Overview

overview

10

Static

static

gunzipped.exe

windows7_x64

10

gunzipped.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    13-05-2022 08:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gunzipped.exe

  • Size

    619KB

  • MD5

    5a31075c7e2eede32b52b7e32d16f560

  • SHA1

    1b0325131df5e081f802f907246da4f2331d60c0

  • SHA256

    d6d4f87e9126bf6792e3774f73f9c15e308328bca3f8fcef5f5d943a0904e137

  • SHA512

    d785092dd4cc6ef921c3f5f8146412ae1e4fd0891ed1493c72801f31adfc3b80aac258021d6c7fe97f03e52180f92349a00a3781581801748fad7339fc13bb1d

Score
10/10
xpertratcollectionevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 3 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:432
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
        PID:1144
      • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
        "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
        2⤵
          PID:3992
        • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
          "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
          2⤵
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5008
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
            3⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:996
            • C:\Windows\SysWOW64\notepad.exe
              notepad.exe
              4⤵
                PID:3204
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu0.txt"
                4⤵
                  PID:3744
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 84
                    5⤵
                    • Program crash
                    PID:1556
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu0.txt"
                  4⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4460
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu1.txt"
                  4⤵
                  • Accesses Microsoft Outlook accounts
                  PID:3352
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu2.txt"
                  4⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2776
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu3.txt"
                  4⤵
                    PID:3212
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 84
                      5⤵
                      • Program crash
                      PID:3816
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu3.txt"
                    4⤵
                      PID:5076
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu4.txt"
                      4⤵
                        PID:4208
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 84
                          5⤵
                          • Program crash
                          PID:2920
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        /stext "C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu4.txt"
                        4⤵
                          PID:1364
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3744 -ip 3744
                    1⤵
                      PID:5056
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3212 -ip 3212
                      1⤵
                        PID:3396
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4208 -ip 4208
                        1⤵
                          PID:2320
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                          1⤵
                            PID:4744

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu2.txt
                            Filesize

                            3KB

                            MD5

                            f94dc819ca773f1e3cb27abbc9e7fa27

                            SHA1

                            9a7700efadc5ea09ab288544ef1e3cd876255086

                            SHA256

                            a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

                            SHA512

                            72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\H7M3F0W6-F4D2-O1S0-S0D7-Q1N2H5T660I4\vrnijwxtu4.txt
                            Filesize

                            2B

                            MD5

                            f3b25701fe362ec84616a93a45ce9998

                            SHA1

                            d62636d8caec13f04e28442a0a6fa1afeb024bbb

                            SHA256

                            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                            SHA512

                            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                            Download Submit

                          • memory/432-154-0x0000000006C10000-0x0000000006C2E000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/432-157-0x00000000079F0000-0x00000000079FA000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/432-161-0x0000000007CA0000-0x0000000007CA8000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/432-160-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

                            Filesize

                            104KB

                            Download

                          • memory/432-159-0x0000000007BB0000-0x0000000007BBE000-memory.dmp

                            Filesize

                            56KB

                            Download

                          • memory/432-158-0x0000000007C00000-0x0000000007C96000-memory.dmp

                            Filesize

                            600KB

                            Download

                          • memory/432-138-0x0000000002D60000-0x0000000002D96000-memory.dmp

                            Filesize

                            216KB

                            Download

                          • memory/432-156-0x0000000007980000-0x000000000799A000-memory.dmp

                            Filesize

                            104KB

                            Download

                          • memory/432-155-0x0000000007FC0000-0x000000000863A000-memory.dmp

                            Filesize

                            6.5MB

                            Download

                          • memory/432-153-0x000000006FEC0000-0x000000006FF0C000-memory.dmp

                            Filesize

                            304KB

                            Download

                          • memory/432-152-0x0000000006C30000-0x0000000006C62000-memory.dmp

                            Filesize

                            200KB

                            Download

                          • memory/432-151-0x0000000006670000-0x000000000668E000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/432-147-0x00000000056A0000-0x00000000056C2000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/432-148-0x0000000005F70000-0x0000000005FD6000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/432-145-0x0000000005840000-0x0000000005E68000-memory.dmp

                            Filesize

                            6.2MB

                            Download

                          • memory/432-136-0x0000000000000000-mapping.dmp

                            Download

                          • memory/1144-137-0x0000000000000000-mapping.dmp

                            Download

                          • memory/1472-130-0x0000000000710000-0x00000000007B2000-memory.dmp

                            Filesize

                            648KB

                            Download

                          • memory/1472-133-0x00000000051F0000-0x00000000051FA000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/1472-134-0x0000000008AB0000-0x0000000008B4C000-memory.dmp

                            Filesize

                            624KB

                            Download

                          • memory/1472-135-0x0000000008FE0000-0x0000000009046000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/1472-132-0x0000000005150000-0x00000000051E2000-memory.dmp

                            Filesize

                            584KB

                            Download

                          • memory/1472-131-0x0000000005830000-0x0000000005DD4000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/3204-150-0x0000000000000000-mapping.dmp

                            Download

                          • memory/3992-139-0x0000000000000000-mapping.dmp

                            Download

                          • memory/5008-141-0x0000000000400000-0x000000000042C000-memory.dmp

                            Filesize

                            176KB

                            Download

                          • memory/5008-140-0x0000000000000000-mapping.dmp

                            Download

                          • memory/5008-143-0x0000000000400000-0x000000000042C000-memory.dmp

                            Filesize

                            176KB

                            Download

                          • memory/5008-149-0x0000000000400000-0x000000000042C000-memory.dmp

                            Filesize

                            176KB

                            Download