blackshades | a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e

Analysis

max time kernel
89s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe
Size

1.1MB
MD5

cac0e59df2c5fd04d7de312823fa7b30
SHA1

62aeaeab4f4dfe81e14108c0c0f47bb54d05e09c
SHA256

a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e
SHA512

68e03b8018e38938f527f797a1a19e4c36b8fb435d28110c920d49f762e9bc465a8b1df92deebdb2197ea1a87303adecf07642a63af72ad91960bf86a148a4da
SSDEEP

3072:jRRHyoBg8zJRAxuU+N6ET/d9ArfCS3VT62FQwiDefNbaSBVpMQRQ8imgCQIqi/c9:jRhoxrn/vmrqaTh2uMnuPea4g/Gc7

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral2/memory/2408-63-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/2408-76-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/2408-78-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/2408-81-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/2408-83-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/2408-85-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/2408-90-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/2408-92-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/2408-97-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winprocess.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winprocess.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\javaruntime.exe = "C:\\Windows\\javaruntime.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe

Executes dropped EXE 3 IoCs

pid	Process
5108	javaruntime.exe
3456	javaruntime.exe
2408	javaruntime.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaruntime = "C:\\Windows\\javaruntime.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4180 set thread context of 2416	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	84
PID 4180 set thread context of 2368	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	89
PID 5108 set thread context of 3756	5108	javaruntime.exe	96
PID 5108 set thread context of 3456	5108	javaruntime.exe	97
PID 5108 set thread context of 2408	5108	javaruntime.exe	98

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2368-10-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2368-14-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2368-12-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2368-49-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2408-63-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2408-61-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2408-59-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2368-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3456-73-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2408-76-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2408-78-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2408-81-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2408-83-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2408-85-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2408-90-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2408-92-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2408-97-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\javaruntime.exe	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe
File opened for modification	C:\Windows\javaruntime.exe	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3484	2416	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4620	reg.exe
1852	reg.exe
3908	reg.exe
2944	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe
3756	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 1	2408	javaruntime.exe
Token: SeCreateTokenPrivilege	2408	javaruntime.exe
Token: SeAssignPrimaryTokenPrivilege	2408	javaruntime.exe
Token: SeLockMemoryPrivilege	2408	javaruntime.exe
Token: SeIncreaseQuotaPrivilege	2408	javaruntime.exe
Token: SeMachineAccountPrivilege	2408	javaruntime.exe
Token: SeTcbPrivilege	2408	javaruntime.exe
Token: SeSecurityPrivilege	2408	javaruntime.exe
Token: SeTakeOwnershipPrivilege	2408	javaruntime.exe
Token: SeLoadDriverPrivilege	2408	javaruntime.exe
Token: SeSystemProfilePrivilege	2408	javaruntime.exe
Token: SeSystemtimePrivilege	2408	javaruntime.exe
Token: SeProfSingleProcessPrivilege	2408	javaruntime.exe
Token: SeIncBasePriorityPrivilege	2408	javaruntime.exe
Token: SeCreatePagefilePrivilege	2408	javaruntime.exe
Token: SeCreatePermanentPrivilege	2408	javaruntime.exe
Token: SeBackupPrivilege	2408	javaruntime.exe
Token: SeRestorePrivilege	2408	javaruntime.exe
Token: SeShutdownPrivilege	2408	javaruntime.exe
Token: SeDebugPrivilege	2408	javaruntime.exe
Token: SeAuditPrivilege	2408	javaruntime.exe
Token: SeSystemEnvironmentPrivilege	2408	javaruntime.exe
Token: SeChangeNotifyPrivilege	2408	javaruntime.exe
Token: SeRemoteShutdownPrivilege	2408	javaruntime.exe
Token: SeUndockPrivilege	2408	javaruntime.exe
Token: SeSyncAgentPrivilege	2408	javaruntime.exe
Token: SeEnableDelegationPrivilege	2408	javaruntime.exe
Token: SeManageVolumePrivilege	2408	javaruntime.exe
Token: SeImpersonatePrivilege	2408	javaruntime.exe
Token: SeCreateGlobalPrivilege	2408	javaruntime.exe
Token: 31	2408	javaruntime.exe
Token: 32	2408	javaruntime.exe
Token: 33	2408	javaruntime.exe
Token: 34	2408	javaruntime.exe
Token: 35	2408	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe
Token: SeDebugPrivilege	3456	javaruntime.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe
2368	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe
5108	javaruntime.exe
5108	javaruntime.exe
3756	svchost.exe
3456	javaruntime.exe
2408	javaruntime.exe
2408	javaruntime.exe
2408	javaruntime.exe
2408	javaruntime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 2416	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	84
PID 4180 wrote to memory of 2416	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	84
PID 4180 wrote to memory of 2416	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	84
PID 4180 wrote to memory of 2416	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	84
PID 4180 wrote to memory of 2368	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	89
PID 4180 wrote to memory of 2368	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	89
PID 4180 wrote to memory of 2368	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	89
PID 4180 wrote to memory of 2368	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	89
PID 4180 wrote to memory of 2368	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	89
PID 4180 wrote to memory of 2368	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	89
PID 4180 wrote to memory of 2368	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	89
PID 4180 wrote to memory of 2368	4180	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	89
PID 2368 wrote to memory of 4808	2368	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	90
PID 2368 wrote to memory of 4808	2368	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	90
PID 2368 wrote to memory of 4808	2368	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	90
PID 4808 wrote to memory of 1080	4808	cmd.exe	94
PID 4808 wrote to memory of 1080	4808	cmd.exe	94
PID 4808 wrote to memory of 1080	4808	cmd.exe	94
PID 2368 wrote to memory of 5108	2368	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	95
PID 2368 wrote to memory of 5108	2368	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	95
PID 2368 wrote to memory of 5108	2368	a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe	95
PID 5108 wrote to memory of 3756	5108	javaruntime.exe	96
PID 5108 wrote to memory of 3756	5108	javaruntime.exe	96
PID 5108 wrote to memory of 3756	5108	javaruntime.exe	96
PID 5108 wrote to memory of 3756	5108	javaruntime.exe	96
PID 5108 wrote to memory of 3756	5108	javaruntime.exe	96
PID 5108 wrote to memory of 3756	5108	javaruntime.exe	96
PID 5108 wrote to memory of 3756	5108	javaruntime.exe	96
PID 5108 wrote to memory of 3756	5108	javaruntime.exe	96
PID 5108 wrote to memory of 3756	5108	javaruntime.exe	96
PID 5108 wrote to memory of 3456	5108	javaruntime.exe	97
PID 5108 wrote to memory of 3456	5108	javaruntime.exe	97
PID 5108 wrote to memory of 3456	5108	javaruntime.exe	97
PID 5108 wrote to memory of 3456	5108	javaruntime.exe	97
PID 5108 wrote to memory of 3456	5108	javaruntime.exe	97
PID 5108 wrote to memory of 3456	5108	javaruntime.exe	97
PID 5108 wrote to memory of 3456	5108	javaruntime.exe	97
PID 5108 wrote to memory of 3456	5108	javaruntime.exe	97
PID 5108 wrote to memory of 2408	5108	javaruntime.exe	98
PID 5108 wrote to memory of 2408	5108	javaruntime.exe	98
PID 5108 wrote to memory of 2408	5108	javaruntime.exe	98
PID 5108 wrote to memory of 2408	5108	javaruntime.exe	98
PID 5108 wrote to memory of 2408	5108	javaruntime.exe	98
PID 5108 wrote to memory of 2408	5108	javaruntime.exe	98
PID 5108 wrote to memory of 2408	5108	javaruntime.exe	98
PID 5108 wrote to memory of 2408	5108	javaruntime.exe	98
PID 2408 wrote to memory of 4888	2408	javaruntime.exe	99
PID 2408 wrote to memory of 4888	2408	javaruntime.exe	99
PID 2408 wrote to memory of 4888	2408	javaruntime.exe	99
PID 2408 wrote to memory of 4900	2408	javaruntime.exe	100
PID 2408 wrote to memory of 4900	2408	javaruntime.exe	100
PID 2408 wrote to memory of 4900	2408	javaruntime.exe	100
PID 2408 wrote to memory of 1676	2408	javaruntime.exe	101
PID 2408 wrote to memory of 1676	2408	javaruntime.exe	101
PID 2408 wrote to memory of 1676	2408	javaruntime.exe	101
PID 2408 wrote to memory of 2352	2408	javaruntime.exe	102
PID 2408 wrote to memory of 2352	2408	javaruntime.exe	102
PID 2408 wrote to memory of 2352	2408	javaruntime.exe	102
PID 1676 wrote to memory of 4620	1676	cmd.exe	108
PID 1676 wrote to memory of 4620	1676	cmd.exe	108
PID 1676 wrote to memory of 4620	1676	cmd.exe	108
PID 4888 wrote to memory of 2944	4888	cmd.exe	109
PID 4888 wrote to memory of 2944	4888	cmd.exe	109
PID 4888 wrote to memory of 2944	4888	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe
"C:\Users\Admin\AppData\Local\Temp\a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 84
    3⤵
    - Program crash
    PID:3484
- C:\Users\Admin\AppData\Local\Temp\a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe
  "C:\Users\Admin\AppData\Local\Temp\a042d6710ea04758b4bbc9de33cad641794efc7b9e7ba39ccba948f51e4aa07e.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGYPM.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaruntime" /t REG_SZ /d "C:\Windows\javaruntime.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1080
- - C:\Windows\javaruntime.exe
    "C:\Windows\javaruntime.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3756
  - - C:\Windows\javaruntime.exe
      "C:\Windows\javaruntime.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3456
  - - C:\Windows\javaruntime.exe
      "C:\Windows\javaruntime.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\javaruntime.exe" /t REG_SZ /d "C:\Windows\javaruntime.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\javaruntime.exe" /t REG_SZ /d "C:\Windows\javaruntime.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1852
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4620
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winprocess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winprocess.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winprocess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winprocess.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OGYPM.txt

Filesize
124B

MD5
163f8e838efe1d166ffff7408b814e28

SHA1
52fa0ccba649587e7d24d21d182657078fa6d028

SHA256
dc60287c419225759aa9e1ea0423be4106337dad71aaa0cdc9d55d2b1af3edb7

SHA512
b6685390029555f7d812f0d1a9f138c619555712add3e79c1c90a1a5a0c544e4a86768a626d25c6af3cec09afc0bbaf7f398114e849831bdc5666fc443a1f68d

Download Submit
C:\Windows\javaruntime.exe

Filesize
1.1MB

MD5
f2406a5c026b1ebffb353f0271ba30c4

SHA1
3dfc876570bfbff566edc7ccbd5e33f5f6860de8

SHA256
344f4552128e00344f6e52342f2e251a4a7e30750b0859cf8944c814de6b1acf

SHA512
dc1a5287a6df75373fc19ba86c22fc6983ee852cc702b83dd9a3f9bbc53c39ec0f9bd5a0276bb9a36492628c6395ea4f784600e0bd1e95b3e1d451d18de08f7c

Download Submit
memory/2368-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2368-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2368-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2368-49-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2368-14-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2408-76-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-61-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-97-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-92-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-90-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-85-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-83-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-81-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-59-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3456-73-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3756-45-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3756-72-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3756-43-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3756-50-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3756-46-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4180-7-0x0000000002CE0000-0x0000000002CE2000-memory.dmp

Filesize
8KB

Download
memory/4180-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4180-5-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/4180-8-0x0000000002CF0000-0x0000000002CF2000-memory.dmp

Filesize
8KB

Download
memory/4180-9-0x0000000002E10000-0x0000000002E12000-memory.dmp

Filesize
8KB

Download
memory/4180-3-0x00000000023C0000-0x00000000023C2000-memory.dmp

Filesize
8KB

Download
memory/4180-4-0x00000000023E0000-0x00000000023E2000-memory.dmp

Filesize
8KB

Download
memory/5108-51-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5108-42-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5108-41-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5108-64-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download