blackshades | a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232

Analysis

max time kernel
84s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe
Size

405KB
MD5

ba05f63495275d500a036d9cc3fac719
SHA1

c09f64f558278b347500365e391c3bd2e578a251
SHA256

a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232
SHA512

fc0cc951f22565ed035b347a894de4a4907177f4ac78b3b09f54618d20e5149104ba9068d81d8b13c658940aceac84021bbb314ebd6d33ffad709623ac9f16a2
SSDEEP

6144:foYn9sE89XKTK/J6brj3nmHWrt63P5A9GJ6vbmF4ifKyjlKI4r3mzzrLVIo8ZJrB:ZsNDBIrCHWux6iFTJf4r2zPBv8Xi8xSC

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral2/memory/5084-63-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/5084-78-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/5084-80-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/5084-83-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/5084-85-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/5084-87-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/5084-90-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/5084-92-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/5084-94-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/5084-99-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral2/memory/5084-101-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winprocess.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winprocess.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\javaruntime.exe = "C:\\Windows\\javaruntime.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe

Executes dropped EXE 3 IoCs

pid	Process
2788	javaruntime.exe
1812	javaruntime.exe
5084	javaruntime.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaruntime = "C:\\Windows\\javaruntime.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3644 set thread context of 2364	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	86
PID 3644 set thread context of 4344	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	90
PID 2788 set thread context of 4052	2788	javaruntime.exe	96
PID 2788 set thread context of 1812	2788	javaruntime.exe	97
PID 2788 set thread context of 5084	2788	javaruntime.exe	98

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3644-0-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral2/memory/4344-9-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4344-14-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3644-12-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral2/memory/4344-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3644-18-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral2/files/0x000b000000023c53-32.dat	upx
behavioral2/memory/2788-43-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral2/memory/2788-42-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral2/memory/2788-52-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral2/memory/4344-50-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/5084-60-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-63-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-62-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2788-65-0x0000000000400000-0x000000000052D000-memory.dmp	upx
behavioral2/memory/4344-71-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1812-75-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/5084-78-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-80-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-83-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-85-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-87-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-90-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-92-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-94-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-99-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/5084-101-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\javaruntime.exe	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe
File opened for modification	C:\Windows\javaruntime.exe	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2548	2364	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
5032	reg.exe
4640	reg.exe
2760	reg.exe
316	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe
4052	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 1	5084	javaruntime.exe
Token: SeCreateTokenPrivilege	5084	javaruntime.exe
Token: SeAssignPrimaryTokenPrivilege	5084	javaruntime.exe
Token: SeLockMemoryPrivilege	5084	javaruntime.exe
Token: SeIncreaseQuotaPrivilege	5084	javaruntime.exe
Token: SeMachineAccountPrivilege	5084	javaruntime.exe
Token: SeTcbPrivilege	5084	javaruntime.exe
Token: SeSecurityPrivilege	5084	javaruntime.exe
Token: SeTakeOwnershipPrivilege	5084	javaruntime.exe
Token: SeLoadDriverPrivilege	5084	javaruntime.exe
Token: SeSystemProfilePrivilege	5084	javaruntime.exe
Token: SeSystemtimePrivilege	5084	javaruntime.exe
Token: SeProfSingleProcessPrivilege	5084	javaruntime.exe
Token: SeIncBasePriorityPrivilege	5084	javaruntime.exe
Token: SeCreatePagefilePrivilege	5084	javaruntime.exe
Token: SeCreatePermanentPrivilege	5084	javaruntime.exe
Token: SeBackupPrivilege	5084	javaruntime.exe
Token: SeRestorePrivilege	5084	javaruntime.exe
Token: SeShutdownPrivilege	5084	javaruntime.exe
Token: SeDebugPrivilege	5084	javaruntime.exe
Token: SeAuditPrivilege	5084	javaruntime.exe
Token: SeSystemEnvironmentPrivilege	5084	javaruntime.exe
Token: SeChangeNotifyPrivilege	5084	javaruntime.exe
Token: SeRemoteShutdownPrivilege	5084	javaruntime.exe
Token: SeUndockPrivilege	5084	javaruntime.exe
Token: SeSyncAgentPrivilege	5084	javaruntime.exe
Token: SeEnableDelegationPrivilege	5084	javaruntime.exe
Token: SeManageVolumePrivilege	5084	javaruntime.exe
Token: SeImpersonatePrivilege	5084	javaruntime.exe
Token: SeCreateGlobalPrivilege	5084	javaruntime.exe
Token: 31	5084	javaruntime.exe
Token: 32	5084	javaruntime.exe
Token: 33	5084	javaruntime.exe
Token: 34	5084	javaruntime.exe
Token: 35	5084	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe
Token: SeDebugPrivilege	1812	javaruntime.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe
4344	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe
2788	javaruntime.exe
2788	javaruntime.exe
4052	svchost.exe
1812	javaruntime.exe
5084	javaruntime.exe
5084	javaruntime.exe
5084	javaruntime.exe
5084	javaruntime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 2364	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	86
PID 3644 wrote to memory of 2364	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	86
PID 3644 wrote to memory of 2364	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	86
PID 3644 wrote to memory of 2364	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	86
PID 3644 wrote to memory of 4344	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	90
PID 3644 wrote to memory of 4344	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	90
PID 3644 wrote to memory of 4344	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	90
PID 3644 wrote to memory of 4344	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	90
PID 3644 wrote to memory of 4344	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	90
PID 3644 wrote to memory of 4344	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	90
PID 3644 wrote to memory of 4344	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	90
PID 3644 wrote to memory of 4344	3644	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	90
PID 4344 wrote to memory of 5000	4344	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	91
PID 4344 wrote to memory of 5000	4344	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	91
PID 4344 wrote to memory of 5000	4344	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	91
PID 5000 wrote to memory of 1092	5000	cmd.exe	94
PID 5000 wrote to memory of 1092	5000	cmd.exe	94
PID 5000 wrote to memory of 1092	5000	cmd.exe	94
PID 4344 wrote to memory of 2788	4344	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	95
PID 4344 wrote to memory of 2788	4344	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	95
PID 4344 wrote to memory of 2788	4344	a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe	95
PID 2788 wrote to memory of 4052	2788	javaruntime.exe	96
PID 2788 wrote to memory of 4052	2788	javaruntime.exe	96
PID 2788 wrote to memory of 4052	2788	javaruntime.exe	96
PID 2788 wrote to memory of 4052	2788	javaruntime.exe	96
PID 2788 wrote to memory of 4052	2788	javaruntime.exe	96
PID 2788 wrote to memory of 4052	2788	javaruntime.exe	96
PID 2788 wrote to memory of 4052	2788	javaruntime.exe	96
PID 2788 wrote to memory of 4052	2788	javaruntime.exe	96
PID 2788 wrote to memory of 4052	2788	javaruntime.exe	96
PID 2788 wrote to memory of 1812	2788	javaruntime.exe	97
PID 2788 wrote to memory of 1812	2788	javaruntime.exe	97
PID 2788 wrote to memory of 1812	2788	javaruntime.exe	97
PID 2788 wrote to memory of 1812	2788	javaruntime.exe	97
PID 2788 wrote to memory of 1812	2788	javaruntime.exe	97
PID 2788 wrote to memory of 1812	2788	javaruntime.exe	97
PID 2788 wrote to memory of 1812	2788	javaruntime.exe	97
PID 2788 wrote to memory of 1812	2788	javaruntime.exe	97
PID 2788 wrote to memory of 5084	2788	javaruntime.exe	98
PID 2788 wrote to memory of 5084	2788	javaruntime.exe	98
PID 2788 wrote to memory of 5084	2788	javaruntime.exe	98
PID 2788 wrote to memory of 5084	2788	javaruntime.exe	98
PID 2788 wrote to memory of 5084	2788	javaruntime.exe	98
PID 2788 wrote to memory of 5084	2788	javaruntime.exe	98
PID 2788 wrote to memory of 5084	2788	javaruntime.exe	98
PID 2788 wrote to memory of 5084	2788	javaruntime.exe	98
PID 5084 wrote to memory of 1576	5084	javaruntime.exe	99
PID 5084 wrote to memory of 1576	5084	javaruntime.exe	99
PID 5084 wrote to memory of 1576	5084	javaruntime.exe	99
PID 5084 wrote to memory of 1852	5084	javaruntime.exe	100
PID 5084 wrote to memory of 1852	5084	javaruntime.exe	100
PID 5084 wrote to memory of 1852	5084	javaruntime.exe	100
PID 5084 wrote to memory of 1252	5084	javaruntime.exe	101
PID 5084 wrote to memory of 1252	5084	javaruntime.exe	101
PID 5084 wrote to memory of 1252	5084	javaruntime.exe	101
PID 5084 wrote to memory of 4324	5084	javaruntime.exe	102
PID 5084 wrote to memory of 4324	5084	javaruntime.exe	102
PID 5084 wrote to memory of 4324	5084	javaruntime.exe	102
PID 4324 wrote to memory of 5032	4324	cmd.exe	107
PID 4324 wrote to memory of 5032	4324	cmd.exe	107
PID 4324 wrote to memory of 5032	4324	cmd.exe	107
PID 1852 wrote to memory of 4640	1852	cmd.exe	108
PID 1852 wrote to memory of 4640	1852	cmd.exe	108
PID 1852 wrote to memory of 4640	1852	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe
"C:\Users\Admin\AppData\Local\Temp\a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 84
    3⤵
    - Program crash
    PID:2548
- C:\Users\Admin\AppData\Local\Temp\a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe
  "C:\Users\Admin\AppData\Local\Temp\a915a001996f2f151520c9690004332595b7497b7e9e9caf5adb41f36af2e232.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEBPY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaruntime" /t REG_SZ /d "C:\Windows\javaruntime.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1092
- - C:\Windows\javaruntime.exe
    "C:\Windows\javaruntime.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4052
  - - C:\Windows\javaruntime.exe
      "C:\Windows\javaruntime.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1812
  - - C:\Windows\javaruntime.exe
      "C:\Windows\javaruntime.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\javaruntime.exe" /t REG_SZ /d "C:\Windows\javaruntime.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\javaruntime.exe" /t REG_SZ /d "C:\Windows\javaruntime.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:316
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winprocess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winprocess.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4324
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winprocess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winprocess.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2364 -ip 2364
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QEBPY.txt

Filesize
124B

MD5
163f8e838efe1d166ffff7408b814e28

SHA1
52fa0ccba649587e7d24d21d182657078fa6d028

SHA256
dc60287c419225759aa9e1ea0423be4106337dad71aaa0cdc9d55d2b1af3edb7

SHA512
b6685390029555f7d812f0d1a9f138c619555712add3e79c1c90a1a5a0c544e4a86768a626d25c6af3cec09afc0bbaf7f398114e849831bdc5666fc443a1f68d

Download Submit
C:\Windows\javaruntime.exe

Filesize
405KB

MD5
fb059c242fc4b469d6045b9d508d3f08

SHA1
f71e5a01db345b769a3069c492e360787bd0f6ec

SHA256
c11494ddb2f66be3c9f67909f58b247c5aff0ba270ce5fbb4d75d4a9a6bb01f1

SHA512
a34475d69c09fb4a3d2d2f56bd35fa03b74605df8afbc9308cf5c2dfdcaaa264c2a885d69b55ab5546c63f420c40f79db9d5f39e415e6ea153452951e3526b59

Download Submit
memory/1812-75-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2788-52-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2788-65-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2788-43-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2788-42-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3644-0-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3644-8-0x0000000002D00000-0x0000000002D02000-memory.dmp

Filesize
8KB

Download
memory/3644-12-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3644-3-0x0000000002C20000-0x0000000002C22000-memory.dmp

Filesize
8KB

Download
memory/3644-7-0x0000000002CE0000-0x0000000002CE2000-memory.dmp

Filesize
8KB

Download
memory/3644-18-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3644-5-0x0000000002C70000-0x0000000002C72000-memory.dmp

Filesize
8KB

Download
memory/3644-4-0x0000000002C30000-0x0000000002C32000-memory.dmp

Filesize
8KB

Download
memory/4052-74-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4052-47-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4052-46-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4052-44-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4052-51-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4344-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4344-71-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4344-50-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4344-14-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4344-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5084-80-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-60-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-62-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-83-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-85-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-87-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-90-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-92-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-94-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5084-101-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download