xpertrat | b6b8326fd527390a435242178b6a45a973c4516d831669ce7527c5d97e90ab10

General

Target

66587368e39228edf1f6034794f17579.exe
Size

419KB
MD5

66587368e39228edf1f6034794f17579
SHA1

31268b1ac9bb83c698eadf5e74f65d58b12d2a50
SHA256

b6b8326fd527390a435242178b6a45a973c4516d831669ce7527c5d97e90ab10
SHA512

fdf02be618eb51fbdafa952b2eb60801d8448f0078c2127024ae2eb4d2542fdabad14bf0e5b127bea5c891a1986ed857032d1a519f3fc537e8296b7bb6a2d9f6

Score

10^/10

xpertrat special x evasion rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

mertrerfeyy.duckdns.org:8494

gwtruwhgw.duckdns.org:8494

dfgrttuutii.duckdns.org:8494

Mutex

J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 40 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2404-128-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral2/memory/2404-129-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/912-132-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1452-134-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3460-136-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2800-138-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2580-140-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2756-142-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3764-144-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4016-146-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1560-148-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/940-150-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2276-152-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1172-154-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/500-156-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3496-158-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3408-160-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3180-162-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1548-164-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2112-166-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/188-168-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2568-170-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3192-172-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3228-174-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2192-176-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1100-178-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3184-180-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3964-182-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1832-184-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3828-186-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1892-188-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1324-190-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3672-192-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1564-194-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1968-196-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2360-198-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/192-200-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2444-202-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2040-204-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/812-206-0x0000000000401364-mapping.dmp	xpertrat

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

66587368e39228edf1f6034794f17579.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	66587368e39228edf1f6034794f17579.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

66587368e39228edf1f6034794f17579.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	66587368e39228edf1f6034794f17579.exe

Program crash 39 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3808	2404	WerFault.exe	iexplore.exe
1448	912	WerFault.exe	iexplore.exe
2364	1452	WerFault.exe	iexplore.exe
2672	3460	WerFault.exe	iexplore.exe
2224	2800	WerFault.exe	iexplore.exe
2568	2580	WerFault.exe	iexplore.exe
3860	2756	WerFault.exe	iexplore.exe
2288	3764	WerFault.exe	iexplore.exe
4024	4016	WerFault.exe	iexplore.exe
2748	1560	WerFault.exe	iexplore.exe
2316	940	WerFault.exe	iexplore.exe
2256	2276	WerFault.exe	iexplore.exe
3092	1172	WerFault.exe	iexplore.exe
2592	500	WerFault.exe	iexplore.exe
1844	3496	WerFault.exe	iexplore.exe
2104	3408	WerFault.exe	iexplore.exe
4044	3180	WerFault.exe	iexplore.exe
1968	1548	WerFault.exe	iexplore.exe
2760	2112	WerFault.exe	iexplore.exe
2488	188	WerFault.exe	iexplore.exe
3956	2568	WerFault.exe	iexplore.exe
516	3192	WerFault.exe	iexplore.exe
1280	3228	WerFault.exe	iexplore.exe
3100	2192	WerFault.exe	iexplore.exe
2856	1100	WerFault.exe	iexplore.exe
388	3184	WerFault.exe	iexplore.exe
2820	3964	WerFault.exe	iexplore.exe
1672	1832	WerFault.exe	iexplore.exe
2200	3828	WerFault.exe	iexplore.exe
420	1892	WerFault.exe	iexplore.exe
3604	1324	WerFault.exe	iexplore.exe
2104	3672	WerFault.exe	iexplore.exe
1232	1564	WerFault.exe	iexplore.exe
2844	1968	WerFault.exe	iexplore.exe
4076	2360	WerFault.exe	iexplore.exe
3876	192	WerFault.exe	iexplore.exe
3368	2444	WerFault.exe	iexplore.exe
2396	2040	WerFault.exe	iexplore.exe
3044	812	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 40 IoCs

Processes:

66587368e39228edf1f6034794f17579.exe66587368e39228edf1f6034794f17579.exe

description	pid	process	target process
PID 3692 set thread context of 3440	3692	66587368e39228edf1f6034794f17579.exe	66587368e39228edf1f6034794f17579.exe
PID 3440 set thread context of 2404	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 912	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 1452	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3460	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 2800	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 2580	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 2756	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3764	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 4016	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 1560	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 940	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 2276	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 1172	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 500	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3496	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3408	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3180	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 1548	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 2112	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 188	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 2568	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3192	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3228	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 2192	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 1100	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3184	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3964	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 1832	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3828	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 1892	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 1324	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 3672	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 1564	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 1968	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 2360	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 192	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 2444	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 2040	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 set thread context of 812	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

66587368e39228edf1f6034794f17579.exe

pid	process
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe
3440	66587368e39228edf1f6034794f17579.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

66587368e39228edf1f6034794f17579.exe

pid process

3440 66587368e39228edf1f6034794f17579.exe
Suspicious use of UnmapMainImage 3 IoCs

Processes:

iexplore.exe

pid process

4016 iexplore.exe
4016 iexplore.exe
4016 iexplore.exe

pid	process
4016	iexplore.exe
4016	iexplore.exe
4016	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

66587368e39228edf1f6034794f17579.exe66587368e39228edf1f6034794f17579.exe

description	pid	process	target process
PID 3692 wrote to memory of 3440	3692	66587368e39228edf1f6034794f17579.exe	66587368e39228edf1f6034794f17579.exe
PID 3692 wrote to memory of 3440	3692	66587368e39228edf1f6034794f17579.exe	66587368e39228edf1f6034794f17579.exe
PID 3692 wrote to memory of 3440	3692	66587368e39228edf1f6034794f17579.exe	66587368e39228edf1f6034794f17579.exe
PID 3692 wrote to memory of 3440	3692	66587368e39228edf1f6034794f17579.exe	66587368e39228edf1f6034794f17579.exe
PID 3692 wrote to memory of 3440	3692	66587368e39228edf1f6034794f17579.exe	66587368e39228edf1f6034794f17579.exe
PID 3692 wrote to memory of 3440	3692	66587368e39228edf1f6034794f17579.exe	66587368e39228edf1f6034794f17579.exe
PID 3692 wrote to memory of 3440	3692	66587368e39228edf1f6034794f17579.exe	66587368e39228edf1f6034794f17579.exe
PID 3440 wrote to memory of 2404	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2404	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2404	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2404	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2404	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2404	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2404	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2404	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 912	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 912	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 912	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 912	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 912	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 912	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 912	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 912	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 1452	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 1452	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 1452	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 1452	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 1452	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 1452	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 1452	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 1452	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 3460	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 3460	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 3460	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 3460	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 3460	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 3460	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 3460	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 3460	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2800	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2800	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2800	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2800	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2800	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2800	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2800	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2800	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2580	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2580	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2580	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2580	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2580	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2580	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2580	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2580	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2756	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2756	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2756	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2756	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2756	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2756	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2756	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 2756	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe
PID 3440 wrote to memory of 3764	3440	66587368e39228edf1f6034794f17579.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

66587368e39228edf1f6034794f17579.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	66587368e39228edf1f6034794f17579.exe

C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
"C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
"{path}"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3440

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 24
4⤵
- Program crash
PID:3808

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 24
4⤵
- Program crash
PID:1448

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 24
4⤵
- Program crash
PID:2364

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 24
4⤵
- Program crash
PID:2672

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 24
4⤵
- Program crash
PID:2224

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 24
4⤵
- Program crash
PID:2568

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 24
4⤵
- Program crash
PID:3860

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 24
4⤵
- Program crash
PID:2288

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
- Suspicious use of UnmapMainImage
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 24
4⤵
- Program crash
PID:4024

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 24
4⤵
- Program crash
PID:2748

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 24
4⤵
- Program crash
PID:2316

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 24
4⤵
- Program crash
PID:2256

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 24
4⤵
- Program crash
PID:3092

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 500 -s 24
4⤵
- Program crash
PID:2592

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 24
4⤵
- Program crash
PID:1844

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 24
4⤵
- Program crash
PID:2104

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 24
4⤵
- Program crash
PID:4044

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 24
4⤵
- Program crash
PID:1968

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 24
4⤵
- Program crash
PID:2760

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 24
4⤵
- Program crash
PID:2488

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 24
4⤵
- Program crash
PID:3956

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 24
4⤵
- Program crash
PID:516

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 24
4⤵
- Program crash
PID:1280

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 24
4⤵
- Program crash
PID:3100

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 24
4⤵
- Program crash
PID:2856

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 24
4⤵
- Program crash
PID:388

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 24
4⤵
- Program crash
PID:2820

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 24
4⤵
- Program crash
PID:1672

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 24
4⤵
- Program crash
PID:2200

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 24
4⤵
- Program crash
PID:420

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 24
4⤵
- Program crash
PID:3604

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 24
4⤵
- Program crash
PID:2104

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 24
4⤵
- Program crash
PID:1232

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 24
4⤵
- Program crash
PID:2844

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 24
4⤵
- Program crash
PID:4076

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 24
4⤵
- Program crash
PID:3876

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 24
4⤵
- Program crash
PID:3368

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 24
4⤵
- Program crash
PID:2396

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\66587368e39228edf1f6034794f17579.exe
3⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 24
4⤵
- Program crash
PID:3044

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-168-0x0000000000401364-mapping.dmp

Download
memory/192-200-0x0000000000401364-mapping.dmp

Download
memory/500-156-0x0000000000401364-mapping.dmp

Download
memory/812-206-0x0000000000401364-mapping.dmp

Download
memory/912-132-0x0000000000401364-mapping.dmp

Download
memory/940-150-0x0000000000401364-mapping.dmp

Download
memory/1100-178-0x0000000000401364-mapping.dmp

Download
memory/1172-154-0x0000000000401364-mapping.dmp

Download
memory/1324-190-0x0000000000401364-mapping.dmp

Download
memory/1452-134-0x0000000000401364-mapping.dmp

Download
memory/1548-164-0x0000000000401364-mapping.dmp

Download
memory/1560-148-0x0000000000401364-mapping.dmp

Download
memory/1564-194-0x0000000000401364-mapping.dmp

Download
memory/1832-184-0x0000000000401364-mapping.dmp

Download
memory/1892-188-0x0000000000401364-mapping.dmp

Download
memory/1968-196-0x0000000000401364-mapping.dmp

Download
memory/2040-204-0x0000000000401364-mapping.dmp

Download
memory/2112-166-0x0000000000401364-mapping.dmp

Download
memory/2192-176-0x0000000000401364-mapping.dmp

Download
memory/2276-152-0x0000000000401364-mapping.dmp

Download
memory/2360-198-0x0000000000401364-mapping.dmp

Download
memory/2404-129-0x0000000000401364-mapping.dmp

Download
memory/2404-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-202-0x0000000000401364-mapping.dmp

Download
memory/2568-170-0x0000000000401364-mapping.dmp

Download
memory/2580-140-0x0000000000401364-mapping.dmp

Download
memory/2756-142-0x0000000000401364-mapping.dmp

Download
memory/2800-138-0x0000000000401364-mapping.dmp

Download
memory/3180-162-0x0000000000401364-mapping.dmp

Download
memory/3184-180-0x0000000000401364-mapping.dmp

Download
memory/3192-172-0x0000000000401364-mapping.dmp

Download
memory/3228-174-0x0000000000401364-mapping.dmp

Download
memory/3408-160-0x0000000000401364-mapping.dmp

Download
memory/3440-130-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3440-124-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3440-125-0x00000000004010B8-mapping.dmp

Download
memory/3460-136-0x0000000000401364-mapping.dmp

Download
memory/3496-158-0x0000000000401364-mapping.dmp

Download
memory/3672-192-0x0000000000401364-mapping.dmp

Download
memory/3692-121-0x0000000004E00000-0x0000000004E02000-memory.dmp

Filesize
8KB

Download
memory/3692-114-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3692-123-0x0000000006930000-0x000000000695E000-memory.dmp

Filesize
184KB

Download
memory/3692-122-0x0000000007030000-0x00000000070AD000-memory.dmp

Filesize
500KB

Download
memory/3692-120-0x0000000004AD0000-0x0000000004FCE000-memory.dmp

Filesize
5.0MB

Download
memory/3692-119-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3692-118-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3692-117-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/3692-116-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3764-144-0x0000000000401364-mapping.dmp

Download
memory/3828-186-0x0000000000401364-mapping.dmp

Download
memory/3964-182-0x0000000000401364-mapping.dmp

Download
memory/4016-146-0x0000000000401364-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads