xpertrat | d5325b0dfdd73327d48c0e069567ce843a68f10d7fe0301a74dad13d6422eee2

General

Target

d76c5a676e641b431ac0a9dded9c505d.exe
Size

823KB
MD5

d76c5a676e641b431ac0a9dded9c505d
SHA1

62bc6251747312cc7307c2c49cf14d511d0bfcdd
SHA256

d5325b0dfdd73327d48c0e069567ce843a68f10d7fe0301a74dad13d6422eee2
SHA512

0c4c8206529fe1469476e2e51c01a6bf3d6a5444c223ed074925c324fe235214272d010ab42ce9478f2e31a7f7aff6d7eb885f569d7cc7ac67c27aa6c49b73c9

Score

10^/10

xpertrat xxx evasion rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

XXX

C2

kapasky-antivirus.firewall-gateway.net:2054

kapasky-antivirus.firewall-gateway.net:4000

Mutex

U4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 37 IoCs

Processes:

resource	yara_rule
behavioral2/memory/904-128-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral2/memory/904-129-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3628-132-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1576-134-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2292-136-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3828-138-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/744-140-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3992-142-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2584-144-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3876-146-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1428-148-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/936-150-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3988-152-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1388-154-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2144-156-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3316-158-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4004-160-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3704-162-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/740-164-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3136-166-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2200-168-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2276-170-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3844-172-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3464-174-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3144-176-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3604-178-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1784-180-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3668-182-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1648-184-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1664-186-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/184-188-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2364-190-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2984-192-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2808-194-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3752-196-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3692-198-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2160-200-0x0000000000401364-mapping.dmp	xpertrat

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d76c5a676e641b431ac0a9dded9c505d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	d76c5a676e641b431ac0a9dded9c505d.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

d76c5a676e641b431ac0a9dded9c505d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d76c5a676e641b431ac0a9dded9c505d.exe

Program crash 36 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4036	904	WerFault.exe	iexplore.exe
3012	3628	WerFault.exe	iexplore.exe
2112	1576	WerFault.exe	iexplore.exe
3852	2292	WerFault.exe	iexplore.exe
3968	3828	WerFault.exe	iexplore.exe
3164	744	WerFault.exe	iexplore.exe
3664	3992	WerFault.exe	iexplore.exe
488	2584	WerFault.exe	iexplore.exe
3336	3876	WerFault.exe	iexplore.exe
1760	1428	WerFault.exe	iexplore.exe
1944	936	WerFault.exe	iexplore.exe
216	3988	WerFault.exe	iexplore.exe
2460	1388	WerFault.exe	iexplore.exe
1800	2144	WerFault.exe	iexplore.exe
3404	3316	WerFault.exe	iexplore.exe
3596	4004	WerFault.exe	iexplore.exe
804	3704	WerFault.exe	iexplore.exe
3396	740	WerFault.exe	iexplore.exe
1464	3136	WerFault.exe	iexplore.exe
3012	2200	WerFault.exe	iexplore.exe
1552	2276	WerFault.exe	iexplore.exe
4084	3844	WerFault.exe	iexplore.exe
684	3464	WerFault.exe	iexplore.exe
1140	3144	WerFault.exe	iexplore.exe
1376	3604	WerFault.exe	iexplore.exe
3956	1784	WerFault.exe	iexplore.exe
768	3668	WerFault.exe	iexplore.exe
2828	1648	WerFault.exe	iexplore.exe
2312	1664	WerFault.exe	iexplore.exe
1244	184	WerFault.exe	iexplore.exe
1292	2364	WerFault.exe	iexplore.exe
3500	2984	WerFault.exe	iexplore.exe
1332	2808	WerFault.exe	iexplore.exe
1108	3752	WerFault.exe	iexplore.exe
500	3692	WerFault.exe	iexplore.exe
2212	2160	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 37 IoCs

Processes:

d76c5a676e641b431ac0a9dded9c505d.exed76c5a676e641b431ac0a9dded9c505d.exe

description	pid	process	target process
PID 1108 set thread context of 3352	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 3352 set thread context of 904	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3628	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 1576	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 2292	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3828	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 744	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3992	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 2584	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3876	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 1428	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 936	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3988	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 1388	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 2144	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3316	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 4004	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3704	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 740	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3136	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 2200	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 2276	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3844	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3464	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3144	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3604	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 1784	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3668	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 1648	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 1664	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 184	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 2364	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 2984	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 2808	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3752	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 3692	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 set thread context of 2160	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d76c5a676e641b431ac0a9dded9c505d.exed76c5a676e641b431ac0a9dded9c505d.exe

pid	process
1108	d76c5a676e641b431ac0a9dded9c505d.exe
1108	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe
3352	d76c5a676e641b431ac0a9dded9c505d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d76c5a676e641b431ac0a9dded9c505d.exe

description pid process

Token: SeDebugPrivilege 1108 d76c5a676e641b431ac0a9dded9c505d.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d76c5a676e641b431ac0a9dded9c505d.exe

pid process

3352 d76c5a676e641b431ac0a9dded9c505d.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

iexplore.exe

pid process

3844 iexplore.exe
3844 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	1108	d76c5a676e641b431ac0a9dded9c505d.exe

pid	process
3352	d76c5a676e641b431ac0a9dded9c505d.exe

pid	process
3844	iexplore.exe
3844	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d76c5a676e641b431ac0a9dded9c505d.exed76c5a676e641b431ac0a9dded9c505d.exe

description	pid	process	target process
PID 1108 wrote to memory of 740	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1108 wrote to memory of 740	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1108 wrote to memory of 740	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1108 wrote to memory of 3352	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1108 wrote to memory of 3352	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1108 wrote to memory of 3352	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1108 wrote to memory of 3352	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1108 wrote to memory of 3352	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1108 wrote to memory of 3352	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 1108 wrote to memory of 3352	1108	d76c5a676e641b431ac0a9dded9c505d.exe	d76c5a676e641b431ac0a9dded9c505d.exe
PID 3352 wrote to memory of 904	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 904	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 904	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 904	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 904	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 904	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 904	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 904	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3628	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3628	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3628	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3628	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3628	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3628	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3628	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3628	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 1576	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 1576	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 1576	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 1576	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 1576	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 1576	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 1576	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 1576	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 2292	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 2292	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 2292	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 2292	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 2292	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 2292	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 2292	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 2292	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3828	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3828	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3828	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3828	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3828	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3828	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3828	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3828	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 744	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 744	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 744	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 744	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 744	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 744	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 744	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 744	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3992	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3992	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3992	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3992	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3992	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe
PID 3352 wrote to memory of 3992	3352	d76c5a676e641b431ac0a9dded9c505d.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

d76c5a676e641b431ac0a9dded9c505d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d76c5a676e641b431ac0a9dded9c505d.exe

C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
"C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
"{path}"
2⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
"{path}"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3352

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 24
4⤵
- Program crash
PID:4036

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 24
4⤵
- Program crash
PID:3012

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 24
4⤵
- Program crash
PID:2112

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 24
4⤵
- Program crash
PID:3852

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 24
4⤵
- Program crash
PID:3968

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 24
4⤵
- Program crash
PID:3164

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 24
4⤵
- Program crash
PID:3664

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 24
4⤵
- Program crash
PID:488

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 24
4⤵
- Program crash
PID:3336

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 24
4⤵
- Program crash
PID:1760

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 24
4⤵
- Program crash
PID:1944

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 24
4⤵
- Program crash
PID:216

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 24
4⤵
- Program crash
PID:2460

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 24
4⤵
- Program crash
PID:1800

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 24
4⤵
- Program crash
PID:3404

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 24
4⤵
- Program crash
PID:3596

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 24
4⤵
- Program crash
PID:804

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 24
4⤵
- Program crash
PID:3396

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 24
4⤵
- Program crash
PID:1464

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 24
4⤵
- Program crash
PID:3012

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 24
4⤵
- Program crash
PID:1552

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
- Suspicious use of UnmapMainImage
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 24
4⤵
- Program crash
PID:4084

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 24
4⤵
- Program crash
PID:684

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 24
4⤵
- Program crash
PID:1140

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 24
4⤵
- Program crash
PID:1376

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 24
4⤵
- Program crash
PID:3956

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 24
4⤵
- Program crash
PID:768

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 24
4⤵
- Program crash
PID:2828

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 24
4⤵
- Program crash
PID:2312

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 24
4⤵
- Program crash
PID:1244

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 24
4⤵
- Program crash
PID:1292

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 24
4⤵
- Program crash
PID:3500

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 24
4⤵
- Program crash
PID:1332

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 24
4⤵
- Program crash
PID:1108

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 24
4⤵
- Program crash
PID:500

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d76c5a676e641b431ac0a9dded9c505d.exe
3⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 24
4⤵
- Program crash
PID:2212

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/184-188-0x0000000000401364-mapping.dmp

Download
memory/740-164-0x0000000000401364-mapping.dmp

Download
memory/744-140-0x0000000000401364-mapping.dmp

Download
memory/904-129-0x0000000000401364-mapping.dmp

Download
memory/904-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/936-150-0x0000000000401364-mapping.dmp

Download
memory/1108-119-0x0000000005550000-0x0000000005A4E000-memory.dmp

Filesize
5.0MB

Download
memory/1108-122-0x0000000008D30000-0x0000000008DF4000-memory.dmp

Filesize
784KB

Download
memory/1108-123-0x000000000B4D0000-0x000000000B547000-memory.dmp

Filesize
476KB

Download
memory/1108-121-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/1108-114-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1108-120-0x00000000059F0000-0x00000000059FE000-memory.dmp

Filesize
56KB

Download
memory/1108-118-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/1108-117-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/1108-116-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/1388-154-0x0000000000401364-mapping.dmp

Download
memory/1428-148-0x0000000000401364-mapping.dmp

Download
memory/1576-134-0x0000000000401364-mapping.dmp

Download
memory/1648-184-0x0000000000401364-mapping.dmp

Download
memory/1664-186-0x0000000000401364-mapping.dmp

Download
memory/1784-180-0x0000000000401364-mapping.dmp

Download
memory/2144-156-0x0000000000401364-mapping.dmp

Download
memory/2160-200-0x0000000000401364-mapping.dmp

Download
memory/2200-168-0x0000000000401364-mapping.dmp

Download
memory/2276-170-0x0000000000401364-mapping.dmp

Download
memory/2292-136-0x0000000000401364-mapping.dmp

Download
memory/2364-190-0x0000000000401364-mapping.dmp

Download
memory/2584-144-0x0000000000401364-mapping.dmp

Download
memory/2808-194-0x0000000000401364-mapping.dmp

Download
memory/2984-192-0x0000000000401364-mapping.dmp

Download
memory/3136-166-0x0000000000401364-mapping.dmp

Download
memory/3144-176-0x0000000000401364-mapping.dmp

Download
memory/3316-158-0x0000000000401364-mapping.dmp

Download
memory/3352-130-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3352-124-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3352-125-0x00000000004010B8-mapping.dmp

Download
memory/3464-174-0x0000000000401364-mapping.dmp

Download
memory/3604-178-0x0000000000401364-mapping.dmp

Download
memory/3628-132-0x0000000000401364-mapping.dmp

Download
memory/3668-182-0x0000000000401364-mapping.dmp

Download
memory/3692-198-0x0000000000401364-mapping.dmp

Download
memory/3704-162-0x0000000000401364-mapping.dmp

Download
memory/3752-196-0x0000000000401364-mapping.dmp

Download
memory/3828-138-0x0000000000401364-mapping.dmp

Download
memory/3844-172-0x0000000000401364-mapping.dmp

Download
memory/3876-146-0x0000000000401364-mapping.dmp

Download
memory/3988-152-0x0000000000401364-mapping.dmp

Download
memory/3992-142-0x0000000000401364-mapping.dmp

Download
memory/4004-160-0x0000000000401364-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads