Overview

overview

10

Static

static

GUM.exe

windows7-x64

10

GUM.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GUM.exe

  • Size

    172KB

  • MD5

    81912e3dd162ce7c96114a84d0d58b29

  • SHA1

    2def8b1c48c9e550f57c9dab915c5232a7113d57

  • SHA256

    f91cf396d6cc0e3803aa25fd0770e9a252196ae616e032e4880668c8ded74dc0

  • SHA512

    893b3c4483d0a307cad24c73fce27bc4e02438439fc5b07d596146bdb92767e53e60642ff6264ce80891b10c0a7f2a3f5b397560a47ee6e1244d6e5e9a80f341

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 50 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of SetWindowsHookEx 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\GUM.exe
    "C:\Users\Admin\AppData\Local\Temp\GUM.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1728
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      C:\Users\Admin\AppData\Local\Temp\GUM.exe
      2⤵
        PID:600
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\GUM.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1652
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\GUM.exe
        2⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:240
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\GUM.exe
        2⤵
          PID:2020
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Local\Temp\GUM.exe
          2⤵
            PID:2016
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1720
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1988
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2004
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1780
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1952
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:900
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1212
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1028
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:688
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:628
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\GUM.exe
            2⤵
              PID:1824
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\GUM.exe
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:868
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\GUM.exe
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1172
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\GUM.exe
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:696
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\GUM.exe
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:852
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\GUM.exe
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1000
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\GUM.exe
              2⤵
                PID:1604
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                C:\Users\Admin\AppData\Local\Temp\GUM.exe
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:972
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                C:\Users\Admin\AppData\Local\Temp\GUM.exe
                2⤵
                  PID:1940
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  C:\Users\Admin\AppData\Local\Temp\GUM.exe
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:580
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  C:\Users\Admin\AppData\Local\Temp\GUM.exe
                  2⤵
                    PID:1704
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:820
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:396
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1348
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1576
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1924
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1904
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1628
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:928
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1724
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1696
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1352
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1756
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1684
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1472
                  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                    C:\Users\Admin\AppData\Local\Temp\GUM.exe
                    2⤵
                      PID:296
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      C:\Users\Admin\AppData\Local\Temp\GUM.exe
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      PID:952
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      C:\Users\Admin\AppData\Local\Temp\GUM.exe
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      PID:1736
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      C:\Users\Admin\AppData\Local\Temp\GUM.exe
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      PID:1616
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      C:\Users\Admin\AppData\Local\Temp\GUM.exe
                      2⤵
                        PID:1112
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        C:\Users\Admin\AppData\Local\Temp\GUM.exe
                        2⤵
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        PID:1280
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        C:\Users\Admin\AppData\Local\Temp\GUM.exe
                        2⤵
                          PID:556
                        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          C:\Users\Admin\AppData\Local\Temp\GUM.exe
                          2⤵
                            PID:2000
                          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                            C:\Users\Admin\AppData\Local\Temp\GUM.exe
                            2⤵
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:1968
                          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                            C:\Users\Admin\AppData\Local\Temp\GUM.exe
                            2⤵
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:1876

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Persistence

                        Registry Run Keys / Startup Folder

                        2
                        T1060

                        Privilege Escalation

                        Bypass User Account Control

                        1
                        T1088

                        Defense Evasion

                        Bypass User Account Control

                        1
                        T1088

                        Disabling Security Tools

                        3
                        T1089

                        Modify Registry

                        6
                        T1112

                        Credential Access

                        Discovery

                        System Information Discovery

                        1
                        T1082

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/1728-54-0x0000000076681000-0x0000000076683000-memory.dmp
                          Filesize

                          8KB

                          Download