Overview

overview

10

Static

static

Specification.exe

windows7_x64

10

Specification.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Specification.exe

  • Size

    717KB

  • MD5

    20796a16b1839afba1f87ed53e7bd841

  • SHA1

    d5bd0d0efc2059dbbf1eaaa30b1c859c313d9250

  • SHA256

    2d0474bfb8aced6c0aacc081936209dc9287827e20284160ceae3edca8a50184

  • SHA512

    ad809362c428bdd0d30f56e4fe8f4bfd7960849575451b33c642d5fc7d424e7eb355ec3caba95f02040a80d505db4f04edf363dd7dbdbe79df94ccb22dbce09f

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specification.exe
    "C:\Users\Admin\AppData\Local\Temp\Specification.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:740
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:4980
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
          PID:4668
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          2⤵
          • UAC bypass
          • Windows security bypass
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3644
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            3⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3584

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      2
      T1089

      Modify Registry

      4
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/740-140-0x0000000006230000-0x000000000624E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/740-137-0x0000000005150000-0x0000000005172000-memory.dmp
        Filesize

        136KB

        Download
      • memory/740-138-0x0000000005A40000-0x0000000005AA6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/740-139-0x0000000005B20000-0x0000000005B86000-memory.dmp
        Filesize

        408KB

        Download
      • memory/740-134-0x0000000000000000-mapping.dmp
        Download
      • memory/740-135-0x0000000002C70000-0x0000000002CA6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/740-136-0x0000000005410000-0x0000000005A38000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/740-142-0x0000000006710000-0x000000000672A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/740-141-0x0000000007A70000-0x00000000080EA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3644-148-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/3644-152-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/3644-145-0x0000000000000000-mapping.dmp
        Download
      • memory/3644-146-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/3644-151-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/4668-144-0x0000000000000000-mapping.dmp
        Download
      • memory/4908-131-0x0000000005710000-0x0000000005CB4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4908-130-0x0000000000730000-0x00000000007E8000-memory.dmp
        Filesize

        736KB

        Download
      • memory/4908-133-0x0000000005180000-0x000000000518A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4908-132-0x0000000005200000-0x0000000005292000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4980-143-0x0000000000000000-mapping.dmp
        Download