xtremerat | c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7

General

Target

c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
Size

526KB
MD5

5109339d6fbcf467a9d50cd9e092c480
SHA1

819f1177d29584624eb9b1b9c219f550b068125b
SHA256

c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7
SHA512

0ff6c31444662eb8e8322f676f735f5a3a288c9c8b587592d2f9d40ab2cba0c3ac7c4379d84c7a24565ca588f85b5b6302bf5896cc19d3bf4033504486d16129
SSDEEP

12288:Feo9tmBXojQaRK+nm7tqpVCm257KzQWFUrZAf05pVMSr:0h4jQaR5nmheg57XCULLVM

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Executes dropped EXE 2 IoCs

Processes:

appinit.exeappinit.exe

pid process

1520 appinit.exe
1368 appinit.exe

pid	process
1520	appinit.exe
1368	appinit.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1600-97-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1600-100-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1600-103-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1600-106-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1600-108-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1600-109-0x0000000001610000-0x0000000001720000-memory.dmp	upx
behavioral1/memory/1600-110-0x0000000001610000-0x0000000001720000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe

pid process

1364 c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe

pid	process
1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

appinit.exec844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	appinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{90783-8547-9081-90}\\appinit.exe"	appinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	appinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{90783-8547-9081-90}\\appinit.exe"	appinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\{90783-8547-9081-90}\\appinit.exe"	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\{90783-8547-9081-90}\\appinit.exe"	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exeappinit.exeappinit.exe

description	pid	process	target process
PID 1488 set thread context of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1520 set thread context of 1368	1520	appinit.exe	appinit.exe
PID 1368 set thread context of 1600	1368	appinit.exe	explorer.exe

Drops file in Windows directory 5 IoCs

Processes:

c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exeappinit.exe

description	ioc	process
File opened for modification	C:\Windows\{90783-8547-9081-90}\appinit.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
File created	C:\Windows\{90783-8547-9081-90}\appinit.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
File opened for modification	C:\Windows\{90783-8547-9081-90}\	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
File opened for modification	C:\Windows\{90783-8547-9081-90}\appinit.exe	appinit.exe
File opened for modification	C:\Windows\{90783-8547-9081-90}\	appinit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

explorer.exe

pid process

1600 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe

pid process

1364 c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe

pid	process
1600	explorer.exe

pid	process
1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exec844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe

description	pid	process	target process
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1488 wrote to memory of 1364	1488	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
PID 1364 wrote to memory of 1292	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1292	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1292	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1292	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1736	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1736	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1736	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1736	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1548	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1548	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1548	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1548	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1028	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1028	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1028	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1028	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1752	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1752	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1752	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1752	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1056	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1056	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1056	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1056	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1776	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1776	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1776	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1776	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 808	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 808	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 808	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 808	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1800	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1800	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1800	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1800	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 528	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 528	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 528	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 528	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 300	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 300	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 300	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 300	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 1972	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1972	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1972	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 1972	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	explorer.exe
PID 1364 wrote to memory of 284	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 284	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 284	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe
PID 1364 wrote to memory of 284	1364	c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
"C:\Users\Admin\AppData\Local\Temp\c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe
"C:\Users\Admin\AppData\Local\Temp\c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1292

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1548

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1752

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1776

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1800

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:300

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:284

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1696

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:920

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1072

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1996

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1572

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:908

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1952

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2044

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:980

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1088

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1948

C:\Windows\{90783-8547-9081-90}\appinit.exe
"C:\Windows\{90783-8547-9081-90}\appinit.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1520

C:\Windows\{90783-8547-9081-90}\appinit.exe
"C:\Windows\{90783-8547-9081-90}\appinit.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:556

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\G5lZfyWn78ljg6\G5lZfyWn78ljg6.nfo
Filesize
3KB

MD5
f7fae5c69b6ae78f297542f1c1405dcf

SHA1
e275446b5bff321022e3833f67f63d1d0cca3883

SHA256
c13949237267afdf33459d743748646af80dd77f291f0a0644b9edb7953a0d94

SHA512
953f4f55494e58273a0d371db6cfcc10a18e9374d411eb8ae5e469c7a80bf706940ad1569a475a8c52d5e43ab7127c2206831d7aec97f6a3bc8defa67e8c65f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\G5lZfyWn78ljg6\G5lZfyWn78ljg6.svr
Filesize
358KB

MD5
ad69242f4bf9548496051bd95ac05e1e

SHA1
913292f6b83adf41337fd50201ad341500abc8b0

SHA256
2663fdfe0fe4c37532f919282d035579bf84a895be5971982437cffbd41bdb1b

SHA512
09bed3adc8427e4aeec4e32dfd0640da71d2839b62973e4bae94f0965c5836028511295d99be878af388789fc020117972c3cf51d5a2ef1899aeb9d43c2fd94e

Download Submit
C:\Windows\{90783-8547-9081-90}\appinit.exe
Filesize
526KB

MD5
5109339d6fbcf467a9d50cd9e092c480

SHA1
819f1177d29584624eb9b1b9c219f550b068125b

SHA256
c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7

SHA512
0ff6c31444662eb8e8322f676f735f5a3a288c9c8b587592d2f9d40ab2cba0c3ac7c4379d84c7a24565ca588f85b5b6302bf5896cc19d3bf4033504486d16129

Download Submit
C:\Windows\{90783-8547-9081-90}\appinit.exe
Filesize
526KB

MD5
5109339d6fbcf467a9d50cd9e092c480

SHA1
819f1177d29584624eb9b1b9c219f550b068125b

SHA256
c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7

SHA512
0ff6c31444662eb8e8322f676f735f5a3a288c9c8b587592d2f9d40ab2cba0c3ac7c4379d84c7a24565ca588f85b5b6302bf5896cc19d3bf4033504486d16129

Download Submit
C:\Windows\{90783-8547-9081-90}\appinit.exe
Filesize
526KB

MD5
5109339d6fbcf467a9d50cd9e092c480

SHA1
819f1177d29584624eb9b1b9c219f550b068125b

SHA256
c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7

SHA512
0ff6c31444662eb8e8322f676f735f5a3a288c9c8b587592d2f9d40ab2cba0c3ac7c4379d84c7a24565ca588f85b5b6302bf5896cc19d3bf4033504486d16129

Download Submit
\Windows\{90783-8547-9081-90}\appinit.exe
Filesize
526KB

MD5
5109339d6fbcf467a9d50cd9e092c480

SHA1
819f1177d29584624eb9b1b9c219f550b068125b

SHA256
c844b326d9151ac6606ef20410e1bcdcc26d1d0bbaeccfb97002199b19777ee7

SHA512
0ff6c31444662eb8e8322f676f735f5a3a288c9c8b587592d2f9d40ab2cba0c3ac7c4379d84c7a24565ca588f85b5b6302bf5896cc19d3bf4033504486d16129

Download Submit
memory/1364-64-0x00000000009E4E0E-mapping.dmp

Download
memory/1364-62-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-61-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-65-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-67-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-60-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-69-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-70-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-93-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-59-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-58-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-56-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1364-55-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1368-85-0x0000000000ED4E0E-mapping.dmp

Download
memory/1368-91-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1368-94-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1368-111-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1488-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download
memory/1488-68-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-90-0x00000000737D0000-0x0000000073D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-72-0x0000000000000000-mapping.dmp

Download
memory/1600-100-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1600-96-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1600-105-0x000000000171D0D0-mapping.dmp

Download
memory/1600-103-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1600-106-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1600-108-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1600-109-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1600-110-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1600-97-0x0000000001610000-0x0000000001720000-memory.dmp

Filesize
1.1MB

Download
memory/1600-112-0x00000000016C5000-0x000000000171E000-memory.dmp

Filesize
356KB

Download
memory/1600-113-0x0000000001611000-0x00000000016C5000-memory.dmp

Filesize
720KB

Download
memory/1600-114-0x00000000016C5000-0x000000000171E000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads