Analysis
max time kernel: 148s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/02/2025, 12:00
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
  Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
Size: 902KB
MD5: 7182e7c37759126da58b5fb29296de8e
SHA1: c6f4fa352e3c1e47a0e146bce1c6fa2574152b77
SHA256: 10e3833de2ebf0dc6e16a94dae301b03d1079d2b94295eb941661ec731812ebb
SHA512: 040fd58614bcc1c81487a3a0b98d8e6c8bd94f4a07b652bece474fde15316945b5ed12439210c9553f8dfce53d4bc923565372b644dae58d6b2d7af1cc759a2c
SSDEEP: 12288:hg3aYMKqek4IxBKB8kWlyWdY3fNzEpGP/zLyQrnpEKlljPiZashMycuyUsKzeW1+:JyCBKB8Blo1zk8LyQ7aZcTKqW5p
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload (15 IoCs)
resource | yara_rule
behavioral1/memory/2524-37-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2524-29-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2524-60-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2156-88-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2524-89-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2524-90-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2524-93-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2524-94-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2524-95-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/912-113-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2524-115-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2524-118-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2576-132-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2524-137-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral1/memory/2420-155-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
Modifies firewall policy service (3 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\acer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\acer.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\sidebar.exe = "C:\\Windows\\Temp\\sidebar.exe:*:Enabled:Windows Messanger" | reg.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sidebar .exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sidebar .exe | cmd.exe
Executes dropped EXE (24 IoCs)
pid Process (two distinct files are involved: C:\Windows\Temp\sidebar.exe and C:\Users\Admin\AppData\Roaming\sidebar .exe, the latter carrying a space before the extension; see the process tree below):
2524 sidebar.exe, 3048 sidebar.exe, 2584 sidebar.exe, 2544 sidebar.exe, 2216 sidebar .exe, 2156 sidebar.exe, 1360 sidebar.exe, 2056 sidebar.exe, 1616 sidebar.exe, 1956 sidebar .exe, 912 sidebar.exe, 2384 sidebar.exe, 1584 sidebar.exe, 904 sidebar.exe, 2872 sidebar .exe, 2576 sidebar.exe, 2992 sidebar.exe, 2560 sidebar.exe, 480 sidebar.exe, 1836 sidebar .exe, 2420 sidebar.exe, 2800 sidebar.exe, 2380 sidebar.exe, 2732 sidebar.exe
Loads dropped DLL (9 IoCs)
pid Process: 2916 JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe (4 entries), 1932 cmd.exe (5 entries)
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogIe = "C:\\Users\\Admin\\AppData\\Roaming\\sidebar .exe" | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
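The firewall rows and the Run-key row above are the sample's evasion and persistence in one place: the legacy Windows Firewall exception list (`AuthorizedApplications\List`, value data in the form `path:scope:Enabled:display name`) gets entries for executables under AppData and Windows\Temp, `DoNotAllowExceptions` is reset to 0 so those entries take effect, and the Run value is named "GoogIe" (capital I standing in for a lowercase l) and points at a file with a space before `.exe`. The script below is an added example, not part of this sandbox report and not Blackshades code; it parses rows in the `description | ioc | Process` layout used above and flags exactly those patterns. The sample rows are copied from the report; SUSPECT_DIRS, BRANDS and the HOMOGLYPHS map are watchlists assumed for this example.

```python
"""Triage registry IoC rows from the 'Modifies firewall policy service' and
'Adds Run key to start application' signatures.

Added example: not part of the sandbox report and not Blackshades code.
Rows are 'description | ioc | Process'; REG_SZ data in the ioc column is
shown the way the sandbox renders it, with backslashes doubled."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Legacy (XP/Vista/7) Windows Firewall exception value:
#   "<path>:<scope>:<Enabled|Disabled>:<display name>", scope '*' = all networks
EXCEPTION_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<mode>Enabled|Disabled):(?P<name>.*)$')

SUSPECT_DIRS = ('\\appdata\\', '\\windows\\temp\\', '\\users\\public\\')  # assumed watchlist
BRANDS = ('google', 'microsoft', 'adobe', 'intel', 'nvidia')               # assumed watchlist
HOMOGLYPHS = str.maketrans({'I': 'l', '1': 'l', '0': 'o', '|': 'l'})       # look-alikes folded to the letter they imitate

# Rows copied from the report (constructed input for this example).
SAMPLE_ROWS = [
    r'Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\acer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\acer.exe:*:Enabled:Windows Messanger" | reg.exe',
    r'Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\sidebar.exe = "C:\\Windows\\Temp\\sidebar.exe:*:Enabled:Windows Messanger" | reg.exe',
    r'Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogIe = "C:\\Users\\Admin\\AppData\\Roaming\\sidebar .exe" | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe',
]


@dataclass
class Entry:
    op: str
    key: str             # full registry path; for 'Set value' rows the last component is the value name
    data: Optional[str]  # REG_SZ / REG_DWORD data, None for 'Key created'
    proc: str


def parse_row(row: str) -> Entry:
    op, ioc, proc = (c.strip() for c in row.split('|', 2))
    key, sep, data = ioc.partition(' = ')
    if sep:
        data = data.strip('"').replace('\\\\', '\\')  # undo the sandbox's backslash doubling
    return Entry(op, key, data if sep else None, proc)


def firewall_findings(e: Entry) -> List[str]:
    out = []
    k = e.key.lower()
    if '\\firewallpolicy\\' not in k or e.data is None:
        return out
    if k.endswith('\\donotallowexceptions') and e.data == '0':
        out.append('DoNotAllowExceptions reset to 0 (exception list active again)')
    if '\\authorizedapplications\\list\\' in k:
        m = EXCEPTION_RE.match(e.data)
        if m and m['mode'] == 'Enabled' and any(d in m['path'].lower() for d in SUSPECT_DIRS):
            out.append(f'firewall exception for {m["path"]} (scope {m["scope"]}, '
                       f'displayed as "{m["name"]}") in a user-writable directory')
    return out


def autorun_findings(e: Entry) -> List[str]:
    out = []
    if '\\currentversion\\run\\' not in e.key.lower() or e.data is None:
        return out
    name = e.key.rsplit('\\', 1)[1]
    folded = name.translate(HOMOGLYPHS).lower()
    if folded in BRANDS and name.lower() != folded:
        out.append(f'Run value name {name!r} is a homoglyph of {folded!r}')
    target = e.data.lower()
    if any(d in target for d in SUSPECT_DIRS):
        out.append(f'Run target {e.data} lives in a user-writable directory')
    if re.search(r'\s\.exe$', target):
        out.append(f'Run target {e.data} has a space before its extension')
    return out


def triage(rows: List[str]) -> dict:
    """Map each acting process to the findings its registry writes produced."""
    report: dict = {}
    for row in rows:
        e = parse_row(row)
        for finding in firewall_findings(e) + autorun_findings(e):
            report.setdefault(e.proc, []).append(finding)
    return report


if __name__ == '__main__':
    for proc, findings in triage(SAMPLE_ROWS).items():
        print(proc)
        for f in findings:
            print('  -', f)
```

On this report's rows the three reg.exe writes produce three findings (two enabled exceptions in user-writable paths, one DoNotAllowExceptions reset) and the sample's own Run-key write produces three more (brand homoglyph, AppData target, space before the extension). The same checks apply unchanged to a live export of `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy` and `HKCU\...\CurrentVersion\Run`, with the proviso that the `path:scope:mode:name` layout is the pre-Windows-Vista-advanced-firewall format and is only consulted by the legacy profile keys.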
Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 2916 set thread context of 2524 | 2916 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 33
PID 2216 set thread context of 2156 | 2216 | sidebar .exe | 56
PID 1956 set thread context of 912 | 1956 | sidebar .exe | 63
PID 2872 set thread context of 2576 | 2872 | sidebar .exe | 69
PID 1836 set thread context of 2420 | 1836 | sidebar .exe | 75
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 26 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 26 rows are "Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; the opening process, in report order: cmd.exe, PING.EXE, sidebar .exe, PING.EXE, sidebar .exe, sidebar.exe, cmd.exe, reg.exe, wscript.exe, sidebar.exe, cmd.exe, cmd.exe, cmd.exe, reg.exe, JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe, cmd.exe, sidebar .exe, sidebar.exe, reg.exe, PING.EXE, sidebar.exe, cmd.exe, sidebar.exe, PING.EXE, reg.exe, sidebar .exe (cmd.exe 7, sidebar.exe 5, PING.EXE 4, sidebar .exe 4, reg.exe 4, wscript.exe 1, the sample itself 1).
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 4 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid Process: 2208 PING.EXE, 1576 PING.EXE, 2832 PING.EXE, 1236 PING.EXE
Modifies registry key (1 TTPs, 4 IoCs)
pid Process: 1232 reg.exe, 1496 reg.exe, 1364 reg.exe, 2316 reg.exe
Runs ping.exe (1 TTPs, 4 IoCs)
pid Process: 2208 PING.EXE, 1576 PING.EXE, 2832 PING.EXE, 1236 PING.EXE
Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid Process: 2916 JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe (6 entries), 2216 sidebar .exe (6 entries), 1956 sidebar .exe (6 entries), 2872 sidebar .exe (6 entries), 1836 sidebar .exe (5 entries)
Suspicious use of AdjustPrivilegeToken (40 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2916 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
Token (35 entries, in this order) | 2524 | sidebar.exe: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
Token: SeDebugPrivilege | 2216 | sidebar .exe
Token: SeDebugPrivilege | 1956 | sidebar .exe
Token: SeDebugPrivilege | 2872 | sidebar .exe
Token: SeDebugPrivilege | 1836 | sidebar .exe
The 35 entries for PID 2524 are privilege LUIDs 1 through 35 adjusted in numeric order: 2 to 30 are the named privileges above, and the sandbox leaves 1 and 31 to 35 unnamed (on Windows 7, 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege). The payload asks for every privilege it can rather than the one it needs, which is itself a usable detection signal.
Suspicious use of SetWindowsHookEx (11 IoCs)
pid Process: 2524 sidebar.exe (3 entries), 2156 sidebar.exe (2 entries), 912 sidebar.exe (2 entries), 2576 sidebar.exe (2 entries), 2420 sidebar.exe (2 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | repeats
PID 2916 wrote to memory of 1640 | 2916 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 30 | x4
PID 2916 wrote to memory of 2584 | 2916 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 32 | x4
PID 1640 wrote to memory of 2592 | 1640 | cmd.exe | 34 | x4
PID 2916 wrote to memory of 2524 | 2916 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 33 | x8
PID 2916 wrote to memory of 3048 | 2916 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 35 | x4
PID 2916 wrote to memory of 2544 | 2916 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 36 | x4
PID 2592 wrote to memory of 1568 | 2592 | wscript.exe | 37 | x4
PID 2524 wrote to memory of 2276 | 2524 | sidebar.exe | 39 | x4
PID 2524 wrote to memory of 1852 | 2524 | sidebar.exe | 40 | x4
PID 2524 wrote to memory of 2388 | 2524 | sidebar.exe | 41 | x4
PID 2524 wrote to memory of 2396 | 2524 | sidebar.exe | 42 | x4
PID 1852 wrote to memory of 2316 | 1852 | cmd.exe | 47 | x4
PID 2276 wrote to memory of 1232 | 2276 | cmd.exe | 48 | x4
PID 2396 wrote to memory of 1364 | 2396 | cmd.exe | 49 | x4
PID 2388 wrote to memory of 1496 | 2388 | cmd.exe | 50 | x4
Rows are in the report's order and the repeat count is how often the sandbox logged the same write; procid_target is the sandbox's own process index, not the OS PID. The table stops at 64 rows, so the later sidebar .exe parents (2216, 1956, 2872, 1836) have no write rows here even though their SetThreadContext rows above show the same inject-then-redirect pattern as 2916 to 2524.
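Three of the tables above describe one event from three angles. SetThreadContext says who redirected the main thread of whom; Executes dropped EXE says the targets are fresh sidebar.exe instances; the Blackshades YARA rows say where the RAT code ended up, and every hit sits in 0x400000-0x470000 of exactly those targets, which is the conventional preferred image base of a 32-bit PE, i.e. the region the original sidebar.exe image occupied before it was overwritten. That is the process-hollowing picture. The script below is an added example, not part of the sandbox report and not Blackshades code, that joins the three tables and separates the hollowed children from the untouched ones. The rows are copied from the report in the `col | col` layout used above, the eleven repeated YARA rows for PID 2524 are collapsed to one, and DEFAULT_IMAGE_BASE is stated as an assumption about this sample rather than something the report asserts.

```python
"""Join three signature tables to find process-hollowing victims:
SetThreadContext (who redirected whom), Executes dropped EXE (what the
victims are) and the Blackshades payload YARA hits (where the RAT code is).

Added example: not part of the sandbox report and not Blackshades code."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Rows copied from the report (constructed input for this example).
SET_THREAD_CONTEXT = [
    'PID 2916 set thread context of 2524 | 2916 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 33',
    'PID 2216 set thread context of 2156 | 2216 | sidebar .exe | 56',
    'PID 1956 set thread context of 912 | 1956 | sidebar .exe | 63',
    'PID 2872 set thread context of 2576 | 2872 | sidebar .exe | 69',
    'PID 1836 set thread context of 2420 | 1836 | sidebar .exe | 75',
]
DROPPED_EXE = ('2524 sidebar.exe, 3048 sidebar.exe, 2584 sidebar.exe, 2544 sidebar.exe, '
               '2216 sidebar .exe, 2156 sidebar.exe, 1360 sidebar.exe, 2056 sidebar.exe, '
               '1616 sidebar.exe, 1956 sidebar .exe, 912 sidebar.exe, 2384 sidebar.exe, '
               '1584 sidebar.exe, 904 sidebar.exe, 2872 sidebar .exe, 2576 sidebar.exe, '
               '2992 sidebar.exe, 2560 sidebar.exe, 480 sidebar.exe, 1836 sidebar .exe, '
               '2420 sidebar.exe, 2800 sidebar.exe, 2380 sidebar.exe, 2732 sidebar.exe')
YARA_HITS = [  # one row per distinct PID; the report lists PID 2524 eleven times
    'behavioral1/memory/2524-37-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades',
    'behavioral1/memory/2156-88-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades',
    'behavioral1/memory/912-113-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades',
    'behavioral1/memory/2576-132-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades',
    'behavioral1/memory/2420-155-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades',
]

CTX_RE = re.compile(r'PID (\d+) set thread context of (\d+)')
MEM_RE = re.compile(r'memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp')
DEFAULT_IMAGE_BASE = 0x400000  # conventional 32-bit PE preferred base; assumption about this sample


def parse_thread_context(rows: List[str]) -> List[Tuple[int, int, str]]:
    """(parent pid, child pid, parent image) per row."""
    out = []
    for row in rows:
        desc, _pid, image, _target = (c.strip() for c in row.split('|'))
        m = CTX_RE.search(desc)
        out.append((int(m[1]), int(m[2]), image))
    return out


def parse_dropped(listing: str) -> Dict[int, str]:
    """'pid image, pid image, ...' -> {pid: image}; image names may contain spaces."""
    result = {}
    for item in listing.split(','):
        pid, image = item.strip().split(' ', 1)
        result[int(pid)] = image
    return result


def parse_yara(rows: List[str]) -> Dict[int, Set[Tuple[int, int, str]]]:
    """pid -> {(region start, region end, rule name)}"""
    hits: Dict[int, Set[Tuple[int, int, str]]] = defaultdict(set)
    for row in rows:
        resource, rule = (c.strip() for c in row.split('|'))
        m = MEM_RE.search(resource)
        hits[int(m[1])].add((int(m[2], 16), int(m[3], 16), rule))
    return hits


def hollowing_candidates(ctx_rows, dropped_listing, yara_rows) -> List[dict]:
    """A dropped EXE whose main thread was redirected by its parent, with the payload regions found in it."""
    dropped = parse_dropped(dropped_listing)
    hits = parse_yara(yara_rows)
    found = []
    for parent, child, parent_image in parse_thread_context(ctx_rows):
        if child not in dropped:
            continue  # redirect into a process the sandbox never saw start; out of scope here
        regions = sorted(hits.get(child, ()))
        found.append({
            'parent': parent, 'parent_image': parent_image,
            'child': child, 'child_image': dropped[child],
            'payload': [(f'0x{s:x}-0x{e:x}', rule) for s, e, rule in regions],
            'payload_at_image_base': any(s == DEFAULT_IMAGE_BASE for s, _, _ in regions),
        })
    return found


def untouched_children(dropped_listing: str, candidates: List[dict]) -> List[int]:
    """Dropped-EXE instances that no parent redirected a thread into."""
    hollowed = {c['child'] for c in candidates}
    return sorted(pid for pid in parse_dropped(dropped_listing) if pid not in hollowed)


if __name__ == '__main__':
    cands = hollowing_candidates(SET_THREAD_CONTEXT, DROPPED_EXE, YARA_HITS)
    for c in cands:
        print(f"{c['parent_image']} ({c['parent']}) -> {c['child_image']} ({c['child']}): {c['payload']}")
    print('never hollowed:', untouched_children(DROPPED_EXE, cands))
```

Run on the report's rows this yields five hollowed children (2524, 2156, 912, 2576, 2420), each with the family_blackshades hit at 0x400000-0x470000, and nineteen sidebar.exe instances that were started but never redirected. The five hollowed PIDs are also exactly the five that appear under "Suspicious use of SetWindowsHookEx" above, which is where the RAT's input hook shows up; the untouched instances show no such behaviour. The DEFAULT_IMAGE_BASE check is a heuristic: a payload that relocates itself, or a host image linked with a non-default base, would need the actual image base from the process rather than the constant.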
Processes (behavioral1; [n] is the depth in the tree, children are indented under their parent)

[1] PID 2916  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe"
    signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  [2] PID 1640  C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\lala.bat" "
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    [3] PID 2592  C:\Windows\SysWOW64\wscript.exe
        cmdline: wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\lala2.bat
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      [4] PID 1568  C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\lala2.bat" "
          signatures: Drops startup file; System Location Discovery: System Language Discovery
  [2] PID 2584  C:\Windows\Temp\sidebar.exe  (cmdline identical)
      signatures: Executes dropped EXE
  [2] PID 2524  C:\Windows\Temp\sidebar.exe  (cmdline identical)
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    [3] PID 2276  C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      [4] PID 1232  C:\Windows\SysWOW64\reg.exe
          cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    [3] PID 1852  C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\sidebar.exe" /t REG_SZ /d "C:\Windows\Temp\sidebar.exe:*:Enabled:Windows Messanger" /f
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      [4] PID 2316  C:\Windows\SysWOW64\reg.exe
          cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\sidebar.exe" /t REG_SZ /d "C:\Windows\Temp\sidebar.exe:*:Enabled:Windows Messanger" /f
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    [3] PID 2388  C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      [4] PID 1496  C:\Windows\SysWOW64\reg.exe
          cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    [3] PID 2396  C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\acer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\acer.exe:*:Enabled:Windows Messanger" /f
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      [4] PID 1364  C:\Windows\SysWOW64\reg.exe
          cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\acer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\acer.exe:*:Enabled:Windows Messanger" /f
          signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
  [2] PID 3048  C:\Windows\Temp\sidebar.exe  (cmdline identical)
      signatures: Executes dropped EXE
  [2] PID 2544  C:\Windows\Temp\sidebar.exe  (cmdline identical)
      signatures: Executes dropped EXE
  [2] PID 1932  C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\per.bat" "
      signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
    [3] PID 2208  C:\Windows\SysWOW64\PING.EXE
        cmdline: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    [3] PID 2216  C:\Users\Admin\AppData\Roaming\sidebar .exe
        cmdline: "C:\Users\Admin\AppData\Roaming\sidebar .exe"
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] PID 1360  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
      [4] PID 2156  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      [4] PID 2056  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
      [4] PID 1616  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
    [3] PID 1576  C:\Windows\SysWOW64\PING.EXE
        cmdline: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    [3] PID 1956  C:\Users\Admin\AppData\Roaming\sidebar .exe
        cmdline: "C:\Users\Admin\AppData\Roaming\sidebar .exe"
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] PID 904  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
      [4] PID 912  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      [4] PID 2384  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
      [4] PID 1584  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
    [3] PID 2832  C:\Windows\SysWOW64\PING.EXE
        cmdline: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    [3] PID 2872  C:\Users\Admin\AppData\Roaming\sidebar .exe
        cmdline: "C:\Users\Admin\AppData\Roaming\sidebar .exe"
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] PID 2560  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
      [4] PID 2576  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      [4] PID 480  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
      [4] PID 2992  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
    [3] PID 1236  C:\Windows\SysWOW64\PING.EXE
        cmdline: ping 1.1.1.1 -n 1 -w 3000
        signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    [3] PID 1836  C:\Users\Admin\AppData\Roaming\sidebar .exe
        cmdline: "C:\Users\Admin\AppData\Roaming\sidebar .exe"
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] PID 2380  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
      [4] PID 2420  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      [4] PID 2732  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
      [4] PID 2800  C:\Windows\Temp\sidebar.exe  (cmdline identical)
          signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Impair Defenses (1): Disable or Modify System Firewall (1)
  Modify Registry (3)
Downloads

Filesize: 78B
MD5: c578d9653b22800c3eb6b6a51219bbb8
SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Filesize: 53B
MD5: da2f62b3f68d61e7ff27df1155637ae1
SHA1: 326f9ab4df92d730d0f22d0ee5e0faf661c7ac59
SHA256: 547013d5a8e3c6f94e61a6e9d0a052451e4a73e54b11b8dd4d1ff357f96cad41
SHA512: f2e24b25add6479f5cc6746392be03f2d6a1ed3afd6b279aefa5614b81279d45c572344e24e3daf849974bc5fae3c0451ddf2c66e338268d22589aeb2b41c34d

Filesize: 158B
MD5: 8cfac7da0aee569085574419450d5bf8
SHA1: 1847e99f86c011aabf610c2f08561d5ad84c7fbc
SHA256: b9318322b53fb957554e9f876b997f04bf24cab45fcd8c3a70d9432485205ff7
SHA512: 545c4a1e045230b3fe933e951ece02b90388fe4d839705f0a948952ea254e2ee4859afc951581a7af93e2cab1a6bfa0800a99406faa535681c1a1c7d3b614136

Filesize: 107B
MD5: 4a27d520d3b75c616febcfdb51050e93
SHA1: 7ca1a6fe3dffd7069847cbc39eeaf414ff2e6320
SHA256: b03c8cebc68fc2f77101bebfcf99f97ff399398251abb4ddd257f21eba4edf8d
SHA512: 6657a3e9dc893e94830b7612da7d6efed4d689de48b72774a9be1df865186b9bffd14d80ca42b100482c8366f6ad395712fe0840aecea72201332745ed2cef6b

Filesize: 902KB (identical hashes to the submitted sample)
MD5: 7182e7c37759126da58b5fb29296de8e
SHA1: c6f4fa352e3c1e47a0e146bce1c6fa2574152b77
SHA256: 10e3833de2ebf0dc6e16a94dae301b03d1079d2b94295eb941661ec731812ebb
SHA512: 040fd58614bcc1c81487a3a0b98d8e6c8bd94f4a07b652bece474fde15316945b5ed12439210c9553f8dfce53d4bc923565372b644dae58d6b2d7af1cc759a2c

Filesize: 1.1MB
MD5: 34aa912defa18c2c129f1e09d75c1d7e
SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98