Analysis

  • max time kernel
    150s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    15-03-2022 17:52

General

  • Target

    gunzipped.exe

  • Size

    773KB

  • MD5

    fd5a0326a71e89b2ff144ea336fac113

  • SHA1

    aa6b046a0ed889b59cdb0ee9a957c4c6d542e233

  • SHA256

    bda50ff249b947617d9551c717e78131ed32bf77db9dc5b7591d3e1af6cb2f1a

  • SHA512

    51a75041b8fe9dab9cb51e28b39a497eff7ccb4c81311223ec92492cd3ddcfb6bc91ebf555f61a8b25423d81fd692920b44980ab306acb3b8451b633f297b800

Malware Config

Signatures

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Program crash 4 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:520
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey0.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2992
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey1.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:4016
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey2.txt"
          4⤵
          PID:2096
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 84
            5⤵
            • Program crash
            PID:4272
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey2.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3092
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey3.txt"
          4⤵
          PID:3408
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 92
            5⤵
            • Program crash
            PID:2308
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 100
            5⤵
            • Program crash
            PID:4716
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey3.txt"
          4⤵
          PID:3160
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 84
            5⤵
            • Program crash
            PID:4284
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey3.txt"
          4⤵
          PID:5060
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey4.txt"
          4⤵
          PID:5108
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2096 -ip 2096
    1⤵
    PID:1420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3408 -ip 3408
    1⤵
    PID:3788
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3408 -ip 3408
    1⤵
    PID:216
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3160 -ip 3160
    1⤵
    PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder (2) T1060
  • Privilege Escalation
    • Bypass User Account Control (1) T1088
  • Defense Evasion
    • Bypass User Account Control (1) T1088
    • Disabling Security Tools (3) T1089
    • Modify Registry (6) T1112
  • Discovery
    • System Information Discovery (1) T1082
  • Collection
    • Email Collection (1) T1114


Downloads

  • C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey2.txt
    MD5: f94dc819ca773f1e3cb27abbc9e7fa27
    SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
    SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
    SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-W113-K7R6L4T0H6H6\olhvsheey4.txt
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/520-137-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB

  • memory/520-139-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB

  • memory/1624-130-0x0000000000DC0000-0x0000000000E88000-memory.dmp
    Filesize: 800KB

  • memory/1624-131-0x0000000005E40000-0x00000000063E4000-memory.dmp
    Filesize: 5.6MB

  • memory/1624-132-0x0000000005890000-0x0000000005922000-memory.dmp
    Filesize: 584KB

  • memory/1624-133-0x0000000075370000-0x0000000075B20000-memory.dmp
    Filesize: 7.7MB

  • memory/1624-134-0x0000000005840000-0x000000000584A000-memory.dmp
    Filesize: 40KB

  • memory/1624-135-0x0000000005790000-0x0000000005822000-memory.dmp
    Filesize: 584KB

  • memory/1624-136-0x00000000095A0000-0x000000000963C000-memory.dmp
    Filesize: 624KB