xpertrat | 683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4

General

Target

683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
Size

638KB
MD5

043bbfccd9e9deebe4559e291dbebda1
SHA1

0e6da4ccaed482767eb94a61679b5f24375f24d3
SHA256

683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4
SHA512

41e4ea16800ddc0078eca1260f6ef07cd33a1c849802437a2c5868a4bf2fc4ee8b4f480f63e30f88d6e63eab733916fe5f6ec8fd2d3ce91a8bd6bfa4c98a4cc5

Score

10^/10

xpertrat evasion persistence rat trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Y1E5W2H0-W6U4-R5S1-S8J1-I3T1C6W3P336 = "C:\\Users\\Admin\\AppData\\Roaming\\Y1E5W2H0-W6U4-R5S1-S8J1-I3T1C6W3P336\\Y1E5W2H0-W6U4-R5S1-S8J1-I3T1C6W3P336.exe"	iexplore.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1084 notepad.exe

pid	process
1084	notepad.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Y1E5W2H0-W6U4-R5S1-S8J1-I3T1C6W3P336 = "C:\\Users\\Admin\\AppData\\Roaming\\Y1E5W2H0-W6U4-R5S1-S8J1-I3T1C6W3P336\\Y1E5W2H0-W6U4-R5S1-S8J1-I3T1C6W3P336.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y1E5W2H0-W6U4-R5S1-S8J1-I3T1C6W3P336 = "C:\\Users\\Admin\\AppData\\Roaming\\Y1E5W2H0-W6U4-R5S1-S8J1-I3T1C6W3P336\\Y1E5W2H0-W6U4-R5S1-S8J1-I3T1C6W3P336.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe

description	pid	process	target process
PID 1676 set thread context of 1396	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1396 set thread context of 820	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 set thread context of 2016	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 set thread context of 1360	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 set thread context of 1336	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 set thread context of 1268	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe

pid	process
2040	powershell.exe
1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
Token: SeDebugPrivilege	1268	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exeiexplore.exe

pid process

1396 683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
1268 iexplore.exe

pid	process
1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
1268	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exeiexplore.exe

description	pid	process	target process
PID 1676 wrote to memory of 2040	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	powershell.exe
PID 1676 wrote to memory of 2040	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	powershell.exe
PID 1676 wrote to memory of 2040	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	powershell.exe
PID 1676 wrote to memory of 2040	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	powershell.exe
PID 1676 wrote to memory of 812	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 812	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 812	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 812	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 1396	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 1396	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 1396	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 1396	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 1396	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 1396	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 1396	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1676 wrote to memory of 1396	1676	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
PID 1396 wrote to memory of 820	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 820	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 820	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 820	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 820	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 820	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 820	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 820	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 820	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 2016	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 2016	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 2016	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 2016	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 2016	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 2016	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 2016	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 2016	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 2016	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1360	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1360	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1360	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1360	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1360	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1360	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1360	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1360	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1360	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1336	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1336	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1336	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1336	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1336	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1336	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1336	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1336	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1336	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1268	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1268	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1268	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1268	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1268	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1268	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1268	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1268	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1396 wrote to memory of 1268	1396	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe	iexplore.exe
PID 1268 wrote to memory of 1084	1268	iexplore.exe	notepad.exe
PID 1268 wrote to memory of 1084	1268	iexplore.exe	notepad.exe
PID 1268 wrote to memory of 1084	1268	iexplore.exe	notepad.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe

C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
"C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
  "C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe"
  2⤵
  PID:812
- C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
  "C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe"
  2⤵
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1396
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
    3⤵
    PID:820
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
    3⤵
    PID:2016
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
    3⤵
    PID:1360
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
    3⤵
    PID:1336
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\683a36a87b827244db7f998e92ab4702563dd3075bb4fea97ee7ec239f81fed4.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      Deletes itself
      PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-74-0x0000000000000000-mapping.dmp

Download
memory/1396-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-68-0x00000000004010B8-mapping.dmp

Download
memory/1396-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1396-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1676-57-0x0000000004AD0000-0x0000000004B24000-memory.dmp

Filesize
336KB

Download
memory/1676-58-0x00000000006E0000-0x0000000000714000-memory.dmp

Filesize
208KB

Download
memory/1676-54-0x0000000000190000-0x0000000000234000-memory.dmp

Filesize
656KB

Download
memory/1676-56-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1676-55-0x0000000075361000-0x0000000075363000-memory.dmp

Filesize
8KB

Download
memory/2040-61-0x000000006F1A0000-0x000000006F74B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads