SHA1

                  235393276d1b017e89acf3c891056e2fbe759f2b

                  SHA256

                  f74ab1efa874c19f32108d0719951e9b2a6ab0bb9f9b66c53145e75efec1684b

                  SHA512

                  6276bdda653057ff61a1dd73c74f87aed96617df36289beb3e0d89a11c1c46f2f55d8a6e5ef551c1b129967c185bc74cddf981b3fc8d468c927c667bb30b10cd

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6\cxyxotujj2.txt
                  Filesize

                  2B

                  MD5

                  f3b25701fe362ec84616a93a45ce9998

                  SHA1

                  d62636d8caec13f04e28442a0a6fa1afeb024bbb

                  SHA256

                  b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                  SHA512

                  98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6\cxyxotujj4.txt
                  Filesize

                  2B

                  MD5

                  f3b25701fe362ec84616a93a45ce9998

                  SHA1

                  d62636d8caec13f04e28442a0a6fa1afeb024bbb

                  SHA256

                  b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                  SHA512

                  98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                  Download Submit

                • memory/588-79-0x0000000002570000-0x00000000025B0000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/1040-94-0x0000000000400000-0x0000000000426000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/1208-96-0x0000000000400000-0x0000000000459000-memory.dmp

                  Filesize

                  356KB

                  Download

                • memory/1532-80-0x0000000000400000-0x0000000000443000-memory.dmp

                  Filesize

                  268KB

                  Download

                • memory/1592-100-0x0000000000400000-0x0000000000415000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/1796-99-0x0000000000400000-0x0000000000416000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/1848-66-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/1848-67-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/1848-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1848-68-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/1848-70-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/1848-78-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/1848-87-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/2016-95-0x0000000000400000-0x000000000041B000-memory.dmp

                  Filesize

                  108KB

                  Download

                • memory/2024-58-0x0000000000490000-0x000000000049C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/2024-54-0x0000000000B80000-0x0000000000C42000-memory.dmp

                  Filesize

                  776KB

                  Download

                • memory/2024-57-0x0000000004DC0000-0x0000000004E00000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/2024-56-0x0000000000440000-0x0000000000452000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2024-59-0x0000000006010000-0x000000000607C000-memory.dmp

                  Filesize

                  432KB

                  Download

                • memory/2024-65-0x0000000004420000-0x0000000004454000-memory.dmp

                  Filesize

                  208KB

                  Download

                • memory/2024-55-0x0000000004DC0000-0x0000000004E00000-memory.dmp

                  Filesize

                  256KB

                  Download