xpertrat | 3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa

General

Target

4ef7b35bd9151fc5538c06ae79a0e2fc.exe
Size

1.4MB
MD5

4ef7b35bd9151fc5538c06ae79a0e2fc
SHA1

c45198609f71e795ccc9e5a2ec1ad3162141da76
SHA256

3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa
SHA512

aef9ad91b889f4c615dc278ebedc0017a32b3024fef812ae90929dac7c83a0cb4a41fcb26d4bee2588ffebf50745cdd9174a73e44b83db99fefccf6e9b18615d

Score

10^/10

xpertrat test evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1592-1643-0x0000000000401364-mapping.dmp	xpertrat

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/368-1658-0x0000000000411654-mapping.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2144-1662-0x0000000000442F04-mapping.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/368-1658-0x0000000000411654-mapping.dmp	Nirsoft
behavioral2/memory/2144-1662-0x0000000000442F04-mapping.dmp	Nirsoft
behavioral2/memory/2308-1671-0x000000000040C2A8-mapping.dmp	Nirsoft

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1060 notepad.exe

pid	process
1060	notepad.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

4ef7b35bd9151fc5538c06ae79a0e2fc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	4ef7b35bd9151fc5538c06ae79a0e2fc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4ef7b35bd9151fc5538c06ae79a0e2fc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ef7b35bd9151fc5538c06ae79a0e2fc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2356	3460	WerFault.exe	iexplore.exe
2100	1544	WerFault.exe	iexplore.exe
1608	3008	WerFault.exe	iexplore.exe
2236	2524	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

4ef7b35bd9151fc5538c06ae79a0e2fc.exe4ef7b35bd9151fc5538c06ae79a0e2fc.exeiexplore.exe

description	pid	process	target process
PID 656 set thread context of 2248	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 2248 set thread context of 3460	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 set thread context of 1544	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 set thread context of 3008	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 set thread context of 1592	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 1592 set thread context of 1308	1592	iexplore.exe	iexplore.exe
PID 1592 set thread context of 2524	1592	iexplore.exe	iexplore.exe
PID 1592 set thread context of 368	1592	iexplore.exe	iexplore.exe
PID 1592 set thread context of 2144	1592	iexplore.exe	iexplore.exe
PID 1592 set thread context of 2536	1592	iexplore.exe	iexplore.exe
PID 1592 set thread context of 2308	1592	iexplore.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.exepowershell.exe4ef7b35bd9151fc5538c06ae79a0e2fc.exe4ef7b35bd9151fc5538c06ae79a0e2fc.exeiexplore.exeiexplore.exe

pid	process
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
768	powershell.exe
768	powershell.exe
768	powershell.exe
2796	powershell.exe
2796	powershell.exe
2796	powershell.exe
656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
1308	iexplore.exe
1308	iexplore.exe
2144	iexplore.exe
2144	iexplore.exe
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeIncreaseQuotaPrivilege	4012	powershell.exe
Token: SeSecurityPrivilege	4012	powershell.exe
Token: SeTakeOwnershipPrivilege	4012	powershell.exe
Token: SeLoadDriverPrivilege	4012	powershell.exe
Token: SeSystemProfilePrivilege	4012	powershell.exe
Token: SeSystemtimePrivilege	4012	powershell.exe
Token: SeProfSingleProcessPrivilege	4012	powershell.exe
Token: SeIncBasePriorityPrivilege	4012	powershell.exe
Token: SeCreatePagefilePrivilege	4012	powershell.exe
Token: SeBackupPrivilege	4012	powershell.exe
Token: SeRestorePrivilege	4012	powershell.exe
Token: SeShutdownPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeSystemEnvironmentPrivilege	4012	powershell.exe
Token: SeRemoteShutdownPrivilege	4012	powershell.exe
Token: SeUndockPrivilege	4012	powershell.exe
Token: SeManageVolumePrivilege	4012	powershell.exe
Token: 33	4012	powershell.exe
Token: 34	4012	powershell.exe
Token: 35	4012	powershell.exe
Token: 36	4012	powershell.exe
Token: SeIncreaseQuotaPrivilege	4012	powershell.exe
Token: SeSecurityPrivilege	4012	powershell.exe
Token: SeTakeOwnershipPrivilege	4012	powershell.exe
Token: SeLoadDriverPrivilege	4012	powershell.exe
Token: SeSystemProfilePrivilege	4012	powershell.exe
Token: SeSystemtimePrivilege	4012	powershell.exe
Token: SeProfSingleProcessPrivilege	4012	powershell.exe
Token: SeIncBasePriorityPrivilege	4012	powershell.exe
Token: SeCreatePagefilePrivilege	4012	powershell.exe
Token: SeBackupPrivilege	4012	powershell.exe
Token: SeRestorePrivilege	4012	powershell.exe
Token: SeShutdownPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeSystemEnvironmentPrivilege	4012	powershell.exe
Token: SeRemoteShutdownPrivilege	4012	powershell.exe
Token: SeUndockPrivilege	4012	powershell.exe
Token: SeManageVolumePrivilege	4012	powershell.exe
Token: 33	4012	powershell.exe
Token: 34	4012	powershell.exe
Token: 35	4012	powershell.exe
Token: 36	4012	powershell.exe
Token: SeIncreaseQuotaPrivilege	4012	powershell.exe
Token: SeSecurityPrivilege	4012	powershell.exe
Token: SeTakeOwnershipPrivilege	4012	powershell.exe
Token: SeLoadDriverPrivilege	4012	powershell.exe
Token: SeSystemProfilePrivilege	4012	powershell.exe
Token: SeSystemtimePrivilege	4012	powershell.exe
Token: SeProfSingleProcessPrivilege	4012	powershell.exe
Token: SeIncBasePriorityPrivilege	4012	powershell.exe
Token: SeCreatePagefilePrivilege	4012	powershell.exe
Token: SeBackupPrivilege	4012	powershell.exe
Token: SeRestorePrivilege	4012	powershell.exe
Token: SeShutdownPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeSystemEnvironmentPrivilege	4012	powershell.exe
Token: SeRemoteShutdownPrivilege	4012	powershell.exe
Token: SeUndockPrivilege	4012	powershell.exe
Token: SeManageVolumePrivilege	4012	powershell.exe
Token: 33	4012	powershell.exe
Token: 34	4012	powershell.exe
Token: 35	4012	powershell.exe
Token: 36	4012	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4ef7b35bd9151fc5538c06ae79a0e2fc.exeiexplore.exe

pid process

2248 4ef7b35bd9151fc5538c06ae79a0e2fc.exe
1592 iexplore.exe

pid	process
2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
1592	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ef7b35bd9151fc5538c06ae79a0e2fc.exe4ef7b35bd9151fc5538c06ae79a0e2fc.exeiexplore.exe

description	pid	process	target process
PID 656 wrote to memory of 4012	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	powershell.exe
PID 656 wrote to memory of 4012	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	powershell.exe
PID 656 wrote to memory of 4012	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	powershell.exe
PID 656 wrote to memory of 768	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	powershell.exe
PID 656 wrote to memory of 768	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	powershell.exe
PID 656 wrote to memory of 768	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	powershell.exe
PID 656 wrote to memory of 2796	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	powershell.exe
PID 656 wrote to memory of 2796	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	powershell.exe
PID 656 wrote to memory of 2796	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	powershell.exe
PID 656 wrote to memory of 3940	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 656 wrote to memory of 3940	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 656 wrote to memory of 3940	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 656 wrote to memory of 2248	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 656 wrote to memory of 2248	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 656 wrote to memory of 2248	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 656 wrote to memory of 2248	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 656 wrote to memory of 2248	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 656 wrote to memory of 2248	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 656 wrote to memory of 2248	656	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	4ef7b35bd9151fc5538c06ae79a0e2fc.exe
PID 2248 wrote to memory of 3460	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3460	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3460	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3460	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3460	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3460	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3460	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3460	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1544	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1544	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1544	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1544	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1544	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1544	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1544	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1544	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3008	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3008	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3008	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3008	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3008	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3008	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3008	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 3008	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1592	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1592	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1592	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1592	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1592	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1592	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1592	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 2248 wrote to memory of 1592	2248	4ef7b35bd9151fc5538c06ae79a0e2fc.exe	iexplore.exe
PID 1592 wrote to memory of 1060	1592	iexplore.exe	notepad.exe
PID 1592 wrote to memory of 1060	1592	iexplore.exe	notepad.exe
PID 1592 wrote to memory of 1060	1592	iexplore.exe	notepad.exe
PID 1592 wrote to memory of 1060	1592	iexplore.exe	notepad.exe
PID 1592 wrote to memory of 1308	1592	iexplore.exe	iexplore.exe
PID 1592 wrote to memory of 1308	1592	iexplore.exe	iexplore.exe
PID 1592 wrote to memory of 1308	1592	iexplore.exe	iexplore.exe
PID 1592 wrote to memory of 1308	1592	iexplore.exe	iexplore.exe
PID 1592 wrote to memory of 1308	1592	iexplore.exe	iexplore.exe
PID 1592 wrote to memory of 1308	1592	iexplore.exe	iexplore.exe
PID 1592 wrote to memory of 1308	1592	iexplore.exe	iexplore.exe
PID 1592 wrote to memory of 1308	1592	iexplore.exe	iexplore.exe
PID 1592 wrote to memory of 2524	1592	iexplore.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

4ef7b35bd9151fc5538c06ae79a0e2fc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ef7b35bd9151fc5538c06ae79a0e2fc.exe

C:\Users\Admin\AppData\Local\Temp\4ef7b35bd9151fc5538c06ae79a0e2fc.exe
"C:\Users\Admin\AppData\Local\Temp\4ef7b35bd9151fc5538c06ae79a0e2fc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2796

C:\Users\Admin\AppData\Local\Temp\4ef7b35bd9151fc5538c06ae79a0e2fc.exe
C:\Users\Admin\AppData\Local\Temp\4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\4ef7b35bd9151fc5538c06ae79a0e2fc.exe
C:\Users\Admin\AppData\Local\Temp\4ef7b35bd9151fc5538c06ae79a0e2fc.exe
2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2248

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\4ef7b35bd9151fc5538c06ae79a0e2fc.exe
3⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 92
4⤵
- Program crash
PID:2356

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\4ef7b35bd9151fc5538c06ae79a0e2fc.exe
3⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 92
4⤵
- Program crash
PID:2100

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\4ef7b35bd9151fc5538c06ae79a0e2fc.exe
3⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 92
4⤵
- Program crash
PID:1608

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\4ef7b35bd9151fc5538c06ae79a0e2fc.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\notepad.exe
notepad.exe
4⤵
- Deletes itself
PID:1060

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\hvmggfrsb0.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\hvmggfrsb1.txt"
4⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 92
5⤵
- Program crash
PID:2236

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\hvmggfrsb1.txt"
4⤵
PID:368

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\hvmggfrsb2.txt"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\hvmggfrsb3.txt"
4⤵
PID:2536

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\hvmggfrsb4.txt"
4⤵
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

6

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1712dab0a1bf4e9e3ff666b9c431550d

SHA1
34d1dec8fa95f62c72cb3f92a22c13ad9eece10f

SHA256
7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97

SHA512
6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
1c33ff599b382b705675229c91fc2f99

SHA1
c20086746c14c5d57be9a3df47bd75fa77abe7e0

SHA256
d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a

SHA512
5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ffbbd29210916d2cbd65cec2b8d6f876

SHA1
108820c1e1f48c5f298ffcab0db9250c20367d43

SHA256
957db90aa5a343d8b8c6d1881943b067663a69e712b9f7cea8d1e718140e0c3d

SHA512
c90366e998dd49992c3c7656e9f2c97a20ca39aa18079e811bd6617ef5e79645af8051a7c1e6c88abacd5f71d60fee5150482e891f19f6143f2605f0207da6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2d8c1492696e18b90e37877e059bb531

SHA1
0a754251c58658345fee6c9913d31485c958591a

SHA256
977d30f568dfea4a0273b20f3534a702ec88923d029c890f31e24c3dfb10206d

SHA512
ff4489e525361b3e1165bf64d995bb78a7896d5e6820fed968fe4fb189054e9b0a05b2ea3a459758b6b4072e58be1f4a73b532c32c00782275fa5caa35f9e223

Download Submit
C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\hvmggfrsb2.txt
MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\hvmggfrsb4.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/368-1658-0x0000000000411654-mapping.dmp

Download
memory/656-114-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/656-1632-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/768-676-0x0000000000000000-mapping.dmp

Download
memory/768-1038-0x0000000000946000-0x0000000000947000-memory.dmp

Filesize
4KB

Download
memory/768-749-0x0000000000944000-0x0000000000946000-memory.dmp

Filesize
8KB

Download
memory/768-747-0x0000000000943000-0x0000000000944000-memory.dmp

Filesize
4KB

Download
memory/768-691-0x0000000000942000-0x0000000000943000-memory.dmp

Filesize
4KB

Download
memory/768-690-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1060-1650-0x0000000000000000-mapping.dmp

Download
memory/1308-1652-0x0000000000423BC0-mapping.dmp

Download
memory/1544-1639-0x0000000000401364-mapping.dmp

Download
memory/1592-1643-0x0000000000401364-mapping.dmp

Download
memory/2144-1662-0x0000000000442F04-mapping.dmp

Download
memory/2248-1631-0x00000000004010B8-mapping.dmp

Download
memory/2248-1637-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2308-1671-0x000000000040C2A8-mapping.dmp

Download
memory/2524-1656-0x0000000000411654-mapping.dmp

Download
memory/2536-1667-0x0000000000413750-mapping.dmp

Download
memory/2796-1153-0x0000000000000000-mapping.dmp

Download
memory/2796-1513-0x0000000000CD6000-0x0000000000CD7000-memory.dmp

Filesize
4KB

Download
memory/2796-1226-0x0000000000CD4000-0x0000000000CD6000-memory.dmp

Filesize
8KB

Download
memory/2796-1225-0x0000000000CD3000-0x0000000000CD4000-memory.dmp

Filesize
4KB

Download
memory/2796-1160-0x0000000000CD2000-0x0000000000CD3000-memory.dmp

Filesize
4KB

Download
memory/2796-1158-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/3008-1641-0x0000000000401364-mapping.dmp

Download
memory/3460-1636-0x0000000000401364-mapping.dmp

Download
memory/4012-150-0x0000000009970000-0x0000000009971000-memory.dmp

Filesize
4KB

Download
memory/4012-125-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/4012-137-0x0000000009840000-0x0000000009873000-memory.dmp

Filesize
204KB

Download
memory/4012-144-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/4012-149-0x000000007E490000-0x000000007E491000-memory.dmp

Filesize
4KB

Download
memory/4012-128-0x0000000008A80000-0x0000000008A81000-memory.dmp

Filesize
4KB

Download
memory/4012-392-0x0000000009BF0000-0x0000000009BF1000-memory.dmp

Filesize
4KB

Download
memory/4012-151-0x0000000004E63000-0x0000000004E64000-memory.dmp

Filesize
4KB

Download
memory/4012-152-0x0000000009B00000-0x0000000009B01000-memory.dmp

Filesize
4KB

Download
memory/4012-127-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/4012-126-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/4012-380-0x000000000B2A0000-0x000000000B2A1000-memory.dmp

Filesize
4KB

Download
memory/4012-381-0x000000000AC40000-0x000000000AC41000-memory.dmp

Filesize
4KB

Download
memory/4012-129-0x0000000008790000-0x0000000008791000-memory.dmp

Filesize
4KB

Download
memory/4012-570-0x0000000009BD0000-0x0000000009BD1000-memory.dmp

Filesize
4KB

Download
memory/4012-124-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/4012-123-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/4012-121-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/4012-561-0x0000000004E66000-0x0000000004E68000-memory.dmp

Filesize
8KB

Download
memory/4012-122-0x0000000004E62000-0x0000000004E63000-memory.dmp

Filesize
4KB

Download
memory/4012-120-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/4012-119-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/4012-551-0x000000000AE10000-0x000000000AE11000-memory.dmp

Filesize
4KB

Download
memory/4012-468-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/4012-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads