Overview

overview

10

Static

static

gunzipped.exe

windows7_x64

10

gunzipped.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    27-10-2020 10:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gunzipped.exe

  • Size

    765KB

  • MD5

    2f7687172e06c6868282ba3e1428aaeb

  • SHA1

    3c280b0e41b375b1748884eb1e3413c79f8c5c9a

  • SHA256

    88b664781d7b10fc5130cf6453fbde5b26b129f0e2f5e002d62be833b0fcd020

  • SHA512

    952301e069759ffb1c7cb71088525cd7c3460398e251d9c375a8dcb9123d3cf41e1fc4f19114ab7eae849acb3c044ccba39ec28184bb7f5197b4a3acbc406151

Score
10/10
xpertrattestevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

185.244.30.211:4576

Mutex

G2L6E3O1-E775-G5K4-R4C2-P5F660S1R4A8

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core Payload 3 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "{path}"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:796
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
        3⤵
          PID:1468
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
          3⤵
            PID:1048
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
            3⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1108
            • C:\Windows\SysWOW64\notepad.exe
              notepad.exe
              4⤵
              • Deletes itself
              PID:1712

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      3
      T1089

      Modify Registry

      6
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/796-6-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/796-22-0x0000000002AA0000-0x0000000002AA4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/796-21-0x0000000000970000-0x0000000000974000-memory.dmp
        Filesize

        16KB

        Download
      • memory/796-7-0x00000000004010B8-mapping.dmp
        Download
      • memory/1048-14-0x0000000000401364-mapping.dmp
        Download
      • memory/1108-15-0x0000000000400000-0x0000000000443000-memory.dmp
        Filesize

        268KB

        Download
      • memory/1108-16-0x0000000000401364-mapping.dmp
        Download
      • memory/1108-17-0x0000000000400000-0x0000000000443000-memory.dmp
        Filesize

        268KB

        Download
      • memory/1468-12-0x0000000000401364-mapping.dmp
        Download
      • memory/1712-20-0x0000000000000000-mapping.dmp
        Download
      • memory/1880-5-0x0000000007660000-0x00000000076D7000-memory.dmp
        Filesize

        476KB

        Download
      • memory/1880-4-0x00000000004B0000-0x00000000004C6000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1880-0-0x00000000749F0000-0x00000000750DE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1880-3-0x0000000001220000-0x00000000012A5000-memory.dmp
        Filesize

        532KB

        Download
      • memory/1880-1-0x00000000013A0000-0x00000000013A1000-memory.dmp
        Filesize

        4KB

        Download