Overview

overview

10

Static

static

Specification.exe

windows7_x64

10

Specification.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    48s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Specification.exe

  • Size

    717KB

  • MD5

    20796a16b1839afba1f87ed53e7bd841

  • SHA1

    d5bd0d0efc2059dbbf1eaaa30b1c859c313d9250

  • SHA256

    2d0474bfb8aced6c0aacc081936209dc9287827e20284160ceae3edca8a50184

  • SHA512

    ad809362c428bdd0d30f56e4fe8f4bfd7960849575451b33c642d5fc7d424e7eb355ec3caba95f02040a80d505db4f04edf363dd7dbdbe79df94ccb22dbce09f

Score
10/10
xpertratcollectionevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specification.exe
    "C:\Users\Admin\AppData\Local\Temp\Specification.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:756
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • UAC bypass
      • Windows security bypass
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
          PID:912
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1848
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh0.txt"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1876
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh1.txt"
            4⤵
            • Accesses Microsoft Outlook accounts
            PID:608
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh2.txt"
            4⤵
              PID:1940
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh3.txt"
              4⤵
                PID:1648
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh4.txt"
                4⤵
                  PID:1164
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh4.txt"
                  4⤵
                    PID:1820

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh2.txt
              Filesize

              2B

              MD5

              f3b25701fe362ec84616a93a45ce9998

              SHA1

              d62636d8caec13f04e28442a0a6fa1afeb024bbb

              SHA256

              b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

              SHA512

              98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh4.txt
              Filesize

              2B

              MD5

              f3b25701fe362ec84616a93a45ce9998

              SHA1

              d62636d8caec13f04e28442a0a6fa1afeb024bbb

              SHA256

              b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

              SHA512

              98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              Download Submit

            • memory/756-58-0x0000000000000000-mapping.dmp

              Download

            • memory/756-60-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/756-61-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/756-62-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/1960-55-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1960-56-0x0000000004300000-0x00000000043E0000-memory.dmp

              Filesize

              896KB

              Download

            • memory/1960-57-0x00000000047C0000-0x000000000480C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1960-54-0x00000000008D0000-0x0000000000988000-memory.dmp

              Filesize

              736KB

              Download

            • memory/2024-63-0x0000000000400000-0x000000000042C000-memory.dmp

              Filesize

              176KB

              Download

            • memory/2024-68-0x0000000000400000-0x000000000042C000-memory.dmp

              Filesize

              176KB

              Download

            • memory/2024-69-0x00000000004010B8-mapping.dmp

              Download

            • memory/2024-74-0x0000000000400000-0x000000000042C000-memory.dmp

              Filesize

              176KB

              Download

            • memory/2024-75-0x0000000000400000-0x000000000042C000-memory.dmp

              Filesize

              176KB

              Download

            • memory/2024-66-0x0000000000400000-0x000000000042C000-memory.dmp

              Filesize

              176KB

              Download

            • memory/2024-64-0x0000000000400000-0x000000000042C000-memory.dmp

              Filesize

              176KB

              Download