Analysis

  • max time kernel
    67s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13-05-2022 08:42

General

  • Target

    gunzipped.exe

  • Size

    619KB

  • MD5

    5a31075c7e2eede32b52b7e32d16f560

  • SHA1

    1b0325131df5e081f802f907246da4f2331d60c0

  • SHA256

    d6d4f87e9126bf6792e3774f73f9c15e308328bca3f8fcef5f5d943a0904e137

  • SHA512

    d785092dd4cc6ef921c3f5f8146412ae1e4fd0891ed1493c72801f31adfc3b80aac258021d6c7fe97f03e52180f92349a00a3781581801748fad7339fc13bb1d

Malware Config

Signatures

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • XpertRAT

    XpertRAT is a remote access trojan. The capabilities observed in this run are the ones listed below: a Defender exclusion added via PowerShell, Run-key and policy Run-key persistence, injection into iexplore.exe (SetThreadContext/WriteProcessMemory) and recovery of stored Outlook account credentials.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" hint is the sandbox's generic text for this signature; nothing else in this report (no file encryption, no ransom note) supports ransomware, and the family detected is a RAT, so read this as drive enumeration only.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1224
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
        PID:1120
      • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
        "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
        2⤵
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:828
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
          3⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe
            4⤵
            • Deletes itself
            PID:1824
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk0.txt"
            4⤵
              PID:824
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk0.txt"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1340
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk1.txt"
              4⤵
                PID:1236
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk1.txt"
                4⤵
                • Accesses Microsoft Outlook accounts
                PID:268
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk2.txt"
                4⤵
                  PID:1756
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk2.txt"
                  4⤵
                    PID:1640
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk2.txt"
                    4⤵
                      PID:772
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk3.txt"
                      4⤵
                        PID:1440
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk3.txt"
                        4⤵
                          PID:360
                        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk3.txt"
                          4⤵
                            PID:1988
                          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                            /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk4.txt"
                            4⤵
                              PID:892
                            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk4.txt"
                              4⤵
                                PID:1080
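
    Detection logic for the behaviours visible in this process tree, written here as an added example (it is not part of the sandbox report and not XpertRAT code): a Defender exclusion added from PowerShell for a path under a user-writable directory; a browser image (iexplore.exe) whose recorded command line names a different executable, which is the process-hollowing indicator behind the SetThreadContext/WriteProcessMemory signatures on PIDs 828 and 1936; a browser started by a binary living in a temp directory; and the `/stext <file>` switch, which is the save-to-text convention of NirSoft's password-recovery utilities and, together with the "Accesses Microsoft Outlook accounts" signature, is consistent with Mail PassView-style credential recovery running inside the hollowed iexplore.exe copies. The events are constructed to mirror the tree above, plus a benign Internet Explorer launch as a control that must not fire; the Sysmon-style field layout, the user-writable directory list, the extra browser names and the sibling NirSoft switches (/shtml, /sxml, /scomma, /stab) are assumptions.

```python
"""Process-creation detections for the behaviours in this report (added example)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a process-creation record (Sysmon Event ID 1 style; assumed layout)."""
    pid: int
    ppid: int
    image: str         # executable actually mapped into the new process
    command_line: str  # command line as recorded at creation
    parent_image: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Paths taken from the report; the staging directory is the one the sample created.
GUNZIPPED = r"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
IEXPLORE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
STAGING = r"C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4"

# Constructed events mirroring the process tree (not sandbox output). The last
# event is a benign control: a normal Internet Explorer launch that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(316, 1000, GUNZIPPED, f'"{GUNZIPPED}"', r"C:\Windows\explorer.exe"),
    ProcEvent(1224, 316, POWERSHELL,
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
              f'Add-MpPreference -ExclusionPath "{GUNZIPPED}"', GUNZIPPED),
    ProcEvent(828, 316, GUNZIPPED, f'"{GUNZIPPED}"', GUNZIPPED),
    ProcEvent(1936, 828, IEXPLORE, GUNZIPPED, GUNZIPPED),
    ProcEvent(1824, 1936, r"C:\Windows\SysWOW64\notepad.exe", "notepad.exe", IEXPLORE),
    ProcEvent(824, 1936, IEXPLORE, f'/stext "{STAGING}\\zrmspjbgk0.txt"', IEXPLORE),
    ProcEvent(2000, 1000, IEXPLORE, f'"{IEXPLORE}" https://example.com', r"C:\Windows\explorer.exe"),
]

# Directories a standard user can write to (assumed list; extend for your estate).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
# /stext is the switch seen in the report; the sibling NirSoft save switches are assumed.
NIRSOFT_SAVE_RE = re.compile(r'(?:^|\s)/s(?:text|html|xml|comma|tab)\s+(?:"([^"]+)"|(\S+))', re.I)
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def argv0_basename(command_line: str) -> str:
    """Basename of the first command-line token, honouring a quoted path."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        first = s[1:end] if end > 0 else s[1:]
    else:
        first = s.split(None, 1)[0] if s else ""
    return ntpath.basename(first).lower()


def detect_defender_exclusion(ev: ProcEvent):
    """PowerShell adding a Defender exclusion; high severity when the target is user-writable."""
    if ntpath.basename(ev.image).lower() not in {"powershell.exe", "pwsh.exe"}:
        return None
    m = EXCLUSION_RE.search(ev.command_line)
    if not m:
        return None
    target = m.group(1) or m.group(2)
    severity = "high" if USER_WRITABLE.search(target) else "medium"
    return Finding("defender_exclusion_added", ev.pid, f"{severity}: {target}")


def detect_image_cmdline_mismatch(ev: ProcEvent):
    """Mapped image differs from argv[0]: the hollowing pattern on the iexplore.exe children.
    Only basenames are compared, so the System32/SysWOW64 difference on PID 1224 does not fire."""
    image_name = ntpath.basename(ev.image).lower()
    argv0 = argv0_basename(ev.command_line)
    if argv0 == image_name:
        return None
    return Finding("image_cmdline_mismatch", ev.pid, f"image={image_name} argv0={argv0 or '<empty>'}")


def detect_nirsoft_save_switch(ev: ProcEvent):
    """NirSoft-style save switch writing recovered credentials to a file."""
    m = NIRSOFT_SAVE_RE.search(ev.command_line)
    return Finding("nirsoft_save_switch", ev.pid, m.group(1) or m.group(2)) if m else None


def detect_browser_from_writable_parent(ev: ProcEvent):
    """A browser binary started by an executable that lives in a user-writable directory."""
    if ntpath.basename(ev.image).lower() not in BROWSERS or not USER_WRITABLE.search(ev.parent_image):
        return None
    return Finding("browser_from_writable_parent", ev.pid, ev.parent_image)


RULES = (detect_defender_exclusion, detect_image_cmdline_mismatch,
         detect_nirsoft_save_switch, detect_browser_from_writable_parent)


def scan(events):
    """Run every rule over every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

    Run against the constructed events, the exclusion rule fires once (PID 1224, high, because the excluded path is under AppData\Local\Temp), the mismatch rule fires on PIDs 1936 and 824, the save-switch rule on 824 and the writable-parent rule on 1936; the control launch (PID 2000) produces nothing. Image/argv[0] mismatches also occur for legitimate software that rewrites its own argv[0], so in production the rule is best used as a correlation signal alongside the exclusion and parent-path rules rather than as a stand-alone alert.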

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 2 hits
  • Privilege Escalation: Bypass User Account Control (T1088), 1 hit
  • Defense Evasion: Bypass User Account Control (T1088), 1 hit
  • Defense Evasion: Disabling Security Tools (T1089), 3 hits
  • Defense Evasion: Modify Registry (T1112), 6 hits
  • Discovery: System Information Discovery (T1082), 2 hits
  • Collection: Email Collection (T1114), 1 hit

    The IDs above are ATT&CK v6, the version this report was generated against. In current ATT&CK, T1060 is T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1088 is T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control) and T1089 is T1562.001 (Impair Defenses: Disable or Modify Tools); T1112, T1082 and T1114 keep their IDs. The Add-MpPreference -ExclusionPath call in the process tree is the concrete T1089/T1562.001 action.


Downloads

  • C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk2.txt
    Filesize  2B
    MD5       f3b25701fe362ec84616a93a45ce9998
    SHA1      d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\zrmspjbgk4.txt
    Filesize  2B
    MD5       f3b25701fe362ec84616a93a45ce9998
    SHA1      d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Both files are the /stext outputs of the credential-recovery stages in the process tree. They are 2 bytes each and hash-identical, i.e. empty results: the sandbox image holds no stored credentials to harvest. Their hashes therefore identify an empty output file, not malware content, and should not be used as indicators; the staging directory name and the zrmspjbgk<N>.txt naming pattern are the useful artefacts here.

  • memory/316-54-0x00000000008E0000-0x0000000000982000-memory.dmp   Filesize 648KB
  • memory/316-55-0x0000000076431000-0x0000000076433000-memory.dmp   Filesize 8KB
  • memory/316-56-0x0000000000560000-0x0000000000568000-memory.dmp   Filesize 32KB
  • memory/316-57-0x0000000005D80000-0x0000000005E06000-memory.dmp   Filesize 536KB
  • memory/316-59-0x0000000004320000-0x0000000004356000-memory.dmp   Filesize 216KB
  • memory/828-73-0x0000000000400000-0x000000000042C000-memory.dmp   Filesize 176KB
  • memory/828-64-0x0000000000400000-0x000000000042C000-memory.dmp   Filesize 176KB
  • memory/828-66-0x0000000000400000-0x000000000042C000-memory.dmp   Filesize 176KB
  • memory/828-67-0x00000000004010B8-mapping.dmp
  • memory/828-62-0x0000000000400000-0x000000000042C000-memory.dmp   Filesize 176KB
  • memory/828-61-0x0000000000400000-0x000000000042C000-memory.dmp   Filesize 176KB
  • memory/1224-72-0x000000006F2F0000-0x000000006F89B000-memory.dmp  Filesize 5.7MB
  • memory/1224-58-0x0000000000000000-mapping.dmp
  • memory/1824-74-0x0000000000000000-mapping.dmp

    The repeated 176KB region at 0x400000-0x42C000 in PID 828 is the image base of the second gunzipped.exe copy, dumped each time it changed; together with the SetThreadContext and WriteProcessMemory signatures on PIDs 316 and 828 this is consistent with the loader hollowing a fresh copy of itself with the decoded stage, and the 0x4010B8 mapping entry is the thread entry point that stage was resumed at. If you want the unpacked RAT rather than the 619KB loader, this region (and the later iexplore.exe children, for which no dumps are listed) is where to start.