blackshades | 9d9119a14307b53c31fa217e17139c761b27d45694a154dc7b4bf6eacd058466

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-01-2025 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
Size

200KB
MD5

64e4580da28c25452a79e455f34f9f15
SHA1

68e5aec49ed2d8e8cbc98eb01bff04d2592ae934
SHA256

9d9119a14307b53c31fa217e17139c761b27d45694a154dc7b4bf6eacd058466
SHA512

317f212da0258265715985c5197bc0fc61683fec42b54078b44bd1d1cf5ee64f5a5c9e77e1a6eda0e7d52e76e33bcaf9d3d8b72283c22ce80e4dd677b46ed6c0
SSDEEP

3072:zT4HhLP12rkIbgfebWDuNR1vnexA+5sbr+7WHG1Zxhc+tSxqkm78i:zUB7oBgfHD6R1Pexn5s27d5Sxjmo

Score

10^/10

blackshades defense_evasion discovery rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 16 IoCs

resource	yara_rule
behavioral1/memory/3060-31-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-30-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-62-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-63-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-65-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-66-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-67-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-69-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-70-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-71-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-73-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-74-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-75-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-77-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-78-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3060-79-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Rename Server.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Rename Server.exe:*:Enabled:Windows Messanger"	reg.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 3060	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	33

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-20-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-31-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-30-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-29-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-28-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-24-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-21-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-62-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-63-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-65-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-66-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-67-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-69-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-70-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-71-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-73-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-74-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-75-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-77-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-78-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3060-79-0x0000000000400000-0x000000000045D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2844	reg.exe
2856	reg.exe
2836	reg.exe
2828	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
Token: 1	3060	vbc.exe
Token: SeCreateTokenPrivilege	3060	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3060	vbc.exe
Token: SeLockMemoryPrivilege	3060	vbc.exe
Token: SeIncreaseQuotaPrivilege	3060	vbc.exe
Token: SeMachineAccountPrivilege	3060	vbc.exe
Token: SeTcbPrivilege	3060	vbc.exe
Token: SeSecurityPrivilege	3060	vbc.exe
Token: SeTakeOwnershipPrivilege	3060	vbc.exe
Token: SeLoadDriverPrivilege	3060	vbc.exe
Token: SeSystemProfilePrivilege	3060	vbc.exe
Token: SeSystemtimePrivilege	3060	vbc.exe
Token: SeProfSingleProcessPrivilege	3060	vbc.exe
Token: SeIncBasePriorityPrivilege	3060	vbc.exe
Token: SeCreatePagefilePrivilege	3060	vbc.exe
Token: SeCreatePermanentPrivilege	3060	vbc.exe
Token: SeBackupPrivilege	3060	vbc.exe
Token: SeRestorePrivilege	3060	vbc.exe
Token: SeShutdownPrivilege	3060	vbc.exe
Token: SeDebugPrivilege	3060	vbc.exe
Token: SeAuditPrivilege	3060	vbc.exe
Token: SeSystemEnvironmentPrivilege	3060	vbc.exe
Token: SeChangeNotifyPrivilege	3060	vbc.exe
Token: SeRemoteShutdownPrivilege	3060	vbc.exe
Token: SeUndockPrivilege	3060	vbc.exe
Token: SeSyncAgentPrivilege	3060	vbc.exe
Token: SeEnableDelegationPrivilege	3060	vbc.exe
Token: SeManageVolumePrivilege	3060	vbc.exe
Token: SeImpersonatePrivilege	3060	vbc.exe
Token: SeCreateGlobalPrivilege	3060	vbc.exe
Token: 31	3060	vbc.exe
Token: 32	3060	vbc.exe
Token: 33	3060	vbc.exe
Token: 34	3060	vbc.exe
Token: 35	3060	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3060	vbc.exe
3060	vbc.exe
3060	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2664	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	30
PID 3040 wrote to memory of 2664	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	30
PID 3040 wrote to memory of 2664	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	30
PID 3040 wrote to memory of 2664	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	30
PID 2664 wrote to memory of 2660	2664	csc.exe	32
PID 2664 wrote to memory of 2660	2664	csc.exe	32
PID 2664 wrote to memory of 2660	2664	csc.exe	32
PID 2664 wrote to memory of 2660	2664	csc.exe	32
PID 3040 wrote to memory of 3060	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	33
PID 3040 wrote to memory of 3060	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	33
PID 3040 wrote to memory of 3060	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	33
PID 3040 wrote to memory of 3060	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	33
PID 3040 wrote to memory of 3060	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	33
PID 3040 wrote to memory of 3060	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	33
PID 3040 wrote to memory of 3060	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	33
PID 3040 wrote to memory of 3060	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	33
PID 3040 wrote to memory of 2532	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	34
PID 3040 wrote to memory of 2532	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	34
PID 3040 wrote to memory of 2532	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	34
PID 3040 wrote to memory of 2532	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	34
PID 3060 wrote to memory of 2512	3060	vbc.exe	36
PID 3060 wrote to memory of 2512	3060	vbc.exe	36
PID 3060 wrote to memory of 2512	3060	vbc.exe	36
PID 3060 wrote to memory of 2512	3060	vbc.exe	36
PID 2532 wrote to memory of 2540	2532	csc.exe	37
PID 2532 wrote to memory of 2540	2532	csc.exe	37
PID 2532 wrote to memory of 2540	2532	csc.exe	37
PID 2532 wrote to memory of 2540	2532	csc.exe	37
PID 3060 wrote to memory of 2572	3060	vbc.exe	38
PID 3060 wrote to memory of 2572	3060	vbc.exe	38
PID 3060 wrote to memory of 2572	3060	vbc.exe	38
PID 3060 wrote to memory of 2572	3060	vbc.exe	38
PID 3060 wrote to memory of 2584	3060	vbc.exe	39
PID 3060 wrote to memory of 2584	3060	vbc.exe	39
PID 3060 wrote to memory of 2584	3060	vbc.exe	39
PID 3060 wrote to memory of 2584	3060	vbc.exe	39
PID 3060 wrote to memory of 2968	3060	vbc.exe	42
PID 3060 wrote to memory of 2968	3060	vbc.exe	42
PID 3060 wrote to memory of 2968	3060	vbc.exe	42
PID 3060 wrote to memory of 2968	3060	vbc.exe	42
PID 2512 wrote to memory of 2828	2512	cmd.exe	46
PID 2512 wrote to memory of 2828	2512	cmd.exe	46
PID 2512 wrote to memory of 2828	2512	cmd.exe	46
PID 2512 wrote to memory of 2828	2512	cmd.exe	46
PID 2968 wrote to memory of 2836	2968	cmd.exe	47
PID 2968 wrote to memory of 2836	2968	cmd.exe	47
PID 2968 wrote to memory of 2836	2968	cmd.exe	47
PID 2968 wrote to memory of 2836	2968	cmd.exe	47
PID 3040 wrote to memory of 2752	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	45
PID 3040 wrote to memory of 2752	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	45
PID 3040 wrote to memory of 2752	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	45
PID 3040 wrote to memory of 2752	3040	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	45
PID 2572 wrote to memory of 2844	2572	cmd.exe	48
PID 2572 wrote to memory of 2844	2572	cmd.exe	48
PID 2572 wrote to memory of 2844	2572	cmd.exe	48
PID 2572 wrote to memory of 2844	2572	cmd.exe	48
PID 2584 wrote to memory of 2856	2584	cmd.exe	49
PID 2584 wrote to memory of 2856	2584	cmd.exe	49
PID 2584 wrote to memory of 2856	2584	cmd.exe	49
PID 2584 wrote to memory of 2856	2584	cmd.exe	49
PID 2752 wrote to memory of 268	2752	csc.exe	51
PID 2752 wrote to memory of 268	2752	csc.exe	51
PID 2752 wrote to memory of 268	2752	csc.exe	51
PID 2752 wrote to memory of 268	2752	csc.exe	51

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8E1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF8E0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Rename Server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Rename Server.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Rename Server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Rename Server.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2836
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA95.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFA94.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2540
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB51.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFB50.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF8E1.tmp

Filesize
1KB

MD5
92e32849be68e7f82efa556f535a19b0

SHA1
3c66ffae1e6fc0a47eae96ca1130761190c901bb

SHA256
70d272f89ae976332a1f6c27f8376a6d12dffad3d7eb0f8a35e41e9a0a647100

SHA512
de8eefe9d373eff28fe3e358743b09100d50029b26a74b8bea33d969107f7b809bab834b9c58489151fe7b6c4e92953185ed8e21a64a9c0c0f4b3b5b4439b988

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA95.tmp

Filesize
1KB

MD5
4ccf576d345b17de6548077589547315

SHA1
01077f7a4848fc5dc4087a8eb4b98c7c79d2384f

SHA256
cbd335673d7bc3d701aa317df007949ea9d91954979d49b3bc9e0602259e4c2d

SHA512
d0a8717bf518e4503896aa43829729b35228e675c169791467e259d2d0298b2af27a2692e6c88596394a31f85e028aa94d34c9f0279dcda5aa4cc4f7f492cb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB51.tmp

Filesize
1KB

MD5
d0653d525a02ac9c9a95f4e8498855a7

SHA1
41bd913de9510f7e8d971baf085edbbbe05f984c

SHA256
c0787ffcc4bc48e775e28fefcbcf3ac92cc3d44cca9623088a2ee34d5a5a8acf

SHA512
678aba225a3b3985055f09fe4af4b515a8a92e562a73cc62c69564a8cf5ab73014358c0550f09214e4e3f9036f4ca76444267167a5f7467c4da0c81b4259840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\th3nylqn.dll

Filesize
3KB

MD5
3c56633a39ecee5cf87486b402e5a66a

SHA1
6867e4588cd1ccc729fdf405b734f4f842382149

SHA256
8785b93bf5a0167f92068843ff5626a0bc0693c184a95888ea7bf29d80529ac6

SHA512
03f618212f4654a4956ca1b3455f70d0735e1af4a3c1fd7703bcc10c9707bb4f9d750f2dfd315e86db845043394986b5d34105caaedda9c425514ff836049202

Download Submit
C:\Users\Admin\AppData\Local\Temp\th3nylqn.dll

Filesize
5KB

MD5
4b2c2ffaf528281b8b3a41b598c031ee

SHA1
735af9fc92032b003b2f22a52cfb16259e04338f

SHA256
dcff2fa61ebb8895b964bf84e97ea4ac851328d8a0a8764f0dd0b2ae7d5ea65b

SHA512
17796ce12e62a71e4dfadeb9c4af10bee28ad6ea3a384355eccc5eb67982915e0e829b2a7b58bd0a88131fb61b4798494f54c30d21537d8e4fe3915d1ef2de84

Download Submit
C:\Users\Admin\AppData\Local\Temp\th3nylqn.dll

Filesize
9KB

MD5
38bb1cf8b89acddfee83c987b523afde

SHA1
62abab20746d25bfc9bc0c012810aceb60a26059

SHA256
a6f8c456e285db7847bc2f61fa4abda79a0149269d9af2224c7939165dc20c3f

SHA512
daea13f6c928411e06d6083adcb01f36e04e6b1d5f6231012bc2f490e166e0e5db7beba9c2a74177a75364ac0ff6a3a39d04f332eefabe136a938a496cb37c85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF8E0.tmp

Filesize
652B

MD5
6ec421ae2b9a6a92627384f879cbba07

SHA1
235dda47d5ac52213590734543380a8311f249c6

SHA256
bf6ab0d3c96e0c5473c66542ceb9f3e33cb4ffc419af5a1cbe74bcdff9a8cfdf

SHA512
498e81f2003295c7d4f9c8f4a2f6494da44d305ed6d955d4cdd099483bfcebb2a0e24d47ad896f51d2ab5156d308d4cbce73a179764e52f6ff47687bc6c59922

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.0.cs

Filesize
106B

MD5
7b2710d3c14f50327d82682f1788ac9c

SHA1
db6323843b42649f002accea370f951ad10452bd

SHA256
cf3742c2d19768ac180864c89a57abffca72120fa2fa3d2872ddc5fb9901704f

SHA512
7f0c429790ac2a29c37fa802e150ec6cb96f906c6b33d6b61bda74690a06a68be016e062d141a1499d5bf521ef379f6531e7274e270bbf20aac8af49710d6479

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.0.cs

Filesize
7KB

MD5
c79c02b8be614ba0ad11b9a2deac9067

SHA1
5338181abf8d8436df240ec8bfe8699ed40eac83

SHA256
aeb41fe4117e42c32d7c61fe9caa02f2ec937418a3ffb6ee64b5a8309e0d7b78

SHA512
4b0efe655b237185454a41c79c1b5cd9b8e80cfa36f7abb8a5d63629f400bb73d58f196584ec5421a8b2e6608b9c00d44514ada9651bcf19aea8ba4cce5b4a4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.0.cs

Filesize
3KB

MD5
412e1c803f61cea207aa4b53c9b4a3bb

SHA1
79b56c2016e0eb4e0de20ef8085dd8caa2b0a810

SHA256
03928f10904ba363d8e763f42883e9c9e6a54f5514b323c48fca4ace6f8d2b71

SHA512
9cb9f92cee9e2b22424c8c0f60b53143ff7799a61a06a02291102912208311fb41ea95e16a175f46fbf0cce41b2f18f4eacaa5ae60625aa0e89beec5ac299b3b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline

Filesize
187B

MD5
1a492b8696bf5ab0e343eb40cb7018cb

SHA1
9b76be5468f631bc8e986e6bca2426f2e17c4059

SHA256
7377b96720e85d10878e603f9ea47f2388a4eeadecd51369ec1b2685dd7e3450

SHA512
fef3bd8acb83a80a6769de8d04148798c8dd76a6cda8a116a229771d0b67a69758b4671eca5237dbfed6dca4262a02439328b2315cf9b86c034469d76e00d19d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline

Filesize
203B

MD5
f32f14e4c1df0b7a26fa9da055ff2c31

SHA1
4f93f1a8784e420e9254e41804c0f93c2dd7819c

SHA256
5ad23318e0f56c23c926fbc60798cd866e0a0376ac63875514fafa2117b16c01

SHA512
ac9cca0e7eb4d268b2201ce2afa311df3fb127001e05ed61404d9a0ebcf5698b3df39a913e2c8624e1ba8ccf9c33ddbe9ab9387f8e79e11b109b810d78c18477

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\th3nylqn.cmdline

Filesize
219B

MD5
d2daa8bf1fbb0265f3ab80912c773339

SHA1
58b21c350ff004c16d83b8ff7cb3b78e94553883

SHA256
759706a92dd21bc1da1b80d9a648d75b47a075cb54ff69ab83d78d6656c6ed23

SHA512
b6ccf51c9c8e8b49214d6694547b25d43640127542780628587a3e289b7c63d29859700107e4b827c49a49d808f76c5a7bffed43208897dbab06329ce3d4cf2f

Download Submit
memory/2664-15-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2664-8-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/3040-61-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/3040-0-0x0000000074051000-0x0000000074052000-memory.dmp

Filesize
4KB

Download
memory/3040-2-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/3040-1-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/3060-20-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3060-24-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-28-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-29-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-30-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-18-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-31-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-62-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-21-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-66-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-67-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-69-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-70-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-71-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-73-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-74-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-75-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-77-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-78-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3060-79-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download