blackshades | e5db0bf82c2b0247f420ab75c8f67783b9a49528a5160ae8a5a6deffd931c475

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe
Size

1.9MB
MD5

74d0a7f3410117d31bf03a98a2396a8a
SHA1

c9a38204c45c1891ee1811ede9cb23c5e4328245
SHA256

e5db0bf82c2b0247f420ab75c8f67783b9a49528a5160ae8a5a6deffd931c475
SHA512

6553244a96fb97b859d6dd7375c7d15af23e337101378d1cd194c9019a83c2991e1c851c4e576bbf782d7b66f74447152dd37a642ed1e099332997848c3f676f
SSDEEP

49152:UtYhJa7Gq5iCpxy/n6XWhMkqn5Fq9ulrHTIZmH:s2U9ECpmZMB5Fq9grMZmH

Score

10^/10

blackshades bootkit defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 2 IoCs

resource	yara_rule
behavioral1/memory/1028-62-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/1028-59-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\lwss.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lwss.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\jMiC3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jMiC3.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	jMiC3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\lwss.exe"	jMiC3.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components\{B2EBFDFF-1FD4-FCF7-FDCC-DC1CBFA10AEC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lwss.exe"	jMiC3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2EBFDFF-1FD4-FCF7-FDCC-DC1CBFA10AEC}	jMiC3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2EBFDFF-1FD4-FCF7-FDCC-DC1CBFA10AEC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lwss.exe"	jMiC3.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B2EBFDFF-1FD4-FCF7-FDCC-DC1CBFA10AEC}	jMiC3.exe

Executes dropped EXE 3 IoCs

pid	Process
580	jMiC3.exe
2692	jMiC3.exe
1028	jMiC3.exe

Loads dropped DLL 4 IoCs

pid	Process
1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe
1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe
580	jMiC3.exe
2692	jMiC3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\lwss.exe"	jMiC3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\lwss.exe"	jMiC3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe
File opened for modification	\??\PhysicalDrive0	jMiC3.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 1944	2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	31
PID 580 set thread context of 2692	580	jMiC3.exe	34
PID 2692 set thread context of 1028	2692	jMiC3.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jMiC3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jMiC3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jMiC3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2248	reg.exe
2496	reg.exe
2104	reg.exe
1204	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1044	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1044	vlc.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: 33	1044	vlc.exe
Token: SeIncBasePriorityPrivilege	1044	vlc.exe
Token: 1	1028	jMiC3.exe
Token: SeCreateTokenPrivilege	1028	jMiC3.exe
Token: SeAssignPrimaryTokenPrivilege	1028	jMiC3.exe
Token: SeLockMemoryPrivilege	1028	jMiC3.exe
Token: SeIncreaseQuotaPrivilege	1028	jMiC3.exe
Token: SeMachineAccountPrivilege	1028	jMiC3.exe
Token: SeTcbPrivilege	1028	jMiC3.exe
Token: SeSecurityPrivilege	1028	jMiC3.exe
Token: SeTakeOwnershipPrivilege	1028	jMiC3.exe
Token: SeLoadDriverPrivilege	1028	jMiC3.exe
Token: SeSystemProfilePrivilege	1028	jMiC3.exe
Token: SeSystemtimePrivilege	1028	jMiC3.exe
Token: SeProfSingleProcessPrivilege	1028	jMiC3.exe
Token: SeIncBasePriorityPrivilege	1028	jMiC3.exe
Token: SeCreatePagefilePrivilege	1028	jMiC3.exe
Token: SeCreatePermanentPrivilege	1028	jMiC3.exe
Token: SeBackupPrivilege	1028	jMiC3.exe
Token: SeRestorePrivilege	1028	jMiC3.exe
Token: SeShutdownPrivilege	1028	jMiC3.exe
Token: SeDebugPrivilege	1028	jMiC3.exe
Token: SeAuditPrivilege	1028	jMiC3.exe
Token: SeSystemEnvironmentPrivilege	1028	jMiC3.exe
Token: SeChangeNotifyPrivilege	1028	jMiC3.exe
Token: SeRemoteShutdownPrivilege	1028	jMiC3.exe
Token: SeUndockPrivilege	1028	jMiC3.exe
Token: SeSyncAgentPrivilege	1028	jMiC3.exe
Token: SeEnableDelegationPrivilege	1028	jMiC3.exe
Token: SeManageVolumePrivilege	1028	jMiC3.exe
Token: SeImpersonatePrivilege	1028	jMiC3.exe
Token: SeCreateGlobalPrivilege	1028	jMiC3.exe
Token: 31	1028	jMiC3.exe
Token: 32	1028	jMiC3.exe
Token: 33	1028	jMiC3.exe
Token: 34	1028	jMiC3.exe
Token: 35	1028	jMiC3.exe
Token: SeDebugPrivilege	1028	jMiC3.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe
1044	vlc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe
1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe
580	jMiC3.exe
1044	vlc.exe
2692	jMiC3.exe
1028	jMiC3.exe
1028	jMiC3.exe
1028	jMiC3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1944	2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	31
PID 2448 wrote to memory of 1944	2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	31
PID 2448 wrote to memory of 1944	2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	31
PID 2448 wrote to memory of 1944	2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	31
PID 2448 wrote to memory of 1944	2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	31
PID 2448 wrote to memory of 1944	2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	31
PID 2448 wrote to memory of 1944	2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	31
PID 2448 wrote to memory of 1944	2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	31
PID 2448 wrote to memory of 1944	2448	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	31
PID 1944 wrote to memory of 1044	1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	32
PID 1944 wrote to memory of 1044	1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	32
PID 1944 wrote to memory of 1044	1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	32
PID 1944 wrote to memory of 1044	1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	32
PID 1944 wrote to memory of 580	1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	33
PID 1944 wrote to memory of 580	1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	33
PID 1944 wrote to memory of 580	1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	33
PID 1944 wrote to memory of 580	1944	JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe	33
PID 580 wrote to memory of 2692	580	jMiC3.exe	34
PID 580 wrote to memory of 2692	580	jMiC3.exe	34
PID 580 wrote to memory of 2692	580	jMiC3.exe	34
PID 580 wrote to memory of 2692	580	jMiC3.exe	34
PID 580 wrote to memory of 2692	580	jMiC3.exe	34
PID 580 wrote to memory of 2692	580	jMiC3.exe	34
PID 580 wrote to memory of 2692	580	jMiC3.exe	34
PID 580 wrote to memory of 2692	580	jMiC3.exe	34
PID 580 wrote to memory of 2692	580	jMiC3.exe	34
PID 2692 wrote to memory of 1028	2692	jMiC3.exe	35
PID 2692 wrote to memory of 1028	2692	jMiC3.exe	35
PID 2692 wrote to memory of 1028	2692	jMiC3.exe	35
PID 2692 wrote to memory of 1028	2692	jMiC3.exe	35
PID 2692 wrote to memory of 1028	2692	jMiC3.exe	35
PID 2692 wrote to memory of 1028	2692	jMiC3.exe	35
PID 2692 wrote to memory of 1028	2692	jMiC3.exe	35
PID 2692 wrote to memory of 1028	2692	jMiC3.exe	35
PID 1028 wrote to memory of 2200	1028	jMiC3.exe	36
PID 1028 wrote to memory of 2200	1028	jMiC3.exe	36
PID 1028 wrote to memory of 2200	1028	jMiC3.exe	36
PID 1028 wrote to memory of 2200	1028	jMiC3.exe	36
PID 1028 wrote to memory of 2188	1028	jMiC3.exe	37
PID 1028 wrote to memory of 2188	1028	jMiC3.exe	37
PID 1028 wrote to memory of 2188	1028	jMiC3.exe	37
PID 1028 wrote to memory of 2188	1028	jMiC3.exe	37
PID 1028 wrote to memory of 1940	1028	jMiC3.exe	39
PID 1028 wrote to memory of 1940	1028	jMiC3.exe	39
PID 1028 wrote to memory of 1940	1028	jMiC3.exe	39
PID 1028 wrote to memory of 1940	1028	jMiC3.exe	39
PID 1028 wrote to memory of 2716	1028	jMiC3.exe	40
PID 1028 wrote to memory of 2716	1028	jMiC3.exe	40
PID 1028 wrote to memory of 2716	1028	jMiC3.exe	40
PID 1028 wrote to memory of 2716	1028	jMiC3.exe	40
PID 2200 wrote to memory of 2104	2200	cmd.exe	44
PID 2200 wrote to memory of 2104	2200	cmd.exe	44
PID 2200 wrote to memory of 2104	2200	cmd.exe	44
PID 2200 wrote to memory of 2104	2200	cmd.exe	44
PID 2716 wrote to memory of 1204	2716	cmd.exe	45
PID 2716 wrote to memory of 1204	2716	cmd.exe	45
PID 2716 wrote to memory of 1204	2716	cmd.exe	45
PID 2716 wrote to memory of 1204	2716	cmd.exe	45
PID 2188 wrote to memory of 2248	2188	cmd.exe	46
PID 2188 wrote to memory of 2248	2188	cmd.exe	46
PID 2188 wrote to memory of 2248	2188	cmd.exe	46
PID 2188 wrote to memory of 2248	2188	cmd.exe	46
PID 1940 wrote to memory of 2496	1940	cmd.exe	47
PID 1940 wrote to memory of 2496	1940	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74d0a7f3410117d31bf03a98a2396a8a.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\04.wmv"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1044
- - C:\Users\Admin\AppData\Local\Temp\jMiC3.exe
    "C:\Users\Admin\AppData\Local\Temp\jMiC3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\jMiC3.exe
      "C:\Users\Admin\AppData\Local\Temp\jMiC3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\jMiC3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jMiC3.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2104
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\jMiC3.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\jMiC3.exe:*:Enabled:Windows Messanger" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\jMiC3.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\jMiC3.exe:*:Enabled:Windows Messanger" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2496
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lwss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lwss.exe:*:Enabled:Windows Messanger" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lwss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lwss.exe:*:Enabled:Windows Messanger" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\04.wmv

Filesize
1.2MB

MD5
b05a1087990c0811ba805b486ef182ad

SHA1
54353d739ca493510a6e65365d0931031bc1cb6a

SHA256
717406e58bf6b0f6ef914102263c0f5b7096aa004e985774f01b132f60f8d0c9

SHA512
b0e1756cad4def64d4f521f9885f11f6a16eafc45cdffeede1523d7a912133c61fb92aa1d9eff6aede5dd8f447a0f0e5acddc8557183ce48913c3ee332649faf

Download Submit
\Users\Admin\AppData\Local\Temp\jMiC3.exe

Filesize
600KB

MD5
830e5e77ca8c49c9becc1524619c5155

SHA1
1704939c3fa88280406ee574b5deb1b4115e9cc6

SHA256
5f2c6fe763b1b800a9b77ec42f48ec4e16b4ae8c276bbdb9f78f79ad39b2e048

SHA512
3b454283ca544cb4d57964f519a8d76427f7878bcd61502f2da557ee8c04a428e1b4fbd86ec324f2901313065f28178a817768b65b08345a4531d4b09797b72c

Download Submit
memory/1028-55-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1028-57-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1028-59-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1028-62-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1044-90-0x000007FEF48C0000-0x000007FEF48DB000-memory.dmp

Filesize
108KB

Download
memory/1044-89-0x000007FEF48E0000-0x000007FEF48F1000-memory.dmp

Filesize
68KB

Download
memory/1044-84-0x000007FEF64C0000-0x000007FEF6501000-memory.dmp

Filesize
260KB

Download
memory/1044-85-0x000007FEF70A0000-0x000007FEF70C1000-memory.dmp

Filesize
132KB

Download
memory/1044-86-0x000007FEF64A0000-0x000007FEF64B8000-memory.dmp

Filesize
96KB

Download
memory/1044-87-0x000007FEF6480000-0x000007FEF6491000-memory.dmp

Filesize
68KB

Download
memory/1044-94-0x000007FEF47E0000-0x000007FEF4847000-memory.dmp

Filesize
412KB

Download
memory/1044-97-0x000007FEF46E0000-0x000007FEF4737000-memory.dmp

Filesize
348KB

Download
memory/1044-98-0x000007FEF46B0000-0x000007FEF46D8000-memory.dmp

Filesize
160KB

Download
memory/1044-99-0x000007FEF4680000-0x000007FEF46A4000-memory.dmp

Filesize
144KB

Download
memory/1044-95-0x000007FEF4760000-0x000007FEF47DC000-memory.dmp

Filesize
496KB

Download
memory/1044-96-0x000007FEF4740000-0x000007FEF4751000-memory.dmp

Filesize
68KB

Download
memory/1044-88-0x000007FEF60D0000-0x000007FEF60E1000-memory.dmp

Filesize
68KB

Download
memory/1044-73-0x000007FEFA480000-0x000007FEFA4B4000-memory.dmp

Filesize
208KB

Download
memory/1044-72-0x000000013FE60000-0x000000013FF58000-memory.dmp

Filesize
992KB

Download
memory/1044-81-0x000007FEF70D0000-0x000007FEF70E1000-memory.dmp

Filesize
68KB

Download
memory/1044-80-0x000007FEF70F0000-0x000007FEF710D000-memory.dmp

Filesize
116KB

Download
memory/1044-79-0x000007FEFA440000-0x000007FEFA451000-memory.dmp

Filesize
68KB

Download
memory/1044-78-0x000007FEFA460000-0x000007FEFA477000-memory.dmp

Filesize
92KB

Download
memory/1044-77-0x000007FEFA790000-0x000007FEFA7A1000-memory.dmp

Filesize
68KB

Download
memory/1044-76-0x000007FEFA920000-0x000007FEFA937000-memory.dmp

Filesize
92KB

Download
memory/1044-75-0x000007FEFAF90000-0x000007FEFAFA8000-memory.dmp

Filesize
96KB

Download
memory/1044-74-0x000007FEF5BC0000-0x000007FEF5E76000-memory.dmp

Filesize
2.7MB

Download
memory/1044-82-0x000007FEF59B0000-0x000007FEF5BBB000-memory.dmp

Filesize
2.0MB

Download
memory/1044-93-0x000007FEF4850000-0x000007FEF4880000-memory.dmp

Filesize
192KB

Download
memory/1044-92-0x000007FEF4880000-0x000007FEF4898000-memory.dmp

Filesize
96KB

Download
memory/1044-91-0x000007FEF48A0000-0x000007FEF48B1000-memory.dmp

Filesize
68KB

Download
memory/1944-12-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1944-28-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1944-16-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1944-2-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1944-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1944-6-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1944-4-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2692-42-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2692-49-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2692-65-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2692-51-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2692-44-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2692-40-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads