Analysis

  • max time kernel
    69s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13-05-2022 08:44

General

  • Target

    gunzipped.exe

  • Size

    619KB

  • MD5

    5a31075c7e2eede32b52b7e32d16f560

  • SHA1

    1b0325131df5e081f802f907246da4f2331d60c0

  • SHA256

    d6d4f87e9126bf6792e3774f73f9c15e308328bca3f8fcef5f5d943a0904e137

  • SHA512

    d785092dd4cc6ef921c3f5f8146412ae1e4fd0891ed1493c72801f31adfc3b80aac258021d6c7fe97f03e52180f92349a00a3781581801748fad7339fc13bb1d

Malware Config

Signatures

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1268
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
      PID:1144
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:528
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1176
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          4⤵
          • Deletes itself
          PID:360
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\acolpqjcw0.txt"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:812
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\acolpqjcw1.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:1192
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\acolpqjcw2.txt"
          4⤵
          PID:1464
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\acolpqjcw3.txt"
          4⤵
          PID:684
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\acolpqjcw4.txt"
          4⤵
          PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder, T1060 (2)
  • Privilege Escalation: Bypass User Account Control, T1088 (1)
  • Defense Evasion: Bypass User Account Control, T1088 (1)
  • Defense Evasion: Disabling Security Tools, T1089 (3)
  • Defense Evasion: Modify Registry, T1112 (6)
  • Discovery: System Information Discovery, T1082 (2)
  • Collection: Email Collection, T1114 (1)


Downloads

  • C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\acolpqjcw2.txt
    Filesize: 2B
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\acolpqjcw4.txt
    Filesize: 2B
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/360-74-0x0000000000000000-mapping.dmp
  • memory/528-67-0x00000000004010B8-mapping.dmp
  • memory/528-72-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
  • memory/528-66-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
  • memory/528-61-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
  • memory/528-62-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
  • memory/528-64-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
  • memory/1268-58-0x0000000000000000-mapping.dmp
  • memory/1268-73-0x0000000074970000-0x0000000074F1B000-memory.dmp (Filesize: 5.7MB)
  • memory/1980-59-0x0000000002280000-0x00000000022B6000-memory.dmp (Filesize: 216KB)
  • memory/1980-54-0x00000000000A0000-0x0000000000142000-memory.dmp (Filesize: 648KB)
  • memory/1980-57-0x0000000005D90000-0x0000000005E16000-memory.dmp (Filesize: 536KB)
  • memory/1980-56-0x0000000000380000-0x0000000000388000-memory.dmp (Filesize: 32KB)
  • memory/1980-55-0x00000000768D1000-0x00000000768D3000-memory.dmp (Filesize: 8KB)