xpertrat | 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a

Analysis

max time kernel
146s
max time network
135s
platform
windows7_x64
resource
win7-en-20210916
submitted
20-09-2021 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6200b9b9789794de4a8d78f4ae96d22.exe
Size

292KB
MD5

f6200b9b9789794de4a8d78f4ae96d22
SHA1

1d18c71e7e4de5c6216653db5effba586345597c
SHA256

85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
SHA512

5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

Score

10^/10

xpertrat test evasion persistence rat trojan upx

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/944-79-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral1/memory/944-80-0x0000000000401364-mapping.dmp	xpertrat

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1120-90-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1120-91-0x0000000000411654-mapping.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1656-93-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral1/memory/1656-94-0x0000000000442F04-mapping.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1072-88-0x0000000000423BC0-mapping.dmp	Nirsoft
behavioral1/memory/1120-90-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1120-91-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1656-93-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/1656-94-0x0000000000442F04-mapping.dmp	Nirsoft
behavioral1/memory/792-104-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/792-105-0x000000000040C2A8-mapping.dmp	Nirsoft

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1072-87-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1480-101-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1372 notepad.exe

pid	process
1372	notepad.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

f6200b9b9789794de4a8d78f4ae96d22.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	f6200b9b9789794de4a8d78f4ae96d22.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f6200b9b9789794de4a8d78f4ae96d22.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6200b9b9789794de4a8d78f4ae96d22.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

f6200b9b9789794de4a8d78f4ae96d22.exef6200b9b9789794de4a8d78f4ae96d22.exeiexplore.exe

description	pid	process	target process
PID 1244 set thread context of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1808 set thread context of 944	1808	f6200b9b9789794de4a8d78f4ae96d22.exe	iexplore.exe
PID 944 set thread context of 1072	944	iexplore.exe	iexplore.exe
PID 944 set thread context of 1120	944	iexplore.exe	iexplore.exe
PID 944 set thread context of 1656	944	iexplore.exe	iexplore.exe
PID 944 set thread context of 1720	944	iexplore.exe	iexplore.exe
PID 944 set thread context of 1584	944	iexplore.exe	iexplore.exe
PID 944 set thread context of 1480	944	iexplore.exe	iexplore.exe
PID 944 set thread context of 792	944	iexplore.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exef6200b9b9789794de4a8d78f4ae96d22.exef6200b9b9789794de4a8d78f4ae96d22.exe

pid	process
1860	powershell.exe
1484	powershell.exe
1488	powershell.exe
1732	powershell.exe
1244	f6200b9b9789794de4a8d78f4ae96d22.exe
1244	f6200b9b9789794de4a8d78f4ae96d22.exe
1244	f6200b9b9789794de4a8d78f4ae96d22.exe
1244	f6200b9b9789794de4a8d78f4ae96d22.exe
1244	f6200b9b9789794de4a8d78f4ae96d22.exe
1244	f6200b9b9789794de4a8d78f4ae96d22.exe
1808	f6200b9b9789794de4a8d78f4ae96d22.exe
1808	f6200b9b9789794de4a8d78f4ae96d22.exe
1808	f6200b9b9789794de4a8d78f4ae96d22.exe
1808	f6200b9b9789794de4a8d78f4ae96d22.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeIncreaseQuotaPrivilege	1484	powershell.exe
Token: SeSecurityPrivilege	1484	powershell.exe
Token: SeTakeOwnershipPrivilege	1484	powershell.exe
Token: SeLoadDriverPrivilege	1484	powershell.exe
Token: SeSystemProfilePrivilege	1484	powershell.exe
Token: SeSystemtimePrivilege	1484	powershell.exe
Token: SeProfSingleProcessPrivilege	1484	powershell.exe
Token: SeIncBasePriorityPrivilege	1484	powershell.exe
Token: SeCreatePagefilePrivilege	1484	powershell.exe
Token: SeBackupPrivilege	1484	powershell.exe
Token: SeRestorePrivilege	1484	powershell.exe
Token: SeShutdownPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeSystemEnvironmentPrivilege	1484	powershell.exe
Token: SeRemoteShutdownPrivilege	1484	powershell.exe
Token: SeUndockPrivilege	1484	powershell.exe
Token: SeManageVolumePrivilege	1484	powershell.exe
Token: 33	1484	powershell.exe
Token: 34	1484	powershell.exe
Token: 35	1484	powershell.exe
Token: SeIncreaseQuotaPrivilege	1488	powershell.exe
Token: SeSecurityPrivilege	1488	powershell.exe
Token: SeTakeOwnershipPrivilege	1488	powershell.exe
Token: SeLoadDriverPrivilege	1488	powershell.exe
Token: SeSystemProfilePrivilege	1488	powershell.exe
Token: SeSystemtimePrivilege	1488	powershell.exe
Token: SeProfSingleProcessPrivilege	1488	powershell.exe
Token: SeIncBasePriorityPrivilege	1488	powershell.exe
Token: SeCreatePagefilePrivilege	1488	powershell.exe
Token: SeBackupPrivilege	1488	powershell.exe
Token: SeRestorePrivilege	1488	powershell.exe
Token: SeShutdownPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeSystemEnvironmentPrivilege	1488	powershell.exe
Token: SeRemoteShutdownPrivilege	1488	powershell.exe
Token: SeUndockPrivilege	1488	powershell.exe
Token: SeManageVolumePrivilege	1488	powershell.exe
Token: 33	1488	powershell.exe
Token: 34	1488	powershell.exe
Token: 35	1488	powershell.exe
Token: SeIncreaseQuotaPrivilege	1860	powershell.exe
Token: SeSecurityPrivilege	1860	powershell.exe
Token: SeTakeOwnershipPrivilege	1860	powershell.exe
Token: SeLoadDriverPrivilege	1860	powershell.exe
Token: SeSystemProfilePrivilege	1860	powershell.exe
Token: SeSystemtimePrivilege	1860	powershell.exe
Token: SeProfSingleProcessPrivilege	1860	powershell.exe
Token: SeIncBasePriorityPrivilege	1860	powershell.exe
Token: SeCreatePagefilePrivilege	1860	powershell.exe
Token: SeBackupPrivilege	1860	powershell.exe
Token: SeRestorePrivilege	1860	powershell.exe
Token: SeShutdownPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeSystemEnvironmentPrivilege	1860	powershell.exe
Token: SeRemoteShutdownPrivilege	1860	powershell.exe
Token: SeUndockPrivilege	1860	powershell.exe
Token: SeManageVolumePrivilege	1860	powershell.exe
Token: 33	1860	powershell.exe
Token: 34	1860	powershell.exe
Token: 35	1860	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f6200b9b9789794de4a8d78f4ae96d22.exeiexplore.exe

pid process

1808 f6200b9b9789794de4a8d78f4ae96d22.exe
944 iexplore.exe

pid	process
1808	f6200b9b9789794de4a8d78f4ae96d22.exe
944	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f6200b9b9789794de4a8d78f4ae96d22.exef6200b9b9789794de4a8d78f4ae96d22.exeiexplore.exe

description	pid	process	target process
PID 1244 wrote to memory of 1488	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1488	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1488	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1488	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1484	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1484	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1484	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1484	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1860	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1860	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1860	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1860	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1732	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1732	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1732	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 1732	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	powershell.exe
PID 1244 wrote to memory of 928	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 928	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 928	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 928	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 928	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 928	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 928	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1244 wrote to memory of 1808	1244	f6200b9b9789794de4a8d78f4ae96d22.exe	f6200b9b9789794de4a8d78f4ae96d22.exe
PID 1808 wrote to memory of 944	1808	f6200b9b9789794de4a8d78f4ae96d22.exe	iexplore.exe
PID 1808 wrote to memory of 944	1808	f6200b9b9789794de4a8d78f4ae96d22.exe	iexplore.exe
PID 1808 wrote to memory of 944	1808	f6200b9b9789794de4a8d78f4ae96d22.exe	iexplore.exe
PID 1808 wrote to memory of 944	1808	f6200b9b9789794de4a8d78f4ae96d22.exe	iexplore.exe
PID 1808 wrote to memory of 944	1808	f6200b9b9789794de4a8d78f4ae96d22.exe	iexplore.exe
PID 1808 wrote to memory of 944	1808	f6200b9b9789794de4a8d78f4ae96d22.exe	iexplore.exe
PID 1808 wrote to memory of 944	1808	f6200b9b9789794de4a8d78f4ae96d22.exe	iexplore.exe
PID 1808 wrote to memory of 944	1808	f6200b9b9789794de4a8d78f4ae96d22.exe	iexplore.exe
PID 1808 wrote to memory of 944	1808	f6200b9b9789794de4a8d78f4ae96d22.exe	iexplore.exe
PID 944 wrote to memory of 1372	944	iexplore.exe	notepad.exe
PID 944 wrote to memory of 1372	944	iexplore.exe	notepad.exe
PID 944 wrote to memory of 1372	944	iexplore.exe	notepad.exe
PID 944 wrote to memory of 1372	944	iexplore.exe	notepad.exe
PID 944 wrote to memory of 1372	944	iexplore.exe	notepad.exe
PID 944 wrote to memory of 1072	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1072	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1072	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1072	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1072	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1072	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1072	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1072	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1072	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1120	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1120	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1120	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1120	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1120	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1120	944	iexplore.exe	iexplore.exe
PID 944 wrote to memory of 1120	944	iexplore.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

f6200b9b9789794de4a8d78f4ae96d22.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6200b9b9789794de4a8d78f4ae96d22.exe

