Analysis
-
max time kernel
76s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
28-04-2022 11:57
General
-
Target
gunzipped.exe
-
Size
892KB
-
MD5
76ee7c7ec27ac1d8ac5b42ce1813b3f4
-
SHA1
5cf06e9981723e56996ed0a7c19f677ca0e1d187
-
SHA256
6068e249773f4636d788ac7793a6184c02d3107fdbdc9209b0ebe59761883189
-
SHA512
ff5a6b7daffdba0d05823b79c6251eeb82f6c43bf21dd65c558367e205a0753740e9dc823dbc9e74c798e62dd6aeee8b43e8a394fbebd71e814d174bb3e6e4ed
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Program crash 4 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\gunzipped.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr0.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr0.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr1.txt"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr2.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr3.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 125⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 205⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr3.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr4.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr4.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1900 -ip 19001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2940 -ip 29401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2940 -ip 29401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3972 -ip 39721⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr2.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Roaming\I3O7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C0\kytodjenr4.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/760-136-0x0000000000000000-mapping.dmp
-
memory/760-137-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/760-139-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/760-142-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/4924-130-0x00000000007C0000-0x00000000008A6000-memory.dmpFilesize
920KB
-
memory/4924-131-0x0000000005720000-0x0000000005CC4000-memory.dmpFilesize
5.6MB
-
memory/4924-132-0x0000000005250000-0x00000000052E2000-memory.dmpFilesize
584KB
-
memory/4924-133-0x0000000005410000-0x000000000541A000-memory.dmpFilesize
40KB
-
memory/4924-134-0x0000000007450000-0x00000000074EC000-memory.dmpFilesize
624KB
-
memory/4924-135-0x0000000008F60000-0x0000000008FC6000-memory.dmpFilesize
408KB