General

  • Target: 70e2f9d2aa6647aaa726f610cbba7333ae7fd71294d5f50647bcbde5c84720e9
  • Size: 268KB
  • Sample: 220521-ng89vaghcj
  • MD5: d2fc6e3008cc5b57ead4474c0238fe8c
  • SHA1: 616c342bd4241a6c2a642ef623561d872ead4533
  • SHA256: 70e2f9d2aa6647aaa726f610cbba7333ae7fd71294d5f50647bcbde5c84720e9
  • SHA512: 67403355a5b7e40c96e5d176e9d0cb9c168b8cf3023ac96da10a359fbdfca3478184fe920522e632098e81047bd7076a5504c5124adc3a2e844cb2fb8134b314

Malware Config

Targets

    • Target: EDG9532020061711000056_32859_pdf.exe
    • Size: 317KB
    • MD5: 2778a85862dc9ac764541a0c34dce584
    • SHA1: 123bb7ddd48aca7c531ba892146157708754f463
    • SHA256: 9464eba54dd22af19c810637f246d9f6239a74f38ace5efddfbe8e37c5c64768
    • SHA512: 8a09bb6b83ea66d3e0e3f3166acc2276413e4b0fce84c024754e73a5d915fe1a577523c63cbd9cad325d0a6809156d0aa9f0be003bd0f5af03487e85f2c75f4d

    • UAC bypass
    • Windows security bypass
    • XpertRAT
      XpertRAT is a remote access trojan with various capabilities.
    • ReZer0 packer
      Detects ReZer0, a packer with multiple versions used in various campaigns.
    • Adds policy Run key to start application
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic                Technique                            Count  ID
Persistence           Registry Run Keys / Startup Folder   2      T1060
Privilege Escalation  Bypass User Account Control          1      T1088
Defense Evasion       Bypass User Account Control          1      T1088
Defense Evasion       Disabling Security Tools             3      T1089
Defense Evasion       Modify Registry                      6      T1112
Discovery             System Information Discovery         1      T1082
