Malware Analysis Report

2024-10-23 20:10

Sample ID: 210920-s87bsahben
Target: 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
SHA256: 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
Tags: xpertrat test evasion persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
Threat Level: Known bad

Malicious Activity Summary

Tags: xpertrat test evasion persistence rat trojan

Chain of events in the behavioral run, as the signature tables below record it: the 32-bit sample (PID 2348; its PowerShell children resolve to SysWOW64 and its HKLM Run write lands under WOW6432Node) launches four powershell.exe Test-Connection probes against bing, google, facebook and twitter, writes EnableLUA = 0 so that UAC is off after the next reboot, then starts a second copy of itself (PID 1008) and writes into it. That copy writes into two iexplore.exe processes whose command line is the sample's own path, the tell-tale of process hollowing. The first (PID 1336) crashes and is handled by WerFault.exe; the second (PID 3800) survives and writes into notepad.exe (PID 2472), which deletes the dropper. iexplore.exe (the report does not say which instance) writes the three Run-key persistence values, all pointing at %APPDATA%\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe. The run resolves kapasky-antivirus.firewall-gateway.net and connects to 146.59.132.186:4000 four times.

Signatures (sandbox labels; the evidence for each is in Analysis: behavioral1):

XpertRAT, XpertRAT Core Payload: family identification, no indicator rows
UAC bypass, Checks whether UAC is enabled, System policy modification: the only UAC-related event recorded is the write HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0, which disables UAC rather than bypassing it
Windows security bypass, Windows security modification: HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = 0, written into the redirected 32-bit view
Adds Run key to start application, Adds policy Run key to start application: HKCU Run, HKLM (WOW6432Node) Run and HKLM Policies\Explorer\run values, all written by the hollowed iexplore.exe
Suspicious use of WriteProcessMemory, Suspicious use of SetThreadContext: the hollowing chain sample -> sample -> iexplore.exe (twice) -> notepad.exe
Program crash: iexplore.exe PID 1336, handled by WerFault.exe -u -p 1336 -s 100
Deletes itself: performed by the injected notepad.exe, not by the sample
Suspicious use of SetWindowsHookEx, Enumerates physical storage devices: no indicator rows
Suspicious use of AdjustPrivilegeToken, Suspicious behavior: EnumeratesProcesses: attributed entirely (AdjustPrivilegeToken) or mostly (EnumeratesProcesses) to the powershell.exe children, see the tables

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-09-20 15:48

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-09-20 15:48
Reported: 2021-09-20 15:51
Platform: win10-en-20210920
Max time kernel: 140s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe"

Signatures

UAC bypass (evasion, trojan): no indicator rows recorded.

Windows security bypass (evasion, trojan): no indicator rows recorded.

XpertRAT (rat, xpertrat): family match, no indicator rows recorded.

XpertRAT Core Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds policy Run key to start application (persistence)

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

The writer is the hollowed iexplore.exe, not the sample, so endpoint telemetry attributes this write to Internet Explorer. Explorer processes Policies\Explorer\run at logon just like the ordinary Run key, but it is a location that autorun tooling and analysts inspect less often. The path has no WOW6432Node component even though the writer is a 32-bit process: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies is on the WOW64 shared-key list, so the write landed in the native view and is effective as written.

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A

The deleting process is notepad.exe (PID 2472), which iexplore.exe PID 3800 wrote into (see Suspicious use of WriteProcessMemory below), so the dropper in %TEMP% is removed by injected code in a third-party host process rather than by the sample itself. A detection keyed on "process deletes its own image file" does not fire on this.

Windows security modification (evasion, trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe | N/A

The recorded path is under WOW6432Node: Security Center is not a WOW64 shared key, so the 32-bit sample's write was redirected into the 32-bit view, whereas the 64-bit Security Center service reads HKLM\SOFTWARE\Microsoft\Security Center. The intent (tamper with the Security Center's UAC notification alongside the EnableLUA change below) is clear; the effect on a 64-bit host is not.

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Three copies of the same persistence: the user's HKCU Run key (S-1-5-21-2481030822-2828258191-1606198294-1000 is the Admin account's SID), the HKLM Run key in the 32-bit view (WOW6432Node, because Run is not a shared key; Windows processes both the native and the WOW6432Node Run keys at logon, so this copy still works), and the Policies\Explorer\run value above. All three point at %APPDATA%\<id>\<id>.exe where <id> is L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0, a string that is GUID-shaped but not hexadecimal; a GUID regex restricted to [0-9A-F] does not match it. The Files section below records no write of that .exe and carries no hash for it, so hunt for the directory on the host rather than relying on this report.

Checks whether UAC is enabled (evasion, trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe | N/A

Despite the signature name, the recorded event is a write, not a read: the sample sets EnableLUA to 0, which turns UAC off for the whole machine once it is rebooted (the same event is listed again under System policy modification below). Writing this value needs an elevated token, so the sample was already running as an administrator in this detonation. On a host where it runs unelevated, this write and the HKLM persistence writes fail with access denied, while the HKCU Run value needs no elevation and still lands.
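As an added example (not part of this report and not sandbox or XpertRAT code), a Python script that parses registry rows in the format the tables above use and classifies them with rules for the UAC and persistence behaviour seen here. The rows are copied from this report's tables, with one constructed benign Run value as a control; the rule names, severities and the "self-named Roaming directory" heuristic are this example's own. It also encodes the WOW6432Node caveat: the Security Center write is down-rated because it landed in the redirected 32-bit view.

```python
"""Classify the registry writes a sandbox recorded, before turning them into
detection rules.

Added example for this page; not sandbox or XpertRAT code. Input rows are
copied from the report's "Description Indicator Process Target" tables, plus
one constructed benign row; rule names and severities are this example's own.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe"
IE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
RAT_ID = "L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0"
# The report prints string data with doubled backslashes.
RAT_EXE = r"C:\\Users\\Admin\\AppData\\Roaming\\" + RAT_ID + r"\\" + RAT_ID + ".exe"
HKLM = r"\REGISTRY\MACHINE\SOFTWARE"
HKU_ADMIN = r"\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software"


def set_row(kind, key, data, proc):
    return f'Set value ({kind}) {key} = "{data}" {proc} N/A'


def key_row(key, proc):
    return f"Key created {key} {proc} N/A"


REPORT_ROWS = [
    set_row("int", HKLM + r"\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0", SAMPLE),
    set_row("int", HKLM + r"\WOW6432Node\Microsoft\Security Center\UACDisableNotify", "0", SAMPLE),
    key_row(HKLM + r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\run", IE),
    set_row("str", HKLM + r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\run" + "\\" + RAT_ID, RAT_EXE, IE),
    set_row("str", HKU_ADMIN + r"\Microsoft\Windows\CurrentVersion\Run" + "\\" + RAT_ID, RAT_EXE, IE),
    key_row(HKLM + r"\WOW6432Node\Microsoft\Windows\CurrentVersion\Run", IE),
    set_row("str", HKLM + r"\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\" + RAT_ID, RAT_EXE, IE),
    key_row(HKU_ADMIN + r"\Microsoft\Windows\CurrentVersion\Run", IE),
    # Constructed benign control row: an ordinary per-machine Run value.
    set_row("str", HKLM + r"\Microsoft\Windows\CurrentVersion\Run\OneDrive",
            r"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background",
            r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*?)")?'
    r' (?P<proc>[A-Z]:\\.+?) N/A$'
)


def parse_row(line):
    m = ROW_RE.match(line)
    if not m:
        raise ValueError("unrecognised row: " + line)
    row = m.groupdict()
    if row["data"] is not None:
        row["data"] = row["data"].replace("\\\\", "\\")  # undo the report's escaping
    return row


def canonical(path):
    """Rewrite the kernel-style path as the hive path Windows evaluates.
    Returns (lower-cased path, redirected): a WOW6432Node component means a
    32-bit writer was redirected into the 32-bit view, which matters for keys
    the 64-bit OS reads only from the native view."""
    p = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    p = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+\\", lambda _: "HKCU\\", p)
    redirected = "\\WOW6432Node\\" in p
    return p.replace("\\WOW6432Node\\", "\\").lower(), redirected


ENABLE_LUA = r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua"
UAC_NOTIFY = r"hklm\software\microsoft\security center\uacdisablenotify"
# The install name is GUID-shaped but not hexadecimal (L3Q7J4T2-...), so a
# [0-9A-F] GUID pattern would miss it.
GUID_SHAPED = re.compile(r"^[A-Z0-9]{8}(?:-[A-Z0-9]{4}){3}-[A-Z0-9]{12}$", re.I)


def classify(row):
    """Return a (rule, severity, writer) triple for a parsed row, or None."""
    key, redirected = canonical(row["path"])
    parent, _, name = key.rpartition("\\")
    writer = row["proc"].rsplit("\\", 1)[-1]
    data = (row["data"] or "").lower()
    if key == ENABLE_LUA and data == "0":
        return ("uac_disabled", "high", writer)          # effective after reboot
    if key == UAC_NOTIFY:
        # Security Center is not a WOW64 shared key: a redirected write never
        # reaches the key the 64-bit service reads.
        return ("security_center_tamper", "low" if redirected else "medium", writer)
    if not data:                                         # "Key created" rows carry no value
        return None
    if parent.endswith(r"\policies\explorer\run"):
        return ("policy_run_persistence", "high", writer)
    if parent.endswith(r"\currentversion\run"):
        if GUID_SHAPED.match(name) and data.endswith(f"\\appdata\\roaming\\{name}\\{name}.exe"):
            return ("self_named_roaming_run", "high", writer)
        if "\\appdata\\" in data:
            return ("appdata_run", "medium", writer)
    return None


def triage(lines):
    """Parse every report row and return the findings in report order."""
    findings = []
    for line in lines:
        hit = classify(parse_row(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, severity, writer in triage(REPORT_ROWS):
        print(f"{severity:6} {rule:24} written by {writer}")
```

Running it yields five findings: the EnableLUA write (high), the Security Center write down-rated to low because of the redirection, the Policies\Explorer\run value and the two Run values (all high, all attributed to iexplore.exe); the OneDrive control row produces nothing. Feeding the script your own EDR registry events only requires swapping the parser for your source's field layout; the canonicalisation and rules are the reusable part.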

Enumerates physical storage devices

No indicator rows recorded.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (12 identical rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe | N/A (8 identical rows)

Only the 8 rows from the sample are attributable to the malware; the powershell.exe rows come from the Test-Connection children.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (3 rows)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (the same 21-entry sweep recorded three times; the third copy stops after 34 because the table is cut off at 64 rows)

Every row belongs to powershell.exe and none to the sample, so this signature adds nothing to the verdict. The sweep enables each privilege present in the token in ascending LUID order; the bare numbers are LUIDs the sandbox did not name: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. The presence of SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege and SeDebugPrivilege, which a filtered administrator token does not carry, confirms the detonation ran with a full elevated token, which is what made the HKLM and EnableLUA writes succeed.

Suspicious use of WriteProcessMemory

The 39 rows, grouped by edge (source PID -> target PID, images, number of rows):

2348 (sample) -> 3128 (powershell.exe): 3 rows
2348 (sample) -> 3460 (powershell.exe): 3 rows
2348 (sample) -> 2724 (powershell.exe): 3 rows
2348 (sample) -> 1896 (powershell.exe): 3 rows
2348 (sample) -> 1008 (sample, second instance): 7 rows
1008 (sample) -> 1336 (iexplore.exe): 8 rows
1008 (sample) -> 3800 (iexplore.exe): 8 rows
3800 (iexplore.exe) -> 2472 (notepad.exe): 4 rows

Images: sample = C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe; powershell.exe = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; iexplore.exe = C:\Program Files (x86)\Internet Explorer\iexplore.exe; notepad.exe = C:\Windows\SysWOW64\notepad.exe. Indicator and Target columns are N/A throughout.

Reading: the four PowerShell children each receive the same three writes, consistent with an ordinary child launch rather than injection. The 7- and 8-row edges, together with the Suspicious use of SetThreadContext signature, the iexplore.exe command lines in the Processes section (the sample's path, not iexplore's) and the mapping dumps at 0x4010B8 (PID 1008) and 0x401364 (PIDs 1336 and 3800) in the Files section, are the pattern of process hollowing: create the target suspended, overwrite its image, point the thread context at the new entry and resume. The first iexplore.exe (1336) crashed, hence WerFault.exe -u -p 1336 in the process list and the Program crash signature; the second (3800) ran on and in turn wrote into notepad.exe (2472), which performed the self-deletion.
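As an added example (not the sandbox's code), the rows above and the process list from the Processes section, fed to a Python script that rebuilds the injection chain and flags hollowed processes by three tests: the command line names a different executable than the image, a process wrote into a fresh copy of itself, or the writer was already flagged. PIDs on the process entries are attached from the WriteProcessMemory rows and the WerFault.exe command line, since the report's process list carries none; the pairing of PowerShell PIDs to probe domains is assumed in report order and does not affect the result.

```python
"""Rebuild the injection chain from a sandbox report's
"PID A wrote to memory of B" rows and its process list.

Added example for this page; not sandbox code. The WriteProcessMemory rows and
process entries are copied from the report (rows collapsed to counts and
re-expanded). The report's process list has no PIDs, so the PIDs below are
attached by hand from the WriteProcessMemory rows and the WerFault.exe command
line; which PowerShell PID ran which Test-Connection probe is an assumption.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection '
IE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
NOTEPAD = r"C:\Windows\SysWOW64\notepad.exe"

# (source pid, target pid, source image, target image, rows in the report)
WPM_SUMMARY = [
    (2348, 3128, SAMPLE, PS, 3), (2348, 3460, SAMPLE, PS, 3),
    (2348, 2724, SAMPLE, PS, 3), (2348, 1896, SAMPLE, PS, 3),
    (2348, 1008, SAMPLE, SAMPLE, 7),
    (1008, 1336, SAMPLE, IE, 8), (1008, 3800, SAMPLE, IE, 8),
    (3800, 2472, IE, NOTEPAD, 4),
]
WPM_LINES = [f"PID {s} wrote to memory of {t} N/A {si} {ti}"
             for s, t, si, ti, n in WPM_SUMMARY for _ in range(n)]

PROCESSES = {  # pid: (image path, command line), as listed in the report
    2348: (SAMPLE, f'"{SAMPLE}"'),
    3128: (PS, PS_CMD + "www.bing.com"),      # PID-to-probe pairing assumed
    3460: (PS, PS_CMD + "www.google.com"),
    2724: (PS, PS_CMD + "www.facebook.com"),
    1896: (PS, PS_CMD + "www.twitter.com"),
    1008: (SAMPLE, SAMPLE),
    1336: (IE, SAMPLE),                        # crashed: WerFault.exe -u -p 1336
    3800: (IE, SAMPLE),
    2472: (NOTEPAD, "notepad.exe"),
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Z]:\\.+?\.exe) ([A-Z]:\\.+?\.exe)$")


def parse_wpm(line):
    m = WPM_RE.match(line)
    if not m:
        raise ValueError("unrecognised row: " + line)
    src, dst, src_img, dst_img = m.groups()
    return int(src), int(dst), src_img, dst_img


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_exe(cmdline):
    """Executable named by a command line: the quoted token, else the first word."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def analyze(wpm_lines, processes):
    """Return (write counts per edge, {pid: reason} for processes that look
    injected). Sandbox rows are chronological, so a writer is examined before
    anything it wrote into, which lets suspicion propagate down the chain."""
    writes = Counter()
    for line in wpm_lines:
        src, dst, _, _ = parse_wpm(line)
        writes[(src, dst)] += 1
    flagged = {}
    for (src, dst), n in writes.items():
        src_img = basename(processes[src][0])
        dst_img, dst_cmd = processes[dst]
        dst_img = basename(dst_img)
        # Compare basenames, not full paths: WOW64 maps the System32 path in the
        # PowerShell command lines to SysWOW64 on disk, which is benign.
        named = basename(cmdline_exe(dst_cmd))
        if named != dst_img:
            flagged[dst] = f"image {dst_img} but command line names {named} (hollowed, {n} writes)"
        elif src_img == dst_img:
            flagged[dst] = f"{src_img} wrote into a fresh copy of itself ({n} writes)"
        elif src in flagged:
            flagged[dst] = f"written by already-flagged PID {src} ({n} writes)"
    return writes, flagged


if __name__ == "__main__":
    _, flagged = analyze(WPM_LINES, PROCESSES)
    for pid, reason in flagged.items():
        print(pid, reason)
```

The output flags exactly PIDs 1008, 1336, 3800 and 2472 and leaves the four PowerShell children alone: the write count on its own would not separate them (3 versus 4 for notepad.exe), the command-line test catches both iexplore.exe instances, and the propagation rule is what brings in notepad.exe, whose command line is perfectly ordinary.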

System policy modification (evasion)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe | N/A

This is the same single write already listed under Checks whether UAC is enabled; two signatures firing does not mean two events.

Processes

Image path, then the command line the sandbox recorded, indented by parent. PIDs come from the WriteProcessMemory rows and the WerFault.exe command line; the report does not say which of the four PowerShell PIDs (3128, 3460, 2724, 1896) ran which probe. SAMPLE stands for C:\Users\Admin\AppData\Local\Temp\85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a.exe.

SAMPLE  (PID 2348)
    "SAMPLE"
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
  SAMPLE  (PID 1008)
      SAMPLE
    C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 1336)
        SAMPLE
      C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 100
    C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 3800)
        SAMPLE
      C:\Windows\SysWOW64\notepad.exe  (PID 2472)
          notepad.exe

Two things to read off this list. First, the PowerShell command lines name System32 but the image on disk is SysWOW64: WOW64 file-system redirection remapped the path because the caller is 32-bit, which together with the WOW6432Node registry paths pins the sample as a 32-bit executable. Second, both iexplore.exe processes carry the sample's path as their command line, because the injector created them with its own command line and then replaced the image in memory; checking that the executable named in a process's command line matches its image path catches this class of hollowing whenever the injector does not bother to fake a matching command line. The nesting is inferred from the WriteProcessMemory rows; WerFault.exe is placed under PID 1336 because its -p argument names that process.

Network

Country | Destination | Domain | Proto | Rows
US | 8.8.8.8:53 | www.bing.com | udp | 1
US | 8.8.8.8:53 | www.facebook.com | udp | 1
US | 8.8.8.8:53 | www.twitter.com | udp | 1
US | 8.8.8.8:53 | kapasky-antivirus.firewall-gateway.net | udp | 2
FR | 146.59.132.186:4000 | kapasky-antivirus.firewall-gateway.net | tcp | 4

The first three lookups come from the PowerShell Test-Connection probes; no query for www.google.com was captured. The command-and-control host is kapasky-antivirus.firewall-gateway.net, resolved to 146.59.132.186 and contacted four times on TCP/4000 within the 149 s network window. firewall-gateway.net is a dynamic-DNS parent domain, so the address can change; pivot on the hostname and the port rather than the IP alone. The "kapasky-antivirus" label imitates Kaspersky; do not treat it as benign on the strength of the name.

Files

Memory dumps grouped by PID. The file name encodes PID, sequence number and address range; for the three hollowed processes the "mapping" dump address (0x4010B8 in PID 1008, 0x401364 in PIDs 1336 and 3800) lies inside a 0x400000-based image, which is the injected payload rather than anything the host process loaded.

PID 2348, sample, first instance
memory/2348-115-0x0000000000470000-0x0000000000471000-memory.dmp
memory/2348-117-0x00000000052D0000-0x00000000052D1000-memory.dmp
memory/2348-118-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
memory/2348-119-0x0000000004CC0000-0x0000000004D52000-memory.dmp
memory/2348-120-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
memory/2348-503-0x0000000007130000-0x0000000007176000-memory.dmp
memory/2348-504-0x0000000004F50000-0x0000000004F80000-memory.dmp

PID 3128, powershell.exe
memory/3128-121-0x0000000000000000-mapping.dmp
memory/3128-136-0x00000000067C0000-0x00000000067C1000-memory.dmp
memory/3128-139-0x00000000067C2000-0x00000000067C3000-memory.dmp
memory/3128-142-0x0000000006C60000-0x0000000006C61000-memory.dmp
memory/3128-146-0x0000000006D70000-0x0000000006D71000-memory.dmp
memory/3128-151-0x0000000007610000-0x0000000007611000-memory.dmp
memory/3128-154-0x0000000007550000-0x0000000007551000-memory.dmp
memory/3128-208-0x00000000067C3000-0x00000000067C4000-memory.dmp

PID 3460, powershell.exe
memory/3460-122-0x0000000000000000-mapping.dmp
memory/3460-133-0x0000000007940000-0x0000000007941000-memory.dmp
memory/3460-138-0x0000000004E30000-0x0000000004E31000-memory.dmp
memory/3460-140-0x0000000004E32000-0x0000000004E33000-memory.dmp
memory/3460-157-0x0000000008780000-0x0000000008781000-memory.dmp
memory/3460-160-0x00000000089C0000-0x00000000089C1000-memory.dmp
memory/3460-178-0x0000000009730000-0x0000000009731000-memory.dmp
memory/3460-180-0x0000000009780000-0x0000000009781000-memory.dmp
memory/3460-209-0x0000000004E33000-0x0000000004E34000-memory.dmp

PID 2724, powershell.exe
memory/2724-123-0x0000000000000000-mapping.dmp
memory/2724-130-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
memory/2724-137-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
memory/2724-141-0x0000000000EE2000-0x0000000000EE3000-memory.dmp
memory/2724-148-0x0000000007640000-0x0000000007641000-memory.dmp
memory/2724-173-0x0000000008B70000-0x0000000008B71000-memory.dmp
memory/2724-203-0x0000000009C90000-0x0000000009C91000-memory.dmp
memory/2724-207-0x0000000000EE3000-0x0000000000EE4000-memory.dmp

PID 1896, powershell.exe
memory/1896-407-0x0000000000000000-mapping.dmp
memory/1896-420-0x0000000001180000-0x0000000001181000-memory.dmp
memory/1896-421-0x0000000001182000-0x0000000001183000-memory.dmp
memory/1896-434-0x0000000001183000-0x0000000001184000-memory.dmp

PID 1008, sample, second instance (the 0x400000-0x42C000 region PID 2348 wrote into; these are the dumps to pull for static analysis of the unpacked payload)
memory/1008-505-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1008-506-0x00000000004010B8-mapping.dmp
memory/1008-511-0x0000000000400000-0x000000000042C000-memory.dmp

PIDs 1336 and 3800, iexplore.exe (the same entry address in both, i.e. the same payload image mapped into each hollowed process)
memory/1336-510-0x0000000000401364-mapping.dmp
memory/3800-513-0x0000000000401364-mapping.dmp

PID 2472, notepad.exe
memory/2472-521-0x0000000000000000-mapping.dmp

Dropped files (both are powershell.exe's own non-interactive startup profile cache, an artefact of the Test-Connection children rather than of the malware):

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 ad6bde808bdc16964ad7a372e7b73cfd
SHA1 2194901b8e870a408b4aa4d0534d9df9c6060b9d
SHA256 4025d9a34e53b11408497c52a42f477697c240c351e6ba44404fee866730a45b
SHA512 57aad0c89654751afc3e8f71924a5a9de569e88c55f05b5cab18491960bc9d09ee7f7d106cea3c3ac09b8099efaff52fd47645f7e6869d0f06cee3d60d66a66f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 517212a16fbab4b6cf90069cfeadc27f
SHA1 755aafbaa6e73cdf728cb198e7d0af1623ed6459
SHA256 dd3143f6dea807befafc7bac40a2aee4a52e8f09af9665e26569a2b7883eec88
SHA512 dc20545e5b22185a060b918691406b8b070ec727298b76c7064c29047aa90054df95ad8433eebfddde8893bf501ee808bc3f0b7ecf00c8d30b161f83bce8de8e

The RAT's own copy, %APPDATA%\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe, which every persistence value references, is absent from this list, so the report carries no hash for it.