xpertrat | 06febadb1cc71ef3987c339b7c862ea4cd32656c372c4f266cd1af68c355a0c0

General

Target

939a42faab70585cf4aed59c73425492.exe
Size

472KB
MD5

939a42faab70585cf4aed59c73425492
SHA1

ccc57ed7de341f637e1ba6e671105ec304bd2c4b
SHA256

06febadb1cc71ef3987c339b7c862ea4cd32656c372c4f266cd1af68c355a0c0
SHA512

04a845f4b4db9f8fb923a10db65a1cac6cce46f52aa46eaa124b7aa710e7d063555e93f93e26dfb9fa3c28425297d080f69025fcbc73801825154cbf659abe00

Score

10^/10

xpertrat special x evasion rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

mertrerfeyy.duckdns.org:8494

gwtruwhgw.duckdns.org:8494

dfgrttuutii.duckdns.org:8494

Mutex

J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 38 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1264-128-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral2/memory/1264-129-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2100-132-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1928-134-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2004-136-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4000-138-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3200-140-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3936-142-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/696-144-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4016-146-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/816-148-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1520-150-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1248-152-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/188-154-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1856-156-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2736-158-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/580-160-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2196-162-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3240-164-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/672-166-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3884-168-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/772-170-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3168-172-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1844-174-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/60-176-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2232-178-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2096-180-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1676-182-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3632-184-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2236-186-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1312-188-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2304-190-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1276-192-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1572-194-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4032-196-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3580-198-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2296-200-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2500-202-0x0000000000401364-mapping.dmp	xpertrat

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

939a42faab70585cf4aed59c73425492.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	939a42faab70585cf4aed59c73425492.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

939a42faab70585cf4aed59c73425492.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	939a42faab70585cf4aed59c73425492.exe

Program crash 37 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2256	1264	WerFault.exe	iexplore.exe
3856	2100	WerFault.exe	iexplore.exe
3896	1928	WerFault.exe	iexplore.exe
3976	2004	WerFault.exe	iexplore.exe
2224	4000	WerFault.exe	iexplore.exe
3404	3200	WerFault.exe	iexplore.exe
1844	3936	WerFault.exe	iexplore.exe
1812	696	WerFault.exe	iexplore.exe
2264	4016	WerFault.exe	iexplore.exe
1524	816	WerFault.exe	iexplore.exe
2068	1520	WerFault.exe	iexplore.exe
820	1248	WerFault.exe	iexplore.exe
1816	188	WerFault.exe	iexplore.exe
3680	1856	WerFault.exe	iexplore.exe
1156	2736	WerFault.exe	iexplore.exe
3612	580	WerFault.exe	iexplore.exe
2316	2196	WerFault.exe	iexplore.exe
2116	3240	WerFault.exe	iexplore.exe
1316	672	WerFault.exe	iexplore.exe
4004	3884	WerFault.exe	iexplore.exe
416	772	WerFault.exe	iexplore.exe
2892	3168	WerFault.exe	iexplore.exe
1216	1844	WerFault.exe	iexplore.exe
824	60	WerFault.exe	iexplore.exe
504	2232	WerFault.exe	iexplore.exe
2756	2096	WerFault.exe	iexplore.exe
1536	1676	WerFault.exe	iexplore.exe
1896	3632	WerFault.exe	iexplore.exe
2348	2236	WerFault.exe	iexplore.exe
2480	1312	WerFault.exe	iexplore.exe
2540	2304	WerFault.exe	iexplore.exe
3172	1276	WerFault.exe	iexplore.exe
1128	1572	WerFault.exe	iexplore.exe
3880	4032	WerFault.exe	iexplore.exe
3976	3580	WerFault.exe	iexplore.exe
2224	2296	WerFault.exe	iexplore.exe
2892	2500	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 38 IoCs

Processes:

939a42faab70585cf4aed59c73425492.exe939a42faab70585cf4aed59c73425492.exe

description	pid	process	target process
PID 636 set thread context of 3504	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 3504 set thread context of 1264	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 2100	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 1928	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 2004	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 4000	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 3200	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 3936	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 696	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 4016	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 816	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 1520	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 1248	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 188	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 1856	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 2736	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 580	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 2196	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 3240	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 672	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 3884	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 772	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 3168	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 1844	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 60	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 2232	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 2096	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 1676	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 3632	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 2236	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 1312	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 2304	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 1276	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 1572	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 4032	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 3580	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 2296	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 set thread context of 2500	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

939a42faab70585cf4aed59c73425492.exe939a42faab70585cf4aed59c73425492.exe

pid	process
636	939a42faab70585cf4aed59c73425492.exe
636	939a42faab70585cf4aed59c73425492.exe
636	939a42faab70585cf4aed59c73425492.exe
636	939a42faab70585cf4aed59c73425492.exe
636	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe
3504	939a42faab70585cf4aed59c73425492.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

939a42faab70585cf4aed59c73425492.exe

description pid process

Token: SeDebugPrivilege 636 939a42faab70585cf4aed59c73425492.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

939a42faab70585cf4aed59c73425492.exe

pid process

3504 939a42faab70585cf4aed59c73425492.exe

description	pid	process
Token: SeDebugPrivilege	636	939a42faab70585cf4aed59c73425492.exe

pid	process
3504	939a42faab70585cf4aed59c73425492.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

939a42faab70585cf4aed59c73425492.exe939a42faab70585cf4aed59c73425492.exe

description	pid	process	target process
PID 636 wrote to memory of 2720	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 636 wrote to memory of 2720	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 636 wrote to memory of 2720	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 636 wrote to memory of 3504	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 636 wrote to memory of 3504	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 636 wrote to memory of 3504	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 636 wrote to memory of 3504	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 636 wrote to memory of 3504	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 636 wrote to memory of 3504	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 636 wrote to memory of 3504	636	939a42faab70585cf4aed59c73425492.exe	939a42faab70585cf4aed59c73425492.exe
PID 3504 wrote to memory of 1264	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1264	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1264	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1264	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1264	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1264	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1264	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1264	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2100	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2100	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2100	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2100	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2100	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2100	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2100	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2100	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1928	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1928	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1928	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1928	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1928	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1928	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1928	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 1928	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2004	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2004	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2004	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2004	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2004	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2004	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2004	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 2004	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 4000	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 4000	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 4000	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 4000	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 4000	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 4000	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 4000	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 4000	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3200	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3200	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3200	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3200	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3200	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3200	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3200	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3200	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3936	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3936	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3936	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3936	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3936	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe
PID 3504 wrote to memory of 3936	3504	939a42faab70585cf4aed59c73425492.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

939a42faab70585cf4aed59c73425492.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	939a42faab70585cf4aed59c73425492.exe

C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
"C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
"{path}"
2⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
"{path}"
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3504

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 24
4⤵
- Program crash
PID:2256

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 24
4⤵
- Program crash
PID:3856

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 24
4⤵
- Program crash
PID:3896

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 24
4⤵
- Program crash
PID:3976

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 24
4⤵
- Program crash
PID:2224

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 24
4⤵
- Program crash
PID:3404

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 24
4⤵
- Program crash
PID:1844

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 24
4⤵
- Program crash
PID:1812

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 24
4⤵
- Program crash
PID:2264

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 24
4⤵
- Program crash
PID:1524

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 24
4⤵
- Program crash
PID:2068

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 24
4⤵
- Program crash
PID:820

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 24
4⤵
- Program crash
PID:1816

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 24
4⤵
- Program crash
PID:3680

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 24
4⤵
- Program crash
PID:1156

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 24
4⤵
- Program crash
PID:3612

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 24
4⤵
- Program crash
PID:2316

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 24
4⤵
- Program crash
PID:2116

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 24
4⤵
- Program crash
PID:1316

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 24
4⤵
- Program crash
PID:4004

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 24
4⤵
- Program crash
PID:416

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 24
4⤵
- Program crash
PID:2892

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 24
4⤵
- Program crash
PID:1216

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 24
4⤵
- Program crash
PID:824

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 24
4⤵
- Program crash
PID:504

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 24
4⤵
- Program crash
PID:2756

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 24
4⤵
- Program crash
PID:1536

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 24
4⤵
- Program crash
PID:1896

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 24
4⤵
- Program crash
PID:2348

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 24
4⤵
- Program crash
PID:2480

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 24
4⤵
- Program crash
PID:2540

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 24
4⤵
- Program crash
PID:3172

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 24
4⤵
- Program crash
PID:1128

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 24
4⤵
- Program crash
PID:3880

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 24
4⤵
- Program crash
PID:3976

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 24
4⤵
- Program crash
PID:2224

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\939a42faab70585cf4aed59c73425492.exe
3⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 24
4⤵
- Program crash
PID:2892

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-176-0x0000000000401364-mapping.dmp

Download
memory/188-154-0x0000000000401364-mapping.dmp

Download
memory/580-160-0x0000000000401364-mapping.dmp

Download
memory/636-123-0x00000000075F0000-0x000000000761E000-memory.dmp

Filesize
184KB

Download
memory/636-117-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/636-120-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/636-121-0x00000000090E0000-0x00000000090E2000-memory.dmp

Filesize
8KB

Download
memory/636-122-0x0000000007420000-0x000000000749D000-memory.dmp

Filesize
500KB

Download
memory/636-116-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/636-118-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/636-119-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/636-114-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/672-166-0x0000000000401364-mapping.dmp

Download
memory/696-144-0x0000000000401364-mapping.dmp

Download
memory/772-170-0x0000000000401364-mapping.dmp

Download
memory/816-148-0x0000000000401364-mapping.dmp

Download
memory/1248-152-0x0000000000401364-mapping.dmp

Download
memory/1264-129-0x0000000000401364-mapping.dmp

Download
memory/1264-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1276-192-0x0000000000401364-mapping.dmp

Download
memory/1312-188-0x0000000000401364-mapping.dmp

Download
memory/1520-150-0x0000000000401364-mapping.dmp

Download
memory/1572-194-0x0000000000401364-mapping.dmp

Download
memory/1676-182-0x0000000000401364-mapping.dmp

Download
memory/1844-174-0x0000000000401364-mapping.dmp

Download
memory/1856-156-0x0000000000401364-mapping.dmp

Download
memory/1928-134-0x0000000000401364-mapping.dmp

Download
memory/2004-136-0x0000000000401364-mapping.dmp

Download
memory/2096-180-0x0000000000401364-mapping.dmp

Download
memory/2100-132-0x0000000000401364-mapping.dmp

Download
memory/2196-162-0x0000000000401364-mapping.dmp

Download
memory/2232-178-0x0000000000401364-mapping.dmp

Download
memory/2236-186-0x0000000000401364-mapping.dmp

Download
memory/2296-200-0x0000000000401364-mapping.dmp

Download
memory/2304-190-0x0000000000401364-mapping.dmp

Download
memory/2500-202-0x0000000000401364-mapping.dmp

Download
memory/2736-158-0x0000000000401364-mapping.dmp

Download
memory/3168-172-0x0000000000401364-mapping.dmp

Download
memory/3200-140-0x0000000000401364-mapping.dmp

Download
memory/3240-164-0x0000000000401364-mapping.dmp

Download
memory/3504-124-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3504-125-0x00000000004010B8-mapping.dmp

Download
memory/3504-130-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3580-198-0x0000000000401364-mapping.dmp

Download
memory/3632-184-0x0000000000401364-mapping.dmp

Download
memory/3884-168-0x0000000000401364-mapping.dmp

Download
memory/3936-142-0x0000000000401364-mapping.dmp

Download
memory/4000-138-0x0000000000401364-mapping.dmp

Download
memory/4016-146-0x0000000000401364-mapping.dmp

Download
memory/4032-196-0x0000000000401364-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads