xtremerat | 121cf6c76608b2554ad1566c64ec8c0350d123b156cb8bd61fd7c35574958066

General

Target

f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
Size

93KB
MD5

f64a83456bc601bb3aeebfdc6094057a
SHA1

dd117d3c5b1051c12abe3e521ac2c0e28caaa646
SHA256

121cf6c76608b2554ad1566c64ec8c0350d123b156cb8bd61fd7c35574958066
SHA512

42e791a94a22402ea428962888926cb086704d3c6888e9e12bd8f5ad2781bf9632cae1a6fd351795123c8d8bba83d8c8a4fab6c91a73508ba7927394d391789a
SSDEEP

1536:dOCc/KRA9EMj3IBAgVfiSTfSA8ZrggRK2AhFn+okzhF5mG4ffabCbn6cdsIlU7K+:dOCcCRjMkAgVfLTfx6rgeq8L5F0fpnjO

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

turkoteste.no-ip.org

Signatures

Detect XtremeRAT payload 24 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1776-24-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1776-25-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/2612-26-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/2612-27-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4700-36-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4700-37-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/2524-47-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/2524-48-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3408-57-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3408-58-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3224-66-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3224-67-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3280-74-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3280-75-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1496-76-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1496-77-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/2864-86-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/2864-87-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4696-96-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4696-98-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/856-107-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/856-109-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4844-118-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4844-120-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\hKrPKybp.exe"	reg.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1776-18-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1776-19-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1776-20-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1776-22-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1776-24-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1776-25-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2612-26-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2612-27-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4700-36-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4700-37-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2524-47-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2524-48-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3408-57-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3408-58-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3224-66-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3224-67-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3280-73-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3280-74-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3280-75-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1496-76-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1496-77-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2864-86-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2864-87-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4696-96-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4696-98-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/856-107-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/856-109-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4844-118-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4844-120-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hKrPKybp.exe"	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe

description	pid	process	target process
PID 1228 set thread context of 1776	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 set thread context of 5004	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 set thread context of 3508	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 set thread context of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 set thread context of 1884	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 set thread context of 3280	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 set thread context of 628	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 set thread context of 3628	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 set thread context of 4328	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 set thread context of 3616	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe

Program crash 20 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3060	2612	WerFault.exe	svchost.exe
3192	2612	WerFault.exe	svchost.exe
2140	4700	WerFault.exe	svchost.exe
4348	4700	WerFault.exe	svchost.exe
2468	2524	WerFault.exe	svchost.exe
3404	2524	WerFault.exe	svchost.exe
4656	3408	WerFault.exe	svchost.exe
716	3408	WerFault.exe	svchost.exe
1984	3224	WerFault.exe	svchost.exe
3912	3224	WerFault.exe	svchost.exe
1780	1496	WerFault.exe	svchost.exe
4024	1496	WerFault.exe	svchost.exe
552	2864	WerFault.exe	svchost.exe
3092	2864	WerFault.exe	svchost.exe
2980	4696	WerFault.exe	svchost.exe
4948	4696	WerFault.exe	svchost.exe
3248	856	WerFault.exe	svchost.exe
1620	856	WerFault.exe	svchost.exe
1432	4844	WerFault.exe	svchost.exe
2356	4844	WerFault.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe

pid	process
1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1228 f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.execsc.execmd.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 1228 wrote to memory of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	csc.exe
PID 1228 wrote to memory of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	csc.exe
PID 1228 wrote to memory of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	csc.exe
PID 2992 wrote to memory of 4768	2992	csc.exe	cvtres.exe
PID 2992 wrote to memory of 4768	2992	csc.exe	cvtres.exe
PID 2992 wrote to memory of 4768	2992	csc.exe	cvtres.exe
PID 1228 wrote to memory of 1776	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 1776	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 1776	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 1776	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 1776	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 1776	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 1776	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 1776	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 4956	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	cmd.exe
PID 1228 wrote to memory of 4956	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	cmd.exe
PID 1228 wrote to memory of 4956	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	cmd.exe
PID 4956 wrote to memory of 4248	4956	cmd.exe	reg.exe
PID 4956 wrote to memory of 4248	4956	cmd.exe	reg.exe
PID 4956 wrote to memory of 4248	4956	cmd.exe	reg.exe
PID 1776 wrote to memory of 2612	1776	vbc.exe	svchost.exe
PID 1776 wrote to memory of 2612	1776	vbc.exe	svchost.exe
PID 1776 wrote to memory of 2612	1776	vbc.exe	svchost.exe
PID 1776 wrote to memory of 2612	1776	vbc.exe	svchost.exe
PID 1776 wrote to memory of 3304	1776	vbc.exe	msedge.exe
PID 1776 wrote to memory of 3304	1776	vbc.exe	msedge.exe
PID 1776 wrote to memory of 3304	1776	vbc.exe	msedge.exe
PID 1228 wrote to memory of 5004	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 5004	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 5004	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 5004	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 5004	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 5004	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 5004	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 5004	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 5004 wrote to memory of 4700	5004	vbc.exe	svchost.exe
PID 5004 wrote to memory of 4700	5004	vbc.exe	svchost.exe
PID 5004 wrote to memory of 4700	5004	vbc.exe	svchost.exe
PID 5004 wrote to memory of 4700	5004	vbc.exe	svchost.exe
PID 5004 wrote to memory of 1724	5004	vbc.exe	msedge.exe
PID 5004 wrote to memory of 1724	5004	vbc.exe	msedge.exe
PID 5004 wrote to memory of 1724	5004	vbc.exe	msedge.exe
PID 1228 wrote to memory of 3508	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 3508	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 3508	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 3508	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 3508	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 3508	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 3508	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 3508	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 3508 wrote to memory of 2524	3508	vbc.exe	svchost.exe
PID 3508 wrote to memory of 2524	3508	vbc.exe	svchost.exe
PID 3508 wrote to memory of 2524	3508	vbc.exe	svchost.exe
PID 3508 wrote to memory of 2524	3508	vbc.exe	svchost.exe
PID 3508 wrote to memory of 1568	3508	vbc.exe	msedge.exe
PID 3508 wrote to memory of 1568	3508	vbc.exe	msedge.exe
PID 3508 wrote to memory of 1568	3508	vbc.exe	msedge.exe
PID 1228 wrote to memory of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe
PID 1228 wrote to memory of 2992	1228	f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0d9byk1i.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES320D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC320C.tmp"
3⤵
PID:4768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 480
4⤵
- Program crash
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 488
4⤵
- Program crash
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\hKrPKybp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\hKrPKybp.exe"
3⤵
- Modifies WinLogon for persistence
PID:4248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 480
4⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 500
4⤵
- Program crash
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 480
4⤵
- Program crash
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 504
4⤵
- Program crash
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:2992

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 432
4⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 500
4⤵
- Program crash
PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1884

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 480
4⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 504
4⤵
- Program crash
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:3280

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 480
4⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 504
4⤵
- Program crash
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:628

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 480
4⤵
- Program crash
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 504
4⤵
- Program crash
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:3628

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 480
4⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 504
4⤵
- Program crash
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:4328

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 496
4⤵
- Program crash
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 516
4⤵
- Program crash
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:3616

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 480
4⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 504
4⤵
- Program crash
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2612 -ip 2612
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2612 -ip 2612
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4700 -ip 4700
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4700 -ip 4700
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2524 -ip 2524
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2524 -ip 2524
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3408 -ip 3408
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3408 -ip 3408
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3224 -ip 3224
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3224 -ip 3224
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1496 -ip 1496
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1496 -ip 1496
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2864 -ip 2864
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2864 -ip 2864
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4696 -ip 4696
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4696 -ip 4696
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 856 -ip 856
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 856 -ip 856
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4844 -ip 4844
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4844 -ip 4844
1⤵
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d9byk1i.dll
Filesize
180KB

MD5
3441d0c023ba0a42bb8b7d17cc3a2e37

SHA1
4f29e55787305a48636e12fdff839b571e2367f3

SHA256
c1f4248cde000b3a15dbc1c0cd457a950a813089e72d6926a0d4a3ccb584d14e

SHA512
8d35b20fa3ece88382899d2fd2e7549b164cd7a4bea9531e17bc6569d50ee12507b190df6856a7de67715b3a7e635617fc87642fb7e495d132c755cb386da9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES320D.tmp
Filesize
1KB

MD5
6605f941480b80967dab3eb1475976bc

SHA1
8206a451c1b76a249065b496b970117dc25eb4b7

SHA256
5d25d9063ae75cacbd247b8eda51f1ddc2d803e6f90b1e3ed46e5578d7ab6955

SHA512
3f554a8eb14113307283517e00422b4573a70fe81737e62e1d95d8828a4cdac843d285045aa46313f8b60ae436e2d57bb916aa964f53eb4595f153d901a8ec72

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0d9byk1i.cmdline
Filesize
196B

MD5
c0255f0e763d21096d96cfb1587df13a

SHA1
9d5cf9e5e3972fc3f54f231914012e668ab51ed5

SHA256
f43edb2ce32b48ac5b6ef4344fb62503c6244c7a223c9a3b6759476713334af4

SHA512
7522202c8da416554ac90ecb3b2178c1ea3068447a015b508ae8de964a1cc38fe3beb34048ca463a1fe4bbbd1f5f12b225a06062abc933cf0d9d3a324b174f1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC320C.tmp
Filesize
652B

MD5
4220bd672f12242707b33419392957c4

SHA1
6df18eeb80ff43b7e93c086a07c06068da83c18e

SHA256
56c367dcf1bfd8f433943f40b9b817519f0285064e4b56a82944b1a7c74d4d6c

SHA512
01ecbee30ee93cecb2bee043887410554d3fce6d025134f1d8f412aae5eda3b82ebaff55f864a3b26862046e38aced980e77326cbc8fb7933301f9f41b177457

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp30F3.tmp.txt
Filesize
82KB

MD5
ad9c893a0c6c4d7e294fd49128b800b1

SHA1
53f9fb024d7aee77abf25f7a5e45ab7e3f4b740c

SHA256
09698cf156fe094e7344b3d782fb76cccc023ae90c8a809cd209f762131198c5

SHA512
03641922120114044d63a312dc309de67351de631e0cba396100781e8a009fb7ac309c5bdcbcb3a38fdfe4a8a413c9912e5b40b9b9ef7d12a3caadbdb9fd07be

Download Submit
memory/856-109-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/856-107-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1228-28-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1228-1-0x00000000013E0000-0x00000000013F0000-memory.dmp

Filesize
64KB

Download
memory/1228-2-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1228-0-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1228-39-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/1496-76-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1496-77-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1776-20-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1776-25-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1776-24-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1776-22-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1776-19-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1776-18-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2524-48-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2524-47-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2612-27-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2612-26-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2864-87-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2864-86-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2992-9-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/3224-66-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3224-67-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3280-74-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3280-75-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3280-73-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3408-58-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3408-57-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4696-96-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4696-98-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4700-37-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4700-36-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4844-118-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4844-120-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads