Malware Analysis Report

2024-10-23 20:10

Sample ID 210920-pl66qaggdk
Target f6200b9b9789794de4a8d78f4ae96d22.exe
SHA256 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
Tags
xpertrat test evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

Threat Level: Known bad

The file f6200b9b9789794de4a8d78f4ae96d22.exe was found to be: Known bad.

Malicious Activity Summary

xpertrat test evasion persistence rat trojan

UAC bypass

XpertRAT Core Payload

XpertRAT

Windows security bypass

NirSoft WebBrowserPassView

Nirsoft

NirSoft MailPassView

Adds policy Run key to start application

Windows security modification

Deletes itself

Program crash

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-20 12:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-20 12:26

Reported

2021-09-20 12:29

Platform

win7v20210408

Max time kernel

96s

Max time network

85s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe"

Signatures

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe

"C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.bing.com udp
US 8.8.8.8:53 www.bing.com udp

Files

memory/2000-60-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/2000-62-0x00000000004E0000-0x00000000004E1000-memory.dmp

memory/1640-63-0x0000000000000000-mapping.dmp

memory/1536-64-0x0000000000000000-mapping.dmp

memory/1948-65-0x0000000000000000-mapping.dmp

memory/1948-66-0x0000000075D11000-0x0000000075D13000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 881f1385b43ca0ede56f6bd958eeb611
SHA1 9722f38e49e7a71640b69e4a6e996a986e495ba6
SHA256 cced10515f319890f385a59c643bdb0b11d6b1f003a1a4d59e70258fa087bc15
SHA512 ef23215ca8496d929febd477439d6e1dc1b33f0d727e764a6c9b7402a59659826817f4a50a93984bdff33df71942713227583fbd22b4263dc37493b5026f3958

memory/1640-70-0x0000000002330000-0x0000000002331000-memory.dmp

memory/1536-73-0x00000000047B0000-0x00000000047B1000-memory.dmp

memory/1948-75-0x0000000001F50000-0x0000000001F51000-memory.dmp

memory/1640-74-0x00000000048B0000-0x00000000048B1000-memory.dmp

memory/1536-76-0x00000000047F0000-0x00000000047F1000-memory.dmp

memory/1536-80-0x00000000047B2000-0x00000000047B3000-memory.dmp

memory/1948-79-0x0000000001F52000-0x0000000001F53000-memory.dmp

memory/1640-81-0x00000000048B2000-0x00000000048B3000-memory.dmp

memory/1640-82-0x0000000002580000-0x0000000002581000-memory.dmp

memory/1640-84-0x0000000004850000-0x0000000004851000-memory.dmp

memory/1536-88-0x0000000005650000-0x0000000005651000-memory.dmp

memory/1536-93-0x00000000056B0000-0x00000000056B1000-memory.dmp

memory/1536-94-0x00000000061D0000-0x00000000061D1000-memory.dmp

memory/1536-95-0x000000007EF30000-0x000000007EF31000-memory.dmp

memory/1536-102-0x0000000006280000-0x0000000006281000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96

MD5 df44874327d79bd75e4264cb8dc01811
SHA1 1396b06debed65ea93c24998d244edebd3c0209d
SHA256 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA512 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc

MD5 be4d72095faf84233ac17b94744f7084
SHA1 cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256 b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA512 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5

MD5 5e3c7184a75d42dda1a83606a45001d8
SHA1 94ca15637721d88f30eb4b6220b805c5be0360ed
SHA256 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512 fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6

MD5 75a8da7754349b38d64c87c938545b1b
SHA1 5c28c257d51f1c1587e29164cc03ea880c21b417
SHA256 bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75

MD5 02ff38ac870de39782aeee04d7b48231
SHA1 0390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256 fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA512 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b

MD5 b6d38f250ccc9003dd70efd3b778117f
SHA1 d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA256 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA512 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 abbbf9730d7b3e8a1b3f4b4d04d365ee
SHA1 502a47d8700d226c220a3f70d718bf0a5d7e9d10
SHA256 d80917b675fcd9ea1ea2270fb72410c4f5394046917b9f3f5f173f583df3d351
SHA512 eacaef462ff989c4dd2c7df29be67d8ca2563db2e4fd92dac6b613752d738f7871ac879cb337364b99b4774aacbee4b9baeeb232ae95f1aa688b434ced820cdb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 941a56db59fc0f6fbc482149be09e06d
SHA1 fd33a72c9b4aa6bc3c2cbfa8561da74a64902325
SHA256 3cf7dc240c7cf25ed65642e63f0562e5d75850bc676dc95909219875116af118
SHA512 bd512dd7e29b3ae8cc24a5d9dc9a09c0ff8bfd75c1a5df3151917dcb558a9832bc4887b585dd2d9ab69633e80ea1a4f15bb476b39a29390eb6097a2769686a34

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c

MD5 a725bb9fafcf91f3c6b7861a2bde6db2
SHA1 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA256 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA512 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 941a56db59fc0f6fbc482149be09e06d
SHA1 fd33a72c9b4aa6bc3c2cbfa8561da74a64902325
SHA256 3cf7dc240c7cf25ed65642e63f0562e5d75850bc676dc95909219875116af118
SHA512 bd512dd7e29b3ae8cc24a5d9dc9a09c0ff8bfd75c1a5df3151917dcb558a9832bc4887b585dd2d9ab69633e80ea1a4f15bb476b39a29390eb6097a2769686a34

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_809ebb94-a573-4e32-bdea-38f69f48aae2

MD5 e36e413334d4226cfecaebdd90e31c04
SHA1 a70ab4d400261150d6ce6798cadc6e2539ec84c7
SHA256 fa3e9bdb2278858c97da8478ed573db4a6642363775b1530ab0b24571e2c0f4a
SHA512 f2cd799769189ca59190fee5b1a44f0a7ead22874763291462fbe86865cdba5ff2854279a0d918b3769ec4d8f4e9198b5ac4f30dc3325386da5b73e18af2ca63

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a

MD5 597009ea0430a463753e0f5b1d1a249e
SHA1 4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA256 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA512 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 1ba061773e97b2394ed3e94f31a2a544
SHA1 c6e31cec9c1b2de06cc7edad1c907c62f3740f54
SHA256 87cf890651a63f8ae5ba07465279d0ea6bda26de6fec245702175137fcfd8d3c
SHA512 8d3abc340c8bde114ca72e67afc02a1a9d437834c289e06d66341bc48f385a55c42525c760bd593c09467d06e04aecb3a7ca18cb054a8e8d08a57d00b7ccd449

memory/1640-114-0x0000000006320000-0x0000000006321000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-20 12:26

Reported

2021-09-20 12:28

Platform

win10-en

Max time kernel

82s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3388 set thread context of 4720 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 4720 set thread context of 4764 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 set thread context of 4784 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 set thread context of 4796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 set thread context of 4828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 set thread context of 4860 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 set thread context of 4876 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 set thread context of 1600 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 set thread context of 1672 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 set thread context of 1824 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3388 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 3388 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 3388 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 3388 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 3388 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 3388 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 3388 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 3388 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 3388 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 3388 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
PID 4720 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4720 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4720 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4720 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4720 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4720 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4720 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4720 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 1016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 4764 wrote to memory of 1016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 4764 wrote to memory of 1016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 4764 wrote to memory of 1016 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\notepad.exe
PID 4764 wrote to memory of 4784 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4784 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4784 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4784 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4784 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4784 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4784 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4784 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4796 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4828 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4860 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4860 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4860 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 4764 wrote to memory of 4860 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe

"C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com

C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe

C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe

C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe

C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck0.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck1.txt"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 92

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck1.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck2.txt"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 92

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck2.txt"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 92

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck2.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck3.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck4.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.bing.com udp
US 8.8.8.8:53 www.bing.com udp
US 8.8.8.8:53 www.twitter.com udp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp

Files

memory/3388-115-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/3388-117-0x0000000005040000-0x0000000005041000-memory.dmp

memory/3388-118-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

memory/3388-119-0x0000000004B70000-0x0000000004B71000-memory.dmp

memory/3388-120-0x0000000004B00000-0x0000000004B01000-memory.dmp

memory/3928-121-0x0000000000000000-mapping.dmp

memory/3888-122-0x0000000000000000-mapping.dmp

memory/3584-123-0x0000000000000000-mapping.dmp

memory/3928-130-0x0000000004D80000-0x0000000004D81000-memory.dmp

memory/3928-133-0x0000000007940000-0x0000000007941000-memory.dmp

memory/3888-136-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

memory/3928-137-0x0000000007300000-0x0000000007301000-memory.dmp

memory/3584-138-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/3584-139-0x0000000006B40000-0x0000000006B41000-memory.dmp

memory/3888-142-0x0000000006BA2000-0x0000000006BA3000-memory.dmp

memory/3928-143-0x0000000007302000-0x0000000007303000-memory.dmp

memory/3584-144-0x0000000000E52000-0x0000000000E53000-memory.dmp

memory/3888-145-0x00000000079B0000-0x00000000079B1000-memory.dmp

memory/3888-148-0x0000000007A90000-0x0000000007A91000-memory.dmp

memory/3584-151-0x0000000007580000-0x0000000007581000-memory.dmp

memory/3584-154-0x0000000007A10000-0x0000000007A11000-memory.dmp

memory/3928-157-0x00000000089F0000-0x00000000089F1000-memory.dmp

memory/3888-160-0x00000000082E0000-0x00000000082E1000-memory.dmp

memory/3928-171-0x00000000098B0000-0x00000000098B1000-memory.dmp

memory/3928-176-0x00000000095A0000-0x00000000095A1000-memory.dmp

memory/3928-179-0x00000000095C0000-0x00000000095C1000-memory.dmp

memory/3928-205-0x000000000A9D0000-0x000000000A9D1000-memory.dmp

memory/3888-208-0x0000000006BA3000-0x0000000006BA4000-memory.dmp

memory/3584-209-0x0000000000E53000-0x0000000000E54000-memory.dmp

memory/3928-210-0x0000000007303000-0x0000000007304000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 e71a0a7e48b10bde0a9c54387762f33e
SHA1 fed75947f1163b00096e24a46e67d9c21e7eeebd
SHA256 83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de
SHA512 394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3e77416d08e983c4998c643d5bcfac14
SHA1 ffe76fe7b9acaf48ebb11799618b111c362d5ab3
SHA256 fca58f3e1d9142142f68e503be69209cd16f7fa573b99a85f484898c68fac675
SHA512 298e863d5cf308cd50ff1687fb076fe882ff72e5bc2f7b4775e5c88efad6ca15fbe252620228eee8e6e896460dca1a25bfb7402390d77438be5e7862ef24997d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 e71a0a7e48b10bde0a9c54387762f33e
SHA1 fed75947f1163b00096e24a46e67d9c21e7eeebd
SHA256 83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de
SHA512 394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

memory/3032-409-0x0000000000000000-mapping.dmp

memory/3032-413-0x0000000001030000-0x0000000001031000-memory.dmp

memory/3032-415-0x0000000001032000-0x0000000001033000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 27e87e2444e75e1df647adc5c9a43364
SHA1 b29220936e83725e2794e4523483214eea3cda35
SHA256 c4175db27f7e960f30cbcad7541b3157b3a31ed521f79c66820febca3e4c18e8
SHA512 f4dce6aeccda767db9e87ba00537ba46802da759cf0e2b2ae4b6ed515d3c7024277a4c92c95aac6905d9e2cbf7cec3ba0a02aaa8cbce1231262120e3ab8d8c75

memory/3032-455-0x0000000001033000-0x0000000001034000-memory.dmp

memory/3388-505-0x0000000006F10000-0x0000000006F56000-memory.dmp

memory/3388-506-0x0000000005010000-0x0000000005040000-memory.dmp

memory/4720-507-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4720-508-0x00000000004010B8-mapping.dmp

memory/4720-511-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4764-513-0x0000000000401364-mapping.dmp

memory/1016-520-0x0000000000000000-mapping.dmp

memory/4784-522-0x0000000000423BC0-mapping.dmp

memory/4796-526-0x0000000000411654-mapping.dmp

memory/4828-528-0x0000000000411654-mapping.dmp

memory/4860-532-0x0000000000442F04-mapping.dmp

memory/4876-534-0x0000000000442F04-mapping.dmp

memory/1600-536-0x0000000000442F04-mapping.dmp

C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck2.txt

MD5 f94dc819ca773f1e3cb27abbc9e7fa27
SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

memory/1672-541-0x0000000000413750-mapping.dmp

memory/1824-545-0x000000000040C2A8-mapping.dmp

C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ykgleybck4.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84