Analysis
-
max time kernel
48s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
01-07-2022 10:38
General
-
Target
Specification.exe
-
Size
717KB
-
MD5
20796a16b1839afba1f87ed53e7bd841
-
SHA1
d5bd0d0efc2059dbbf1eaaa30b1c859c313d9250
-
SHA256
2d0474bfb8aced6c0aacc081936209dc9287827e20284160ceae3edca8a50184
-
SHA512
ad809362c428bdd0d30f56e4fe8f4bfd7960849575451b33c642d5fc7d424e7eb355ec3caba95f02040a80d505db4f04edf363dd7dbdbe79df94ccb22dbce09f
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Specification.exe"C:\Users\Admin\AppData\Local\Temp\Specification.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- UAC bypass
- Windows security bypass
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh0.txt"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh1.txt"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh2.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh3.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh4.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh4.txt"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh2.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4\lbtnimrnh4.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/756-58-0x0000000000000000-mapping.dmp
-
memory/756-60-0x000000006F4C0000-0x000000006FA6B000-memory.dmpFilesize
5.7MB
-
memory/756-61-0x000000006F4C0000-0x000000006FA6B000-memory.dmpFilesize
5.7MB
-
memory/756-62-0x000000006F4C0000-0x000000006FA6B000-memory.dmpFilesize
5.7MB
-
memory/1960-55-0x0000000075DE1000-0x0000000075DE3000-memory.dmpFilesize
8KB
-
memory/1960-56-0x0000000004300000-0x00000000043E0000-memory.dmpFilesize
896KB
-
memory/1960-57-0x00000000047C0000-0x000000000480C000-memory.dmpFilesize
304KB
-
memory/1960-54-0x00000000008D0000-0x0000000000988000-memory.dmpFilesize
736KB
-
memory/2024-63-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2024-68-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2024-69-0x00000000004010B8-mapping.dmp
-
memory/2024-74-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2024-75-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2024-66-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/2024-64-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB