Overview

overview

10

Static

static

1

aee4349602...JC.rtf

windows7-x64

10

aee4349602...JC.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    138s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2023 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0_JC.rtf

  • Size

    92KB

  • MD5

    87dc64cd0d2d13f4897619c008540bcb

  • SHA1

    7f191350095893ebc3e1aa0e9e79dc083961e697

  • SHA256

    aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0

  • SHA512

    09e5d4f84ee2da4306cd4ddc97bebec6071b075e236ef861149daf30ae156d7e0b6f6882926eb7e0f841988424e07d283f505d9de4d91955e1f305961b05b755

  • SSDEEP

    768:ewAbZSibMX9gRWjFrOxpo0gcdOSY04ttpVtocQWILLIYGYsTqcmtDU9YHL:ewAlRQKxmidnY04ttpXoeyhGYsVmtYUL

Score
10/10
xpertratstrigioevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

STRIGIO

C2

sandshoe.myfirewall.org:5344

Mutex

I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core payload 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0_JC.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2492
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe
        "C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe
          "C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe"
          3⤵
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2544
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe
            4⤵
              PID:2428
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe
              4⤵
              • Adds policy Run key to start application
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2168

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      7
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        0a32eb32ad27b80e48efb80408095c8b

        SHA1

        6b7e0cca0162f2937ab92f7a81d8e7f298eaf3a6

        SHA256

        3087cd84cfa022fa81bc4366e55930be2d432b54641c2b56c2e3277d9f421210

        SHA512

        0aeb5bc731dc9a258ff73a86b9498a33e1d23cf828936da324433d05623026a31b0eebc0922bffb9a603b45fdee0f7f9c23c756bb17d3c92a75550541ff63262

        Download Submit
      • C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe
        Filesize

        795KB

        MD5

        102dfca73df9a539a34b886349365381

        SHA1

        35b90a9ae3dc136502102017c0488c5fc028eae1

        SHA256

        27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9

        SHA512

        4335a75a836ebb5c9f589d36bd9b96fa6c3c751ff37caf23805317cdd5082fef0fb3ed198ebdb90cde6e9700d4b0ede2233b6bab8cb421d193c1099510733316

        Download Submit
      • C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe
        Filesize

        795KB

        MD5

        102dfca73df9a539a34b886349365381

        SHA1

        35b90a9ae3dc136502102017c0488c5fc028eae1

        SHA256

        27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9

        SHA512

        4335a75a836ebb5c9f589d36bd9b96fa6c3c751ff37caf23805317cdd5082fef0fb3ed198ebdb90cde6e9700d4b0ede2233b6bab8cb421d193c1099510733316

        Download Submit
      • C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe
        Filesize

        795KB

        MD5

        102dfca73df9a539a34b886349365381

        SHA1

        35b90a9ae3dc136502102017c0488c5fc028eae1

        SHA256

        27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9

        SHA512

        4335a75a836ebb5c9f589d36bd9b96fa6c3c751ff37caf23805317cdd5082fef0fb3ed198ebdb90cde6e9700d4b0ede2233b6bab8cb421d193c1099510733316

        Download Submit
      • C:\Users\Admin\AppData\Roaming\sandshoebnf5783.exe
        Filesize

        795KB

        MD5

        102dfca73df9a539a34b886349365381

        SHA1

        35b90a9ae3dc136502102017c0488c5fc028eae1

        SHA256

        27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9

        SHA512

        4335a75a836ebb5c9f589d36bd9b96fa6c3c751ff37caf23805317cdd5082fef0fb3ed198ebdb90cde6e9700d4b0ede2233b6bab8cb421d193c1099510733316

        Download Submit
      • \Users\Admin\AppData\Roaming\sandshoebnf5783.exe
        Filesize

        795KB

        MD5

        102dfca73df9a539a34b886349365381

        SHA1

        35b90a9ae3dc136502102017c0488c5fc028eae1

        SHA256

        27216219fbe93818c217c05b66b6586ab58bb000b1c9bc96da93561923f1fce9

        SHA512

        4335a75a836ebb5c9f589d36bd9b96fa6c3c751ff37caf23805317cdd5082fef0fb3ed198ebdb90cde6e9700d4b0ede2233b6bab8cb421d193c1099510733316

        Download Submit
      • memory/2168-44-0x0000000000400000-0x0000000000443000-memory.dmp
        Filesize

        268KB

        Download
      • memory/2544-32-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/2544-36-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/2544-51-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/2544-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2544-30-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/2544-28-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/2644-41-0x000000006B800000-0x000000006BEEE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2644-27-0x0000000005F00000-0x0000000005F6C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/2644-24-0x000000006B800000-0x000000006BEEE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2644-26-0x0000000000620000-0x000000000062A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2644-22-0x00000000005F0000-0x0000000000608000-memory.dmp
        Filesize

        96KB

        Download
      • memory/2644-17-0x0000000000D80000-0x0000000000DC0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2644-15-0x0000000001390000-0x000000000145C000-memory.dmp
        Filesize

        816KB

        Download
      • memory/2644-16-0x000000006B800000-0x000000006BEEE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3004-23-0x000000007164D000-0x0000000071658000-memory.dmp
        Filesize

        44KB

        Download
      • memory/3004-2-0x000000007164D000-0x0000000071658000-memory.dmp
        Filesize

        44KB

        Download
      • memory/3004-0-0x000000002F1C1000-0x000000002F1C2000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3004-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3004-69-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3004-70-0x000000007164D000-0x0000000071658000-memory.dmp
        Filesize

        44KB

        Download