Overview

overview

10

Static

static

3

cb1ccbc5c8...b6.exe

windows7-x64

10

cb1ccbc5c8...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-09-2023 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb1ccbc5c88657e1f63a2cd3b1c240b6.exe

  • Size

    604KB

  • MD5

    cb1ccbc5c88657e1f63a2cd3b1c240b6

  • SHA1

    f237f76e21cbe5edf11a33ba05265df25c665050

  • SHA256

    be15093a407e5b70f5539df5eb1c18d0aedee626f6dc7e9db262c29bfe39ba3c

  • SHA512

    0a08c6bb26268d1a902c9bbb28a583e364e565d745fa83a4bc3ef2d4ecd237a049f192467476bb0fd0f0c14addc8be4412481f8cb8e6a1a6dcec36d600d46298

  • SSDEEP

    12288:BYWAfDuHOXdZV8c5ZGdMc5aMWjrP8N3+Qk0Duy:BYWgTZScqpUP8NEA7

Score
10/10
xpertratstrigiocollectionevasionpersistencerattrojanupx

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

STRIGIO

C2

sandshoe.myfirewall.org:5344

Mutex

I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core payload 1 IoCs
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 5 IoCs
  • Suspicious use of SetThreadContext 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb1ccbc5c88657e1f63a2cd3b1c240b6.exe
    "C:\Users\Admin\AppData\Local\Temp\cb1ccbc5c88657e1f63a2cd3b1c240b6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Users\Admin\AppData\Local\Temp\cb1ccbc5c88657e1f63a2cd3b1c240b6.exe
      "C:\Users\Admin\AppData\Local\Temp\cb1ccbc5c88657e1f63a2cd3b1c240b6.exe"
      2⤵
        PID:3932
      • C:\Users\Admin\AppData\Local\Temp\cb1ccbc5c88657e1f63a2cd3b1c240b6.exe
        "C:\Users\Admin\AppData\Local\Temp\cb1ccbc5c88657e1f63a2cd3b1c240b6.exe"
        2⤵
        • UAC bypass
        • Windows security bypass
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2144
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\cb1ccbc5c88657e1f63a2cd3b1c240b6.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3440
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde0.txt"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3636
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde1.txt"
            4⤵
            • Accesses Microsoft Outlook accounts
            PID:1304
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde2.txt"
            4⤵
              PID:3852
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 84
                5⤵
                • Program crash
                PID:2916
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde2.txt"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2168
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde3.txt"
              4⤵
                PID:3068
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 84
                  5⤵
                  • Program crash
                  PID:2684
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde3.txt"
                4⤵
                  PID:4084
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 92
                    5⤵
                    • Program crash
                    PID:1464
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 100
                    5⤵
                    • Program crash
                    PID:3248
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde3.txt"
                  4⤵
                    PID:1552
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde4.txt"
                    4⤵
                      PID:3632
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 84
                        5⤵
                        • Program crash
                        PID:1784
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      /stext "C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde4.txt"
                      4⤵
                        PID:1832
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3852 -ip 3852
                  1⤵
                    PID:3232
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3068 -ip 3068
                    1⤵
                      PID:5040
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4084 -ip 4084
                      1⤵
                        PID:3988
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4084 -ip 4084
                        1⤵
                          PID:3380
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3632 -ip 3632
                          1⤵
                            PID:3136

                          Network

                          MITRE ATT&CK Matrix ATT&CK v13

                          Initial Access

                          Execution

                          Persistence

                          Boot or Logon Autostart Execution

                          2
                          T1547

                          Registry Run Keys / Startup Folder

                          2
                          T1547.001

                          Privilege Escalation

                          Abuse Elevation Control Mechanism

                          1
                          T1548

                          Bypass User Account Control

                          1
                          T1548.002

                          Boot or Logon Autostart Execution

                          2
                          T1547

                          Registry Run Keys / Startup Folder

                          2
                          T1547.001

                          Defense Evasion

                          Abuse Elevation Control Mechanism

                          1
                          T1548

                          Bypass User Account Control

                          1
                          T1548.002

                          Impair Defenses

                          3
                          T1562

                          Disable or Modify Tools

                          3
                          T1562.001

                          Modify Registry

                          6
                          T1112

                          Credential Access

                          Discovery

                          System Information Discovery

                          1
                          T1082

                          Lateral Movement

                          Collection

                          Email Collection

                          1
                          T1114

                          Exfiltration

                          Command and Control

                          Impact

                          Resource Development

                          Reconnaissance

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde2.txt
                            Filesize

                            3KB

                            MD5

                            f94dc819ca773f1e3cb27abbc9e7fa27

                            SHA1

                            9a7700efadc5ea09ab288544ef1e3cd876255086

                            SHA256

                            a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

                            SHA512

                            72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4\kmprxupde4.txt
                            Filesize

                            2B

                            MD5

                            f3b25701fe362ec84616a93a45ce9998

                            SHA1

                            d62636d8caec13f04e28442a0a6fa1afeb024bbb

                            SHA256

                            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                            SHA512

                            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                            Download Submit
                          • memory/1304-34-0x0000000000400000-0x000000000041B000-memory.dmp
                            Filesize

                            108KB

                            Download
                          • memory/1552-43-0x0000000000400000-0x0000000000416000-memory.dmp
                            Filesize

                            88KB

                            Download
                          • memory/1832-45-0x0000000000400000-0x0000000000415000-memory.dmp
                            Filesize

                            84KB

                            Download
                          • memory/2144-12-0x0000000000400000-0x000000000042C000-memory.dmp
                            Filesize

                            176KB

                            Download
                          • memory/2144-15-0x0000000000400000-0x000000000042C000-memory.dmp
                            Filesize

                            176KB

                            Download
                          • memory/2144-26-0x0000000000400000-0x000000000042C000-memory.dmp
                            Filesize

                            176KB

                            Download
                          • memory/2168-36-0x0000000000400000-0x0000000000459000-memory.dmp
                            Filesize

                            356KB

                            Download
                          • memory/3440-19-0x0000000000400000-0x0000000000443000-memory.dmp
                            Filesize

                            268KB

                            Download
                          • memory/3636-33-0x0000000000400000-0x0000000000426000-memory.dmp
                            Filesize

                            152KB

                            Download
                          • memory/4092-17-0x00000000744A0000-0x0000000074C50000-memory.dmp
                            Filesize

                            7.7MB

                            Download
                          • memory/4092-1-0x00000000744A0000-0x0000000074C50000-memory.dmp
                            Filesize

                            7.7MB

                            Download
                          • memory/4092-11-0x0000000009F50000-0x0000000009FBC000-memory.dmp
                            Filesize

                            432KB

                            Download
                          • memory/4092-6-0x0000000005170000-0x000000000520C000-memory.dmp
                            Filesize

                            624KB

                            Download
                          • memory/4092-10-0x0000000006510000-0x000000000651A000-memory.dmp
                            Filesize

                            40KB

                            Download
                          • memory/4092-9-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/4092-8-0x00000000744A0000-0x0000000074C50000-memory.dmp
                            Filesize

                            7.7MB

                            Download
                          • memory/4092-5-0x0000000002AE0000-0x0000000002AEA000-memory.dmp
                            Filesize

                            40KB

                            Download
                          • memory/4092-7-0x0000000005120000-0x0000000005138000-memory.dmp
                            Filesize

                            96KB

                            Download
                          • memory/4092-4-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
                            Filesize

                            64KB

                            Download
                          • memory/4092-3-0x0000000004E60000-0x0000000004EF2000-memory.dmp
                            Filesize

                            584KB

                            Download
                          • memory/4092-2-0x0000000005410000-0x00000000059B4000-memory.dmp
                            Filesize

                            5.6MB

                            Download
                          • memory/4092-0-0x00000000003B0000-0x000000000044A000-memory.dmp
                            Filesize

                            616KB

                            Download