Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250129-en locale:en-us os:windows10-2004-x64 system
submitted: 01/02/2025, 12:00
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
Size: 902KB
MD5: 7182e7c37759126da58b5fb29296de8e
SHA1: c6f4fa352e3c1e47a0e146bce1c6fa2574152b77
SHA256: 10e3833de2ebf0dc6e16a94dae301b03d1079d2b94295eb941661ec731812ebb
SHA512: 040fd58614bcc1c81487a3a0b98d8e6c8bd94f4a07b652bece474fde15316945b5ed12439210c9553f8dfce53d4bc923565372b644dae58d6b2d7af1cc759a2c
SSDEEP: 12288:hg3aYMKqek4IxBKB8kWlyWdY3fNzEpGP/zLyQrnpEKlljPiZashMycuyUsKzeW1+:JyCBKB8Blo1zk8LyQ7aZcTKqW5p
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload (17 IoCs)
resource | yara_rule
behavioral2/memory/4184-22-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-17-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-38-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-44-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/764-54-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-56-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-59-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-60-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-64-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4412-74-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-75-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-76-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-79-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/3992-89-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-93-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/4184-94-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/3772-104-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
Modifies firewall policy service (3 TTPs, 10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\sidebar.exe = "C:\\Windows\\Temp\\sidebar.exe:*:Enabled:Windows Messanger" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\acer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\acer.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sidebar .exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sidebar .exe | cmd.exe
Executes dropped EXE (9 IoCs)
pid | Process
4184 | sidebar.exe
3724 | sidebar .exe
764 | sidebar.exe
2664 | sidebar .exe
4412 | sidebar.exe
2824 | sidebar .exe
3992 | sidebar.exe
2776 | sidebar .exe
3772 | sidebar.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogIe = "C:\\Users\\Admin\\AppData\\Roaming\\sidebar .exe" | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 2196 set thread context of 4184 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 89
PID 3724 set thread context of 764 | 3724 | sidebar .exe | 112
PID 2664 set thread context of 4412 | 2664 | sidebar .exe | 121
PID 2824 set thread context of 3992 | 2824 | sidebar .exe | 127
PID 2776 set thread context of 3772 | 2776 | sidebar .exe | 133
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 26 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sidebar.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sidebar .exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sidebar.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sidebar .exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sidebar .exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sidebar.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sidebar .exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sidebar.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sidebar.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wscript.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 4 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3948 | PING.EXE
4232 | PING.EXE
384 | PING.EXE
4332 | PING.EXE
Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
544 | reg.exe
3704 | reg.exe
4824 | reg.exe
4464 | reg.exe
Runs ping.exe (1 TTPs, 4 IoCs)
pid | Process
3948 | PING.EXE
4232 | PING.EXE
384 | PING.EXE
4332 | PING.EXE
Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid | Process
2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
3724 | sidebar .exe
3724 | sidebar .exe
3724 | sidebar .exe
3724 | sidebar .exe
3724 | sidebar .exe
3724 | sidebar .exe
2664 | sidebar .exe
2664 | sidebar .exe
2664 | sidebar .exe
2664 | sidebar .exe
2664 | sidebar .exe
2664 | sidebar .exe
2824 | sidebar .exe
2824 | sidebar .exe
2824 | sidebar .exe
2824 | sidebar .exe
2824 | sidebar .exe
2824 | sidebar .exe
2776 | sidebar .exe
2776 | sidebar .exe
2776 | sidebar .exe
2776 | sidebar .exe
2776 | sidebar .exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
Token: 1 | 4184 | sidebar.exe
Token: SeCreateTokenPrivilege | 4184 | sidebar.exe
Token: SeAssignPrimaryTokenPrivilege | 4184 | sidebar.exe
Token: SeLockMemoryPrivilege | 4184 | sidebar.exe
Token: SeIncreaseQuotaPrivilege | 4184 | sidebar.exe
Token: SeMachineAccountPrivilege | 4184 | sidebar.exe
Token: SeTcbPrivilege | 4184 | sidebar.exe
Token: SeSecurityPrivilege | 4184 | sidebar.exe
Token: SeTakeOwnershipPrivilege | 4184 | sidebar.exe
Token: SeLoadDriverPrivilege | 4184 | sidebar.exe
Token: SeSystemProfilePrivilege | 4184 | sidebar.exe
Token: SeSystemtimePrivilege | 4184 | sidebar.exe
Token: SeProfSingleProcessPrivilege | 4184 | sidebar.exe
Token: SeIncBasePriorityPrivilege | 4184 | sidebar.exe
Token: SeCreatePagefilePrivilege | 4184 | sidebar.exe
Token: SeCreatePermanentPrivilege | 4184 | sidebar.exe
Token: SeBackupPrivilege | 4184 | sidebar.exe
Token: SeRestorePrivilege | 4184 | sidebar.exe
Token: SeShutdownPrivilege | 4184 | sidebar.exe
Token: SeDebugPrivilege | 4184 | sidebar.exe
Token: SeAuditPrivilege | 4184 | sidebar.exe
Token: SeSystemEnvironmentPrivilege | 4184 | sidebar.exe
Token: SeChangeNotifyPrivilege | 4184 | sidebar.exe
Token: SeRemoteShutdownPrivilege | 4184 | sidebar.exe
Token: SeUndockPrivilege | 4184 | sidebar.exe
Token: SeSyncAgentPrivilege | 4184 | sidebar.exe
Token: SeEnableDelegationPrivilege | 4184 | sidebar.exe
Token: SeManageVolumePrivilege | 4184 | sidebar.exe
Token: SeImpersonatePrivilege | 4184 | sidebar.exe
Token: SeCreateGlobalPrivilege | 4184 | sidebar.exe
Token: 31 | 4184 | sidebar.exe
Token: 32 | 4184 | sidebar.exe
Token: 33 | 4184 | sidebar.exe
Token: 34 | 4184 | sidebar.exe
Token: 35 | 4184 | sidebar.exe
Token: SeDebugPrivilege | 3724 | sidebar .exe
Token: SeDebugPrivilege | 2664 | sidebar .exe
Token: SeDebugPrivilege | 2824 | sidebar .exe
Token: SeDebugPrivilege | 2776 | sidebar .exe
Suspicious use of SetWindowsHookEx (11 IoCs)
pid | Process
4184 | sidebar.exe
4184 | sidebar.exe
4184 | sidebar.exe
764 | sidebar.exe
764 | sidebar.exe
4412 | sidebar.exe
4412 | sidebar.exe
3992 | sidebar.exe
3992 | sidebar.exe
3772 | sidebar.exe
3772 | sidebar.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2196 wrote to memory of 4336 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 86
PID 2196 wrote to memory of 4336 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 86
PID 2196 wrote to memory of 4336 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 86
PID 2196 wrote to memory of 2684 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 88
PID 2196 wrote to memory of 2684 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 88
PID 2196 wrote to memory of 2684 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 88
PID 2196 wrote to memory of 4184 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 89
PID 2196 wrote to memory of 4184 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 89
PID 2196 wrote to memory of 4184 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 89
PID 2196 wrote to memory of 4184 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 89
PID 4336 wrote to memory of 2260 | 4336 | cmd.exe | 90
PID 4336 wrote to memory of 2260 | 4336 | cmd.exe | 90
PID 4336 wrote to memory of 2260 | 4336 | cmd.exe | 90
PID 2196 wrote to memory of 4184 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 89
PID 2196 wrote to memory of 4184 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 89
PID 2196 wrote to memory of 4184 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 89
PID 2196 wrote to memory of 4184 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 89
PID 2196 wrote to memory of 3792 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 91
PID 2196 wrote to memory of 3792 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 91
PID 2196 wrote to memory of 3792 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 91
PID 2196 wrote to memory of 3688 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 92
PID 2196 wrote to memory of 3688 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 92
PID 2196 wrote to memory of 3688 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 92
PID 4184 wrote to memory of 5100 | 4184 | sidebar.exe | 93
PID 4184 wrote to memory of 5100 | 4184 | sidebar.exe | 93
PID 4184 wrote to memory of 5100 | 4184 | sidebar.exe | 93
PID 4184 wrote to memory of 1912 | 4184 | sidebar.exe | 94
PID 4184 wrote to memory of 1912 | 4184 | sidebar.exe | 94
PID 4184 wrote to memory of 1912 | 4184 | sidebar.exe | 94
PID 4184 wrote to memory of 5104 | 4184 | sidebar.exe | 95
PID 4184 wrote to memory of 5104 | 4184 | sidebar.exe | 95
PID 4184 wrote to memory of 5104 | 4184 | sidebar.exe | 95
PID 4184 wrote to memory of 5108 | 4184 | sidebar.exe | 96
PID 4184 wrote to memory of 5108 | 4184 | sidebar.exe | 96
PID 4184 wrote to memory of 5108 | 4184 | sidebar.exe | 96
PID 2260 wrote to memory of 3992 | 2260 | wscript.exe | 101
PID 2260 wrote to memory of 3992 | 2260 | wscript.exe | 101
PID 2260 wrote to memory of 3992 | 2260 | wscript.exe | 101
PID 1912 wrote to memory of 3704 | 1912 | cmd.exe | 103
PID 1912 wrote to memory of 3704 | 1912 | cmd.exe | 103
PID 1912 wrote to memory of 3704 | 1912 | cmd.exe | 103
PID 5108 wrote to memory of 4464 | 5108 | cmd.exe | 104
PID 5108 wrote to memory of 4464 | 5108 | cmd.exe | 104
PID 5108 wrote to memory of 4464 | 5108 | cmd.exe | 104
PID 5104 wrote to memory of 4824 | 5104 | cmd.exe | 105
PID 5104 wrote to memory of 4824 | 5104 | cmd.exe | 105
PID 5104 wrote to memory of 4824 | 5104 | cmd.exe | 105
PID 5100 wrote to memory of 544 | 5100 | cmd.exe | 106
PID 5100 wrote to memory of 544 | 5100 | cmd.exe | 106
PID 5100 wrote to memory of 544 | 5100 | cmd.exe | 106
PID 2196 wrote to memory of 4264 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 107
PID 2196 wrote to memory of 4264 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 107
PID 2196 wrote to memory of 4264 | 2196 | JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe | 107
PID 4264 wrote to memory of 3948 | 4264 | cmd.exe | 109
PID 4264 wrote to memory of 3948 | 4264 | cmd.exe | 109
PID 4264 wrote to memory of 3948 | 4264 | cmd.exe | 109
PID 4264 wrote to memory of 3724 | 4264 | cmd.exe | 110
PID 4264 wrote to memory of 3724 | 4264 | cmd.exe | 110
PID 4264 wrote to memory of 3724 | 4264 | cmd.exe | 110
PID 3724 wrote to memory of 460 | 3724 | sidebar .exe | 111
PID 3724 wrote to memory of 460 | 3724 | sidebar .exe | 111
PID 3724 wrote to memory of 460 | 3724 | sidebar .exe | 111
PID 3724 wrote to memory of 764 | 3724 | sidebar .exe | 112
PID 3724 wrote to memory of 764 | 3724 | sidebar .exe | 112
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7182e7c37759126da58b5fb29296de8e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2196
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\lala.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4336
    C:\Windows\SysWOW64\wscript.exe
      command line: wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\lala2.bat
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2260
      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\lala2.bat" "
        - Drops startup file
        - System Location Discovery: System Language Discovery
        PID: 3992
  C:\Windows\Temp\sidebar.exe
    command line: C:\Windows\Temp\sidebar.exe
    PID: 2684
  C:\Windows\Temp\sidebar.exe
    command line: C:\Windows\Temp\sidebar.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4184
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5100
      C:\Windows\SysWOW64\reg.exe
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 544
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\sidebar.exe" /t REG_SZ /d "C:\Windows\Temp\sidebar.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1912
      C:\Windows\SysWOW64\reg.exe
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\sidebar.exe" /t REG_SZ /d "C:\Windows\Temp\sidebar.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 3704
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5104
      C:\Windows\SysWOW64\reg.exe
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 4824
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\acer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\acer.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5108
      C:\Windows\SysWOW64\reg.exe
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\acer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\acer.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 4464
  C:\Windows\Temp\sidebar.exe
    command line: C:\Windows\Temp\sidebar.exe
    PID: 3792
  C:\Windows\Temp\sidebar.exe
    command line: C:\Windows\Temp\sidebar.exe
    PID: 3688
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\per.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4264
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 1.1.1.1 -n 1 -w 3000
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 3948
    C:\Users\Admin\AppData\Roaming\sidebar .exe
      command line: "C:\Users\Admin\AppData\Roaming\sidebar .exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3724
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 460
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 764
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 4872
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 2164
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 1.1.1.1 -n 1 -w 3000
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 4232
    C:\Users\Admin\AppData\Roaming\sidebar .exe
      command line: "C:\Users\Admin\AppData\Roaming\sidebar .exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2664
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 1940
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 4412
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 4572
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 2240
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 1.1.1.1 -n 1 -w 3000
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 384
    C:\Users\Admin\AppData\Roaming\sidebar .exe
      command line: "C:\Users\Admin\AppData\Roaming\sidebar .exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2824
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 1012
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 3992
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 1788
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 1204
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 1.1.1.1 -n 1 -w 3000
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 4332
    C:\Users\Admin\AppData\Roaming\sidebar .exe
      command line: "C:\Users\Admin\AppData\Roaming\sidebar .exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2776
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 3924
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 3772
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 4736
      C:\Windows\Temp\sidebar.exe
        command line: C:\Windows\Temp\sidebar.exe
        PID: 1104
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
Defense Evasion
  Impair Defenses 1
    Disable or Modify System Firewall 1
  Modify Registry 3
Downloads
Filesize: 588B
MD5: bbc3cfe1a58732a0477f72ea3d36c7bf
SHA1: fb801263330aa243f63270138ab467a627dffc2e
SHA256: 9269d4383b8effa928b7b4a7b38ffa07587b23851f9430fbfe8e7284f845e722
SHA512: 5bfdc6520a7a0884e3ccdf26ab0fe536327c9f3330f7f78bed2ed4c89fc31b04ad0c4b4bd6f8f1bca08ef04e46b833b798726dca7f40ccc27c871847ec041be4

Filesize: 78B
MD5: c578d9653b22800c3eb6b6a51219bbb8
SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Filesize: 53B
MD5: da2f62b3f68d61e7ff27df1155637ae1
SHA1: 326f9ab4df92d730d0f22d0ee5e0faf661c7ac59
SHA256: 547013d5a8e3c6f94e61a6e9d0a052451e4a73e54b11b8dd4d1ff357f96cad41
SHA512: f2e24b25add6479f5cc6746392be03f2d6a1ed3afd6b279aefa5614b81279d45c572344e24e3daf849974bc5fae3c0451ddf2c66e338268d22589aeb2b41c34d

Filesize: 158B
MD5: 8cfac7da0aee569085574419450d5bf8
SHA1: 1847e99f86c011aabf610c2f08561d5ad84c7fbc
SHA256: b9318322b53fb957554e9f876b997f04bf24cab45fcd8c3a70d9432485205ff7
SHA512: 545c4a1e045230b3fe933e951ece02b90388fe4d839705f0a948952ea254e2ee4859afc951581a7af93e2cab1a6bfa0800a99406faa535681c1a1c7d3b614136

Filesize: 107B
MD5: 4a27d520d3b75c616febcfdb51050e93
SHA1: 7ca1a6fe3dffd7069847cbc39eeaf414ff2e6320
SHA256: b03c8cebc68fc2f77101bebfcf99f97ff399398251abb4ddd257f21eba4edf8d
SHA512: 6657a3e9dc893e94830b7612da7d6efed4d689de48b72774a9be1df865186b9bffd14d80ca42b100482c8366f6ad395712fe0840aecea72201332745ed2cef6b

Filesize: 902KB
MD5: 7182e7c37759126da58b5fb29296de8e
SHA1: c6f4fa352e3c1e47a0e146bce1c6fa2574152b77
SHA256: 10e3833de2ebf0dc6e16a94dae301b03d1079d2b94295eb941661ec731812ebb
SHA512: 040fd58614bcc1c81487a3a0b98d8e6c8bd94f4a07b652bece474fde15316945b5ed12439210c9553f8dfce53d4bc923565372b644dae58d6b2d7af1cc759a2c

Filesize: 1.1MB
MD5: d881de17aa8f2e2c08cbb7b265f928f9
SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34