xpertrat | e4b8184869d65a34fb9e0fb43d8b6c252cb153f7139485e3fde6d02cd6898242

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
29-09-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

452ea764a4f629c9c4d6880aa215928a.exe
Size

433KB
MD5

452ea764a4f629c9c4d6880aa215928a
SHA1

9b69fcd3856d302da2506e84f220b26dd926e061
SHA256

e4b8184869d65a34fb9e0fb43d8b6c252cb153f7139485e3fde6d02cd6898242
SHA512

c0898afc925e5a6099ca6ba8468aa6ef528b94f921036db0445dd5b2f575fbf4bb25994196fe4af387c43542720215b29422e241e6da172aad22c8824e2281a0

Score

10^/10

xpertrat test evasion rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 31 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2992-123-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral2/memory/2992-124-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1264-127-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3792-129-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3448-131-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1384-133-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2100-135-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4064-137-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3440-139-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1828-141-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2712-143-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1168-145-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1008-147-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1648-149-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/412-151-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2452-153-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1256-155-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3900-157-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/4076-159-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2952-161-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1512-163-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/2068-165-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/744-167-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1160-169-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1804-171-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1336-173-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3148-175-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1548-177-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/1944-179-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3832-181-0x0000000000401364-mapping.dmp	xpertrat
behavioral2/memory/3528-183-0x0000000000401364-mapping.dmp	xpertrat

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

452ea764a4f629c9c4d6880aa215928a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	452ea764a4f629c9c4d6880aa215928a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

452ea764a4f629c9c4d6880aa215928a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	452ea764a4f629c9c4d6880aa215928a.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4060	2992	WerFault.exe	iexplore.exe
1152	1264	WerFault.exe	iexplore.exe
3180	3792	WerFault.exe	iexplore.exe
796	3448	WerFault.exe	iexplore.exe
2312	1384	WerFault.exe	iexplore.exe
3728	2100	WerFault.exe	iexplore.exe
4016	4064	WerFault.exe	iexplore.exe
1764	3440	WerFault.exe	iexplore.exe
604	1828	WerFault.exe	iexplore.exe
1096	2712	WerFault.exe	iexplore.exe
1844	1168	WerFault.exe	iexplore.exe
3200	1008	WerFault.exe	iexplore.exe
1548	1648	WerFault.exe	iexplore.exe
1404	412	WerFault.exe	iexplore.exe
4092	2452	WerFault.exe	iexplore.exe
1156	1256	WerFault.exe	iexplore.exe
504	3900	WerFault.exe	iexplore.exe
2900	4076	WerFault.exe	iexplore.exe
1128	2952	WerFault.exe	iexplore.exe
2156	1512	WerFault.exe	iexplore.exe
2492	2068	WerFault.exe	iexplore.exe
3544	744	WerFault.exe	iexplore.exe
3928	1160	WerFault.exe	iexplore.exe
1496	1804	WerFault.exe	iexplore.exe
1240	1336	WerFault.exe	iexplore.exe
1800	3148	WerFault.exe	iexplore.exe
3924	1548	WerFault.exe	iexplore.exe
3408	1944	WerFault.exe	iexplore.exe
3724	3832	WerFault.exe	iexplore.exe
3564	3528	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 31 IoCs

Processes:

452ea764a4f629c9c4d6880aa215928a.exe452ea764a4f629c9c4d6880aa215928a.exe

description	pid	process	target process
PID 1400 set thread context of 1440	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1440 set thread context of 2992	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1264	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 3792	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 3448	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1384	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 2100	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 4064	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 3440	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1828	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 2712	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1168	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1008	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1648	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 412	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 2452	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1256	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 3900	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 4076	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 2952	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1512	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 2068	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 744	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1160	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1804	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1336	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 3148	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1548	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 1944	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 3832	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 set thread context of 3528	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

452ea764a4f629c9c4d6880aa215928a.exe452ea764a4f629c9c4d6880aa215928a.exe

pid	process
1400	452ea764a4f629c9c4d6880aa215928a.exe
1400	452ea764a4f629c9c4d6880aa215928a.exe
1400	452ea764a4f629c9c4d6880aa215928a.exe
1400	452ea764a4f629c9c4d6880aa215928a.exe
1400	452ea764a4f629c9c4d6880aa215928a.exe
1400	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe
1440	452ea764a4f629c9c4d6880aa215928a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

452ea764a4f629c9c4d6880aa215928a.exe

description pid process

Token: SeDebugPrivilege 1400 452ea764a4f629c9c4d6880aa215928a.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

452ea764a4f629c9c4d6880aa215928a.exe

pid process

1440 452ea764a4f629c9c4d6880aa215928a.exe

description	pid	process
Token: SeDebugPrivilege	1400	452ea764a4f629c9c4d6880aa215928a.exe

pid	process
1440	452ea764a4f629c9c4d6880aa215928a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

452ea764a4f629c9c4d6880aa215928a.exe452ea764a4f629c9c4d6880aa215928a.exe

description	pid	process	target process
PID 1400 wrote to memory of 3020	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1400 wrote to memory of 3020	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1400 wrote to memory of 3020	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1400 wrote to memory of 1440	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1400 wrote to memory of 1440	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1400 wrote to memory of 1440	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1400 wrote to memory of 1440	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1400 wrote to memory of 1440	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1400 wrote to memory of 1440	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1400 wrote to memory of 1440	1400	452ea764a4f629c9c4d6880aa215928a.exe	452ea764a4f629c9c4d6880aa215928a.exe
PID 1440 wrote to memory of 2992	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2992	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2992	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2992	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2992	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2992	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2992	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2992	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1264	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1264	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1264	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1264	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1264	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1264	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1264	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1264	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3792	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3792	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3792	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3792	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3792	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3792	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3792	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3792	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3448	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3448	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3448	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3448	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3448	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3448	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3448	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 3448	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1384	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1384	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1384	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1384	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1384	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1384	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1384	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 1384	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2100	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2100	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2100	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2100	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2100	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2100	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2100	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 2100	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 4064	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 4064	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 4064	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 4064	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 4064	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe
PID 1440 wrote to memory of 4064	1440	452ea764a4f629c9c4d6880aa215928a.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

452ea764a4f629c9c4d6880aa215928a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	452ea764a4f629c9c4d6880aa215928a.exe

C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
"C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
  C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
  2⤵
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
  C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
  2⤵
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1440
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 24
      4⤵
      Program crash
      PID:4060
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 24
      4⤵
      Program crash
      PID:1152
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:3792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 24
      4⤵
      Program crash
      PID:3180
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:3448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 24
      4⤵
      Program crash
      PID:796
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 24
      4⤵
      Program crash
      PID:2312
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 24
      4⤵
      Program crash
      PID:3728
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:4064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 24
      4⤵
      Program crash
      PID:4016
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 24
      4⤵
      Program crash
      PID:1764
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 24
      4⤵
      Program crash
      PID:604
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 24
      4⤵
      Program crash
      PID:1096
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 24
      4⤵
      Program crash
      PID:1844
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 24
      4⤵
      Program crash
      PID:3200
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 24
      4⤵
      Program crash
      PID:1548
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 24
      4⤵
      Program crash
      PID:1404
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:2452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 24
      4⤵
      Program crash
      PID:4092
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 24
      4⤵
      Program crash
      PID:1156
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:3900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 24
      4⤵
      Program crash
      PID:504
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:4076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 24
      4⤵
      Program crash
      PID:2900
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:2952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 24
      4⤵
      Program crash
      PID:1128
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 24
      4⤵
      Program crash
      PID:2156
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:2068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 24
      4⤵
      Program crash
      PID:2492
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 24
      4⤵
      Program crash
      PID:3544
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 24
      4⤵
      Program crash
      PID:3928
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 24
      4⤵
      Program crash
      PID:1496
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 24
      4⤵
      Program crash
      PID:1240
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:3148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 24
      4⤵
      Program crash
      PID:1800
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 24
      4⤵
      Program crash
      PID:3924
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:1944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 24
      4⤵
      Program crash
      PID:3408
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:3832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 24
      4⤵
      Program crash
      PID:3724
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\452ea764a4f629c9c4d6880aa215928a.exe
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 24
      4⤵
      Program crash
      PID:3564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/412-151-0x0000000000401364-mapping.dmp

Download
memory/744-167-0x0000000000401364-mapping.dmp

Download
memory/1008-147-0x0000000000401364-mapping.dmp

Download
memory/1160-169-0x0000000000401364-mapping.dmp

Download
memory/1168-145-0x0000000000401364-mapping.dmp

Download
memory/1256-155-0x0000000000401364-mapping.dmp

Download
memory/1264-127-0x0000000000401364-mapping.dmp

Download
memory/1336-173-0x0000000000401364-mapping.dmp

Download
memory/1384-133-0x0000000000401364-mapping.dmp

Download
memory/1400-118-0x00000000057E0000-0x0000000005810000-memory.dmp

Filesize
192KB

Download
memory/1400-114-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1400-116-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/1400-117-0x00000000054E0000-0x0000000005529000-memory.dmp

Filesize
292KB

Download
memory/1440-119-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1440-125-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1440-120-0x00000000004010B8-mapping.dmp

Download
memory/1512-163-0x0000000000401364-mapping.dmp

Download
memory/1548-177-0x0000000000401364-mapping.dmp

Download
memory/1648-149-0x0000000000401364-mapping.dmp

Download
memory/1804-171-0x0000000000401364-mapping.dmp

Download
memory/1828-141-0x0000000000401364-mapping.dmp

Download
memory/1944-179-0x0000000000401364-mapping.dmp

Download
memory/2068-165-0x0000000000401364-mapping.dmp

Download
memory/2100-135-0x0000000000401364-mapping.dmp

Download
memory/2452-153-0x0000000000401364-mapping.dmp

Download
memory/2712-143-0x0000000000401364-mapping.dmp

Download
memory/2952-161-0x0000000000401364-mapping.dmp

Download
memory/2992-123-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-124-0x0000000000401364-mapping.dmp

Download
memory/3148-175-0x0000000000401364-mapping.dmp

Download
memory/3440-139-0x0000000000401364-mapping.dmp

Download
memory/3448-131-0x0000000000401364-mapping.dmp

Download
memory/3528-183-0x0000000000401364-mapping.dmp

Download
memory/3792-129-0x0000000000401364-mapping.dmp

Download
memory/3832-181-0x0000000000401364-mapping.dmp

Download
memory/3900-157-0x0000000000401364-mapping.dmp

Download
memory/4064-137-0x0000000000401364-mapping.dmp

Download
memory/4076-159-0x0000000000401364-mapping.dmp

Download