Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
13-05-2022 08:44
General
-
Target
gunzipped.exe
-
Size
619KB
-
MD5
5a31075c7e2eede32b52b7e32d16f560
-
SHA1
1b0325131df5e081f802f907246da4f2331d60c0
-
SHA256
d6d4f87e9126bf6792e3774f73f9c15e308328bca3f8fcef5f5d943a0904e137
-
SHA512
d785092dd4cc6ef921c3f5f8146412ae1e4fd0891ed1493c72801f31adfc3b80aac258021d6c7fe97f03e52180f92349a00a3781581801748fad7339fc13bb1d
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Program crash 3 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\gunzipped.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad.exe4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu0.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu0.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu1.txt"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu2.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu3.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu3.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu4.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu4.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3744 -ip 37441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3212 -ip 32121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4208 -ip 42081⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu2.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu4.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/432-154-0x0000000006C10000-0x0000000006C2E000-memory.dmpFilesize
120KB
-
memory/432-157-0x00000000079F0000-0x00000000079FA000-memory.dmpFilesize
40KB
-
memory/432-161-0x0000000007CA0000-0x0000000007CA8000-memory.dmpFilesize
32KB
-
memory/432-160-0x0000000007CC0000-0x0000000007CDA000-memory.dmpFilesize
104KB
-
memory/432-159-0x0000000007BB0000-0x0000000007BBE000-memory.dmpFilesize
56KB
-
memory/432-158-0x0000000007C00000-0x0000000007C96000-memory.dmpFilesize
600KB
-
memory/432-138-0x0000000002D60000-0x0000000002D96000-memory.dmpFilesize
216KB
-
memory/432-156-0x0000000007980000-0x000000000799A000-memory.dmpFilesize
104KB
-
memory/432-155-0x0000000007FC0000-0x000000000863A000-memory.dmpFilesize
6.5MB
-
memory/432-153-0x000000006FEC0000-0x000000006FF0C000-memory.dmpFilesize
304KB
-
memory/432-152-0x0000000006C30000-0x0000000006C62000-memory.dmpFilesize
200KB
-
memory/432-151-0x0000000006670000-0x000000000668E000-memory.dmpFilesize
120KB
-
memory/432-147-0x00000000056A0000-0x00000000056C2000-memory.dmpFilesize
136KB
-
memory/432-148-0x0000000005F70000-0x0000000005FD6000-memory.dmpFilesize
408KB
-
memory/432-145-0x0000000005840000-0x0000000005E68000-memory.dmpFilesize
6.2MB
-
memory/432-136-0x0000000000000000-mapping.dmp
-
memory/1144-137-0x0000000000000000-mapping.dmp
-
memory/1472-130-0x0000000000710000-0x00000000007B2000-memory.dmpFilesize
648KB
-
memory/1472-133-0x00000000051F0000-0x00000000051FA000-memory.dmpFilesize
40KB
-
memory/1472-134-0x0000000008AB0000-0x0000000008B4C000-memory.dmpFilesize
624KB
-
memory/1472-135-0x0000000008FE0000-0x0000000009046000-memory.dmpFilesize
408KB
-
memory/1472-132-0x0000000005150000-0x00000000051E2000-memory.dmpFilesize
584KB
-
memory/1472-131-0x0000000005830000-0x0000000005DD4000-memory.dmpFilesize
5.6MB
-
memory/3204-150-0x0000000000000000-mapping.dmp
-
memory/3992-139-0x0000000000000000-mapping.dmp
-
memory/5008-141-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5008-140-0x0000000000000000-mapping.dmp
-
memory/5008-143-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5008-149-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB