Overview

overview

8

Static

static

5

Rectify11I...er.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Rectify11Installer.exe

  • Size

    170.6MB

  • Sample

    241119-qh6lfswmcy

  • MD5

    e497b004d373eab8d277e2d807b80b44

  • SHA1

    65b8299bdef21408d234d6837d750b7b69ef520d

  • SHA256

    3f036d5a03f82ab2c0aae5c5d91deff807156fd38ec5e7439fe84c8ab1bf19ac

  • SHA512

    090ae908214ca68e74d0522d7b05e899ac029d855e98228490a9998396e0fb90c4b8915d70e1e0379612561c86ca141666b71b31a68af4a1e9ef22be57ea403d

  • SSDEEP

    3145728:wfpSM+AZYrbp5xqq0oGx1hJJT1Ge7gohkA+vcUufhfKZuAS9BArD4/eOTC:0SM+AZYrbHxqqUj1G6LhC0npDA0yXLX

Score
8/10
defense_evasiondiscoveryexecutionpersistenceprivilege_escalation

Malware Config

Targets

    • Target

      Rectify11Installer.exe

    • Size

      170.6MB

    • MD5

      e497b004d373eab8d277e2d807b80b44

    • SHA1

      65b8299bdef21408d234d6837d750b7b69ef520d

    • SHA256

      3f036d5a03f82ab2c0aae5c5d91deff807156fd38ec5e7439fe84c8ab1bf19ac

    • SHA512

      090ae908214ca68e74d0522d7b05e899ac029d855e98228490a9998396e0fb90c4b8915d70e1e0379612561c86ca141666b71b31a68af4a1e9ef22be57ea403d

    • SSDEEP

      3145728:wfpSM+AZYrbp5xqq0oGx1hJJT1Ge7gohkA+vcUufhfKZuAS9BArD4/eOTC:0SM+AZYrbHxqqUj1G6LhC0npDA0yXLX

    Score
    8/10
    defense_evasiondiscoveryexecutionpersistenceprivilege_escalation

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: Clear Persistence

      remove IFEO.

      defense_evasion

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

3
T1546

Accessibility Features

1
T1546.008

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Power Settings

1
T1653

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

3
T1546

Accessibility Features

1
T1546.008

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Indicator Removal

1
T1070

Clear Persistence

1
T1070.009

Modify Registry

3
T1112

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Time Discovery

1
T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks