xpertrat | fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98

General

Target

fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
Size

358KB
MD5

d952cb0acf14545d0e6da5509db9088d
SHA1

9e4c5b31c821cc46f8eba61d65442f0bdbe67b98
SHA256

fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98
SHA512

e66869cc859af82d4ad9db0c877d949905e3f28876e1022f434083e6f26492e3edac72624ce3143ca85446f4bce7ed208e41f846c5bcb13af7343047c7df8ebc

Score

10^/10

xpertrat test evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4184-979-0x0000000000401364-mapping.dmp	xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

4396 notepad.exe

pid	process
4396	notepad.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4844 4680 WerFault.exe iexplore.exe

pid	pid_target	process	target process
4844	4680	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exefed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

description	pid	process	target process
PID 856 set thread context of 4636	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 4636 set thread context of 4680	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 set thread context of 4184	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exefed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exefed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

pid	process
1472	powershell.exe
1472	powershell.exe
1472	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3164	powershell.exe
3164	powershell.exe
3164	powershell.exe
2152	powershell.exe
2152	powershell.exe
2152	powershell.exe
2056	powershell.exe
2056	powershell.exe
2056	powershell.exe
856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeIncreaseQuotaPrivilege	1472	powershell.exe
Token: SeSecurityPrivilege	1472	powershell.exe
Token: SeTakeOwnershipPrivilege	1472	powershell.exe
Token: SeLoadDriverPrivilege	1472	powershell.exe
Token: SeSystemProfilePrivilege	1472	powershell.exe
Token: SeSystemtimePrivilege	1472	powershell.exe
Token: SeProfSingleProcessPrivilege	1472	powershell.exe
Token: SeIncBasePriorityPrivilege	1472	powershell.exe
Token: SeCreatePagefilePrivilege	1472	powershell.exe
Token: SeBackupPrivilege	1472	powershell.exe
Token: SeRestorePrivilege	1472	powershell.exe
Token: SeShutdownPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeSystemEnvironmentPrivilege	1472	powershell.exe
Token: SeRemoteShutdownPrivilege	1472	powershell.exe
Token: SeUndockPrivilege	1472	powershell.exe
Token: SeManageVolumePrivilege	1472	powershell.exe
Token: 33	1472	powershell.exe
Token: 34	1472	powershell.exe
Token: 35	1472	powershell.exe
Token: 36	1472	powershell.exe
Token: SeIncreaseQuotaPrivilege	1472	powershell.exe
Token: SeSecurityPrivilege	1472	powershell.exe
Token: SeTakeOwnershipPrivilege	1472	powershell.exe
Token: SeLoadDriverPrivilege	1472	powershell.exe
Token: SeSystemProfilePrivilege	1472	powershell.exe
Token: SeSystemtimePrivilege	1472	powershell.exe
Token: SeProfSingleProcessPrivilege	1472	powershell.exe
Token: SeIncBasePriorityPrivilege	1472	powershell.exe
Token: SeCreatePagefilePrivilege	1472	powershell.exe
Token: SeBackupPrivilege	1472	powershell.exe
Token: SeRestorePrivilege	1472	powershell.exe
Token: SeShutdownPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeSystemEnvironmentPrivilege	1472	powershell.exe
Token: SeRemoteShutdownPrivilege	1472	powershell.exe
Token: SeUndockPrivilege	1472	powershell.exe
Token: SeManageVolumePrivilege	1472	powershell.exe
Token: 33	1472	powershell.exe
Token: 34	1472	powershell.exe
Token: 35	1472	powershell.exe
Token: 36	1472	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeIncreaseQuotaPrivilege	3524	powershell.exe
Token: SeSecurityPrivilege	3524	powershell.exe
Token: SeTakeOwnershipPrivilege	3524	powershell.exe
Token: SeLoadDriverPrivilege	3524	powershell.exe
Token: SeSystemProfilePrivilege	3524	powershell.exe
Token: SeSystemtimePrivilege	3524	powershell.exe
Token: SeProfSingleProcessPrivilege	3524	powershell.exe
Token: SeIncBasePriorityPrivilege	3524	powershell.exe
Token: SeCreatePagefilePrivilege	3524	powershell.exe
Token: SeBackupPrivilege	3524	powershell.exe
Token: SeRestorePrivilege	3524	powershell.exe
Token: SeShutdownPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeSystemEnvironmentPrivilege	3524	powershell.exe
Token: SeRemoteShutdownPrivilege	3524	powershell.exe
Token: SeUndockPrivilege	3524	powershell.exe
Token: SeManageVolumePrivilege	3524	powershell.exe
Token: 33	3524	powershell.exe
Token: 34	3524	powershell.exe
Token: 35	3524	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exeiexplore.exe

pid process

4636 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
4184 iexplore.exe

pid	process
4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
4184	iexplore.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exefed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exeiexplore.exe

description	pid	process	target process
PID 856 wrote to memory of 1472	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 1472	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 1472	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 3524	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 3524	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 3524	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 3164	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 3164	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 3164	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 2152	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 2152	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 2152	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 2056	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 2056	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 2056	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	powershell.exe
PID 856 wrote to memory of 4628	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 856 wrote to memory of 4628	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 856 wrote to memory of 4628	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 856 wrote to memory of 4636	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 856 wrote to memory of 4636	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 856 wrote to memory of 4636	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 856 wrote to memory of 4636	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 856 wrote to memory of 4636	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 856 wrote to memory of 4636	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 856 wrote to memory of 4636	856	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 4636 wrote to memory of 4680	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4680	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4680	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4680	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4680	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4680	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4680	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4680	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4184	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4184	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4184	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4184	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4184	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4184	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4184	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4636 wrote to memory of 4184	4636	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe	iexplore.exe
PID 4184 wrote to memory of 4396	4184	iexplore.exe	notepad.exe
PID 4184 wrote to memory of 4396	4184	iexplore.exe	notepad.exe
PID 4184 wrote to memory of 4396	4184	iexplore.exe	notepad.exe
PID 4184 wrote to memory of 4396	4184	iexplore.exe	notepad.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
"C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
2⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4636

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
3⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 100
4⤵
- Program crash
PID:4844

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\notepad.exe
notepad.exe
4⤵
- Deletes itself
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
a4022a7d2b113226b000be0705680813

SHA1
599e22d03201704127a045ca53ffb78f9ea3b6c3

SHA256
2557a14e476d55330043af2858dbf1377e24dba3fa9aedc369d5feefefb7f9a7

SHA512
40ef88632a4ad38a7d21c640a7f0c8cd7c76b8451f55dd758c15baa5a90f4f0938de409426570c4405362fd2d90fadd96d23d190e09692b5fbe2c87ebc8d3c60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d1ec9cd6560363ddd51286ee5be7f4cb

SHA1
7654334b1448bfb658f6a7f47fe2a481f32d04e9

SHA256
b69e201979648681a4ddecb5740fa147d2293a30e776ce88c33a559c7b077ba2

SHA512
49c4cef1aabc9f130ef8f11d11aaab8a0c717a233603e631811f2ec951d3409a35bb2428e8a511e077a6082d04ac66440d34da3b79d24e18368faa63a08a8d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5d3520b624519918c2d1189a0d742305

SHA1
6f5c195e191184fdb979da0c11b5987f5f23c8f0

SHA256
30c9cac386ff3341cf12ef67bcfd1119ca2c7aa940a616bf2043bf072f1214dc

SHA512
8a4faa9b47a124fe2ea06325f0a05ad428bae576fada3e33063277d7ba7b6767f73992367afaf8201a369116ad6c5d1c7722e74d8ee6524f71f32485b4709c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f15dab6f52e0cfb14d8c05bb65784476

SHA1
b98ac39358fe9308d316e0d70cecfa06079dc455

SHA256
3aafcbeb42525433579057f4ee0c0d72efeee392c167f623065065ba3b9bc326

SHA512
ebe42993718945444ece06d4b7fcfc6350efe2ea2a8a5504ac085404470a8b1a08d4715377dd83a3d02722f4bc02110d18682812683772aa64d74908ebd74e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4c47e0799b229c363b13ee204c19e2ee

SHA1
dcb85af254ed6f2f6e6af751db64faec255458eb

SHA256
c5d7eab9f9fc0a305b79374145393d16d7e76084d88f6e26cd49e0908bd7d8b3

SHA512
86ab4ed36840c2036deb677e2830e43e1ac2b2f66d1d5225589a2208340597a3e75bc960e2874b9fe62ee2e0c6a78313096a0496c51ebb97aaf94108af7cc392

Download Submit
memory/856-118-0x0000000005210000-0x000000000570E000-memory.dmp

Filesize
5.0MB

Download
memory/856-119-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/856-117-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/856-114-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/856-116-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1472-131-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/1472-154-0x0000000001243000-0x0000000001244000-memory.dmp

Filesize
4KB

Download
memory/1472-132-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/1472-133-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/1472-138-0x0000000008F90000-0x0000000008F91000-memory.dmp

Filesize
4KB

Download
memory/1472-139-0x0000000008E70000-0x0000000008E71000-memory.dmp

Filesize
4KB

Download
memory/1472-140-0x0000000008EE0000-0x0000000008EE1000-memory.dmp

Filesize
4KB

Download
memory/1472-128-0x0000000001242000-0x0000000001243000-memory.dmp

Filesize
4KB

Download
memory/1472-151-0x000000000A0B0000-0x000000000A0B1000-memory.dmp

Filesize
4KB

Download
memory/1472-130-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/1472-129-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/1472-127-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/1472-126-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/1472-125-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/1472-124-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/1472-123-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1472-120-0x0000000000000000-mapping.dmp

Download
memory/2056-603-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/2056-692-0x0000000006EB3000-0x0000000006EB4000-memory.dmp

Filesize
4KB

Download
memory/2056-592-0x0000000000000000-mapping.dmp

Download
memory/2056-604-0x0000000006EB2000-0x0000000006EB3000-memory.dmp

Filesize
4KB

Download
memory/2152-443-0x0000000006822000-0x0000000006823000-memory.dmp

Filesize
4KB

Download
memory/2152-527-0x0000000006823000-0x0000000006824000-memory.dmp

Filesize
4KB

Download
memory/2152-413-0x0000000000000000-mapping.dmp

Download
memory/2152-442-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/3164-284-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/3164-286-0x0000000001122000-0x0000000001123000-memory.dmp

Filesize
4KB

Download
memory/3164-390-0x0000000001123000-0x0000000001124000-memory.dmp

Filesize
4KB

Download
memory/3164-276-0x0000000000000000-mapping.dmp

Download
memory/3524-227-0x0000000005093000-0x0000000005094000-memory.dmp

Filesize
4KB

Download
memory/3524-156-0x0000000005092000-0x0000000005093000-memory.dmp

Filesize
4KB

Download
memory/3524-155-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3524-145-0x0000000000000000-mapping.dmp

Download
memory/4184-979-0x0000000000401364-mapping.dmp

Download
memory/4396-1016-0x0000000000000000-mapping.dmp

Download
memory/4636-854-0x00000000004010B8-mapping.dmp

Download
memory/4636-902-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4680-859-0x0000000000401364-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads