Overview

overview

10

Static

static

Specification.exe

windows7_x64

10

Specification.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    68s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 10:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Specification.exe

  • Size

    717KB

  • MD5

    20796a16b1839afba1f87ed53e7bd841

  • SHA1

    d5bd0d0efc2059dbbf1eaaa30b1c859c313d9250

  • SHA256

    2d0474bfb8aced6c0aacc081936209dc9287827e20284160ceae3edca8a50184

  • SHA512

    ad809362c428bdd0d30f56e4fe8f4bfd7960849575451b33c642d5fc7d424e7eb355ec3caba95f02040a80d505db4f04edf363dd7dbdbe79df94ccb22dbce09f

Score
10/10
xpertratcollectionevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specification.exe
    "C:\Users\Admin\AppData\Local\Temp\Specification.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1956
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • UAC bypass
      • Windows security bypass
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
          PID:848
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          3⤵
            PID:884
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            3⤵
              PID:428
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              3⤵
              • Adds policy Run key to start application
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:268
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\bqrqeitfj0.txt"
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1136
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\bqrqeitfj1.txt"
                4⤵
                • Accesses Microsoft Outlook accounts
                PID:324
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\bqrqeitfj2.txt"
                4⤵
                  PID:1996
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\bqrqeitfj3.txt"
                  4⤵
                    PID:1096
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\bqrqeitfj4.txt"
                    4⤵
                      PID:744

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Registry Run Keys / Startup Folder

              2
              T1060

              Privilege Escalation

              Bypass User Account Control

              1
              T1088

              Defense Evasion

              Bypass User Account Control

              1
              T1088

              Disabling Security Tools

              2
              T1089

              Modify Registry

              4
              T1112

              Credential Access

              Discovery

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Email Collection

              1
              T1114

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\bqrqeitfj2.txt
                Filesize

                2B

                MD5

                f3b25701fe362ec84616a93a45ce9998

                SHA1

                d62636d8caec13f04e28442a0a6fa1afeb024bbb

                SHA256

                b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                SHA512

                98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\bqrqeitfj4.txt
                Filesize

                2B

                MD5

                f3b25701fe362ec84616a93a45ce9998

                SHA1

                d62636d8caec13f04e28442a0a6fa1afeb024bbb

                SHA256

                b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                SHA512

                98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                Download Submit
              • memory/1472-54-0x0000000000C90000-0x0000000000D48000-memory.dmp
                Filesize

                736KB

                Download
              • memory/1472-55-0x0000000074F21000-0x0000000074F23000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1472-56-0x0000000004B10000-0x0000000004BF0000-memory.dmp
                Filesize

                896KB

                Download
              • memory/1472-57-0x0000000004270000-0x00000000042BC000-memory.dmp
                Filesize

                304KB

                Download
              • memory/1664-69-0x00000000004010B8-mapping.dmp
                Download
              • memory/1664-63-0x0000000000400000-0x000000000042C000-memory.dmp
                Filesize

                176KB

                Download
              • memory/1664-64-0x0000000000400000-0x000000000042C000-memory.dmp
                Filesize

                176KB

                Download
              • memory/1664-66-0x0000000000400000-0x000000000042C000-memory.dmp
                Filesize

                176KB

                Download
              • memory/1664-68-0x0000000000400000-0x000000000042C000-memory.dmp
                Filesize

                176KB

                Download
              • memory/1664-74-0x0000000000400000-0x000000000042C000-memory.dmp
                Filesize

                176KB

                Download
              • memory/1664-75-0x0000000000400000-0x000000000042C000-memory.dmp
                Filesize

                176KB

                Download
              • memory/1956-62-0x000000006F5C0000-0x000000006FB6B000-memory.dmp
                Filesize

                5.7MB

                Download
              • memory/1956-61-0x000000006F5C0000-0x000000006FB6B000-memory.dmp
                Filesize

                5.7MB

                Download
              • memory/1956-60-0x000000006F5C0000-0x000000006FB6B000-memory.dmp
                Filesize

                5.7MB

                Download
              • memory/1956-58-0x0000000000000000-mapping.dmp
                Download