Analysis

  • max time kernel
    84s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-08-2022 16:51

General

  • Target
    gunzipped.exe
  • Size
    750KB
  • MD5
    9189c940a9577852d429131fac3f27e4
  • SHA1
    40705848169bf86aefed43e049f8976f97a4820b
  • SHA256
    99cabbad55b9ddaaa566e2f6878303e7081a8f112e2e1f3541a5e352af833b1d
  • SHA512
    3e6c9084afdc5857f05a575900dfe257189fb8046f443489bf2bc4cb083af2657c41e836fee61b56dc47a0b83c5b40ba78802ff59b92c78c8a0cf682968a13cc

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3920
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr0.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3208
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr1.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:1336
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr2.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3460
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr3.txt"
          4⤵
          PID:1532
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 84
            5⤵
            • Program crash
            PID:4984
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr3.txt"
          4⤵
          PID:4196
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          /stext "C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr4.txt"
          4⤵
          PID:4448
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1532 -ip 1532
    1⤵
    PID:4888

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 2
  • Privilege Escalation
    Bypass User Account Control (T1088): 1
  • Defense Evasion
    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 3
    Modify Registry (T1112): 6
  • Discovery
    System Information Discovery (T1082): 1
  • Collection
    Email Collection (T1114): 1

The number after each technique is how many signatures above map to it. These are ATT&CK v6 identifiers; in current ATT&CK releases T1060 is T1547.001, T1088 is T1548.002 and T1089 is T1562.001, so translate before matching against newer detection content.


Downloads

  • C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr2.txt
    Filesize: 3KB
    MD5: f94dc819ca773f1e3cb27abbc9e7fa27
    SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
    SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
    SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
  • C:\Users\Admin\AppData\Roaming\V1B5T2F0-T6S4-E5P1-P7G0-X443Q1A6T3M3\euunwhbbr4.txt
    Filesize: 2B
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
  • memory/3112-130-0x0000000000390000-0x0000000000452000-memory.dmp
    Filesize: 776KB
  • memory/3112-131-0x00000000054A0000-0x0000000005A44000-memory.dmp
    Filesize: 5.6MB
  • memory/3112-132-0x0000000004FD0000-0x0000000005062000-memory.dmp
    Filesize: 584KB
  • memory/3112-133-0x0000000005130000-0x000000000513A000-memory.dmp
    Filesize: 40KB
  • memory/3112-134-0x0000000009AA0000-0x0000000009B3C000-memory.dmp
    Filesize: 624KB
  • memory/3112-135-0x0000000009D00000-0x0000000009D66000-memory.dmp
    Filesize: 408KB
  • memory/3920-136-0x0000000000000000-mapping.dmp
  • memory/3920-137-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB
  • memory/3920-139-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB
  • memory/3920-142-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB
  • memory/3920-143-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB
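The dump names encode the PID, a sequence number and the region's start and end address, so the sizes can be recovered and cross-checked without downloading anything. Two things stand out once they are tabulated: the first stage (PID 3112) has a 776KB module at 0x390000 (a mapped image is larger than its 750KB on-disk size because sections are page-aligned) plus several heap-sized regions, while the second stage (PID 3920) has a single 176KB region at 0x400000, the default image base for a 32-bit executable, dumped four times, consistent with an image being written into the hollowed child and captured after each change; the SysWOW64 WerFault.exe handling PID 1532 likewise indicates a 32-bit process. The parser below is an added example, not part of the report or of any sandbox's code; the names are copied from the list above, while the size rendering and the "repeated region" aggregation are this example's own logic.

```python
"""Parser for the memory-dump artifact names listed above, recovering each region's
size and counting how often the same range was dumped. Added example with
constructed aggregation logic; the names themselves are copied from the report."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)"
    r"(?:-0x(?P<end>[0-9a-f]+)-memory|-mapping)\.dmp$", re.I)


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: Optional[int]  # None for a "-mapping.dmp" entry, which carries no range

    def size(self) -> int:
        return 0 if self.end is None else self.end - self.start


def parse_dump_name(name: str) -> Optional[Region]:
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, or memory/<pid>-<seq>-0x0-mapping.dmp."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    end = m.group("end")
    return Region(int(m.group("pid")), int(m.group("seq")),
                  int(m.group("start"), 16), int(end, 16) if end else None)


def human_size(n: int) -> str:
    """Same rendering the report uses: whole KB below 1MB, one decimal above (1024-based)."""
    return "%.1fMB" % (n / 2 ** 20) if n >= 2 ** 20 else "%dKB" % (n // 1024)


def repeated_regions(names: List[str]) -> Dict[int, Dict[Tuple[int, int], int]]:
    """pid -> {(start, end): times dumped}. A range dumped repeatedly is one the
    sandbox saw rewritten, which is what an image injected into a hollowed process
    looks like; ranged dumps only, mapping placeholders are skipped."""
    counts: Dict[int, Dict[Tuple[int, int], int]] = defaultdict(lambda: defaultdict(int))
    for name in names:
        r = parse_dump_name(name)
        if r is not None and r.end is not None:
            counts[r.pid][(r.start, r.end)] += 1
    return {pid: dict(c) for pid, c in counts.items()}


DUMPS = [  # copied from the report's Downloads list
    "memory/3112-130-0x0000000000390000-0x0000000000452000-memory.dmp",
    "memory/3112-131-0x00000000054A0000-0x0000000005A44000-memory.dmp",
    "memory/3112-132-0x0000000004FD0000-0x0000000005062000-memory.dmp",
    "memory/3112-133-0x0000000005130000-0x000000000513A000-memory.dmp",
    "memory/3112-134-0x0000000009AA0000-0x0000000009B3C000-memory.dmp",
    "memory/3112-135-0x0000000009D00000-0x0000000009D66000-memory.dmp",
    "memory/3920-136-0x0000000000000000-mapping.dmp",
    "memory/3920-137-0x0000000000400000-0x000000000042C000-memory.dmp",
    "memory/3920-139-0x0000000000400000-0x000000000042C000-memory.dmp",
    "memory/3920-142-0x0000000000400000-0x000000000042C000-memory.dmp",
    "memory/3920-143-0x0000000000400000-0x000000000042C000-memory.dmp",
]

if __name__ == "__main__":
    for pid, regions in repeated_regions(DUMPS).items():
        for (start, end), n in regions.items():
            print("pid %d %#x-%#x %s dumped %dx" % (pid, start, end, human_size(end - start), n))
```

Run stand-alone it prints one line per distinct region; PID 3920 collapses to a single 0x400000-0x42C000 entry dumped four times. The 176KB region is the one to pull and scan for a PE header if the injected payload needs identifying.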