Overview

overview

10

Static

static

EMECA20_Ge...df.exe

windows7_x64

10

EMECA20_Ge...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EMECA20_GeneralBrochureEN_web_pdf.exe

  • Size

    981KB

  • MD5

    0816345b69321795af4a24159d3545b7

  • SHA1

    4b743df38e5f214bf85b85c95851bf75d08683a1

  • SHA256

    f79b985c1bf0b6708864ec45d12917c2e130dc53408b648b893179874f8e4b97

  • SHA512

    5ad6e41c75500c95b40f5866f265a927e252ec9ed8adc59c003180efd7627f5fff0c276d3b93ffd77263de8008125152db2ce8f657da993bb88a31249298e7b6

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\EMECA20_GeneralBrochureEN_web_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\EMECA20_GeneralBrochureEN_web_pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Users\Admin\AppData\Local\Temp\EMECA20_GeneralBrochureEN_web_pdf.exe
      "{path}"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4072
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\EMECA20_GeneralBrochureEN_web_pdf.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
            PID:1952

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1952-141-0x0000000000000000-mapping.dmp

      Download

    • memory/4072-134-0x0000000000000000-mapping.dmp

      Download

    • memory/4072-135-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4072-137-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4072-140-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4284-130-0x0000000000430000-0x000000000052A000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/4284-131-0x0000000005630000-0x0000000005BD4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4284-132-0x00000000052A0000-0x0000000005332000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4284-133-0x00000000053E0000-0x000000000547C000-memory.dmp

      Filesize

      624KB

      Download