C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
"C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
2⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1808

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\f6200b9b9789794de4a8d78f4ae96d22.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\notepad.exe
notepad.exe
4⤵
- Deletes itself
PID:1372

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\devzyvbcn0.txt"
4⤵
PID:1072

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\devzyvbcn1.txt"
4⤵
PID:1120

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\devzyvbcn2.txt"
4⤵
PID:1656

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\devzyvbcn3.txt"
4⤵
PID:1720

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\devzyvbcn3.txt"
4⤵
PID:1584

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\devzyvbcn3.txt"
4⤵
PID:1480

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\devzyvbcn4.txt"
4⤵
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\devzyvbcn2.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\devzyvbcn4.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
22fc90d8ac25dc49776d3c9f0e7a5547

SHA1
ae7015f1cc68004e83101d80d358e0ad25e926c6

SHA256
6defbb76c5baea614faf72db098e2f4adf77d0831d92f6b87b965a8c1e0e4413

SHA512
0535abbcf8b474f1526b3939f879be4945ccfddc2fd1612d6c116bf87f3d9fd82329efe77302667586aac24a9af9637f90da2c0320d01df270ed0388bae9aa66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
22fc90d8ac25dc49776d3c9f0e7a5547

SHA1
ae7015f1cc68004e83101d80d358e0ad25e926c6

SHA256
6defbb76c5baea614faf72db098e2f4adf77d0831d92f6b87b965a8c1e0e4413

SHA512
0535abbcf8b474f1526b3939f879be4945ccfddc2fd1612d6c116bf87f3d9fd82329efe77302667586aac24a9af9637f90da2c0320d01df270ed0388bae9aa66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
22fc90d8ac25dc49776d3c9f0e7a5547

SHA1
ae7015f1cc68004e83101d80d358e0ad25e926c6

SHA256
6defbb76c5baea614faf72db098e2f4adf77d0831d92f6b87b965a8c1e0e4413

SHA512
0535abbcf8b474f1526b3939f879be4945ccfddc2fd1612d6c116bf87f3d9fd82329efe77302667586aac24a9af9637f90da2c0320d01df270ed0388bae9aa66

Download Submit
memory/792-105-0x000000000040C2A8-mapping.dmp

Download
memory/792-104-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/944-81-0x00000000005D0000-0x0000000000723000-memory.dmp

Filesize
1.3MB

Download
memory/944-80-0x0000000000401364-mapping.dmp

Download
memory/944-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1072-88-0x0000000000423BC0-mapping.dmp

Download
memory/1072-87-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1120-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1120-91-0x0000000000411654-mapping.dmp

Download
memory/1244-73-0x0000000004EA0000-0x0000000004EE6000-memory.dmp

Filesize
280KB

Download
memory/1244-74-0x0000000002080000-0x00000000020B0000-memory.dmp

Filesize
192KB

Download
memory/1244-53-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1244-55-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1372-84-0x0000000000000000-mapping.dmp

Download
memory/1480-102-0x0000000000413750-mapping.dmp

Download
memory/1480-101-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1484-67-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/1484-57-0x0000000000000000-mapping.dmp

Download
memory/1484-64-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/1488-56-0x0000000000000000-mapping.dmp

Download
memory/1488-59-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/1488-68-0x00000000025C0000-0x000000000320A000-memory.dmp

Filesize
12.3MB

Download
memory/1488-65-0x00000000025C0000-0x000000000320A000-memory.dmp

Filesize
12.3MB

Download
memory/1584-100-0x0000000000413750-mapping.dmp

Download
memory/1656-93-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1656-94-0x0000000000442F04-mapping.dmp

Download
memory/1720-98-0x0000000000413750-mapping.dmp

Download
memory/1732-72-0x0000000002330000-0x0000000002F7A000-memory.dmp

Filesize
12.3MB

Download
memory/1732-69-0x0000000000000000-mapping.dmp

Download
memory/1808-75-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1808-76-0x00000000004010B8-mapping.dmp

Download
memory/1860-66-0x0000000002440000-0x000000000308A000-memory.dmp

Filesize
12.3MB

Download
memory/1860-58-0x0000000000000000-mapping.dmp

Download