blackshades | 01e3fb379387c569f03bb90fe3369ef98261a3fa9185edf9af73f26d72ba80bb

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe
Size

672KB
MD5

bcafc79e3bff707f85b81c371243e101
SHA1

e6458c00ce9c743cfa3ecd7aa65fd133da27d136
SHA256

01e3fb379387c569f03bb90fe3369ef98261a3fa9185edf9af73f26d72ba80bb
SHA512

108ce9bd8049931fa71c93524b7514233718cb7cfb728c1e9820a5070fdc761536af9645bce23b8ee4f3b05cd1774ed40c7180b3536b8593eb919935abd67f99
SSDEEP

12288:7I7TyVli2X4DeSMhjp2kRn3fNvmqPIj81P9gbJraFH/g5rxiQt7k:WTei2oaPhHZ5mqS81P9ghay5dn

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 16 IoCs

resource	yara_rule
behavioral1/memory/2664-55-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-63-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-64-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-65-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-67-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-68-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-69-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-71-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-72-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-73-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-75-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-76-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-77-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-79-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-80-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades
behavioral1/memory/2664-81-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\I56XO8J9R6.exe = "C:\\Users\\Admin\\AppData\\Roaming\\I56XO8J9R6.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[INJECT-INTO].exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2748	B0ey5D.exe
2640	nHnJSyhR.exe
2664	[INJECT-INTO].exe

Loads dropped DLL 5 IoCs

pid	Process
3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe
3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe
3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe
3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe
3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CSRSS.exe"	B0ey5D.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 2664	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	38

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2664-48-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-55-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-63-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-54-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-51-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-46-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-64-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-65-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-67-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-68-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-69-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-71-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-72-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-73-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-75-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-76-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-77-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-79-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-80-0x0000000000400000-0x00000000005AC000-memory.dmp	upx
behavioral1/memory/2664-81-0x0000000000400000-0x00000000005AC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B0ey5D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[INJECT-INTO].exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nHnJSyhR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
296	reg.exe
304	reg.exe
1868	reg.exe
1124	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe
2640	nHnJSyhR.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe
Token: 1	2664	[INJECT-INTO].exe
Token: SeCreateTokenPrivilege	2664	[INJECT-INTO].exe
Token: SeAssignPrimaryTokenPrivilege	2664	[INJECT-INTO].exe
Token: SeLockMemoryPrivilege	2664	[INJECT-INTO].exe
Token: SeIncreaseQuotaPrivilege	2664	[INJECT-INTO].exe
Token: SeMachineAccountPrivilege	2664	[INJECT-INTO].exe
Token: SeTcbPrivilege	2664	[INJECT-INTO].exe
Token: SeSecurityPrivilege	2664	[INJECT-INTO].exe
Token: SeTakeOwnershipPrivilege	2664	[INJECT-INTO].exe
Token: SeLoadDriverPrivilege	2664	[INJECT-INTO].exe
Token: SeSystemProfilePrivilege	2664	[INJECT-INTO].exe
Token: SeSystemtimePrivilege	2664	[INJECT-INTO].exe
Token: SeProfSingleProcessPrivilege	2664	[INJECT-INTO].exe
Token: SeIncBasePriorityPrivilege	2664	[INJECT-INTO].exe
Token: SeCreatePagefilePrivilege	2664	[INJECT-INTO].exe
Token: SeCreatePermanentPrivilege	2664	[INJECT-INTO].exe
Token: SeBackupPrivilege	2664	[INJECT-INTO].exe
Token: SeRestorePrivilege	2664	[INJECT-INTO].exe
Token: SeShutdownPrivilege	2664	[INJECT-INTO].exe
Token: SeDebugPrivilege	2664	[INJECT-INTO].exe
Token: SeAuditPrivilege	2664	[INJECT-INTO].exe
Token: SeSystemEnvironmentPrivilege	2664	[INJECT-INTO].exe
Token: SeChangeNotifyPrivilege	2664	[INJECT-INTO].exe
Token: SeRemoteShutdownPrivilege	2664	[INJECT-INTO].exe
Token: SeUndockPrivilege	2664	[INJECT-INTO].exe
Token: SeSyncAgentPrivilege	2664	[INJECT-INTO].exe
Token: SeEnableDelegationPrivilege	2664	[INJECT-INTO].exe
Token: SeManageVolumePrivilege	2664	[INJECT-INTO].exe
Token: SeImpersonatePrivilege	2664	[INJECT-INTO].exe
Token: SeCreateGlobalPrivilege	2664	[INJECT-INTO].exe
Token: 31	2664	[INJECT-INTO].exe
Token: 32	2664	[INJECT-INTO].exe
Token: 33	2664	[INJECT-INTO].exe
Token: 34	2664	[INJECT-INTO].exe
Token: 35	2664	[INJECT-INTO].exe
Token: SeDebugPrivilege	2640	nHnJSyhR.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2664	[INJECT-INTO].exe
2664	[INJECT-INTO].exe
2664	[INJECT-INTO].exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2368	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	30
PID 3032 wrote to memory of 2368	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	30
PID 3032 wrote to memory of 2368	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	30
PID 3032 wrote to memory of 2368	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	30
PID 2368 wrote to memory of 2108	2368	csc.exe	32
PID 2368 wrote to memory of 2108	2368	csc.exe	32
PID 2368 wrote to memory of 2108	2368	csc.exe	32
PID 2368 wrote to memory of 2108	2368	csc.exe	32
PID 3032 wrote to memory of 2748	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	33
PID 3032 wrote to memory of 2748	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	33
PID 3032 wrote to memory of 2748	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	33
PID 3032 wrote to memory of 2748	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	33
PID 3032 wrote to memory of 2908	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	34
PID 3032 wrote to memory of 2908	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	34
PID 3032 wrote to memory of 2908	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	34
PID 3032 wrote to memory of 2908	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	34
PID 2908 wrote to memory of 2880	2908	csc.exe	36
PID 2908 wrote to memory of 2880	2908	csc.exe	36
PID 2908 wrote to memory of 2880	2908	csc.exe	36
PID 2908 wrote to memory of 2880	2908	csc.exe	36
PID 3032 wrote to memory of 2640	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	37
PID 3032 wrote to memory of 2640	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	37
PID 3032 wrote to memory of 2640	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	37
PID 3032 wrote to memory of 2640	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	37
PID 3032 wrote to memory of 2664	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	38
PID 3032 wrote to memory of 2664	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	38
PID 3032 wrote to memory of 2664	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	38
PID 3032 wrote to memory of 2664	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	38
PID 3032 wrote to memory of 2664	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	38
PID 3032 wrote to memory of 2664	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	38
PID 3032 wrote to memory of 2664	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	38
PID 3032 wrote to memory of 2664	3032	JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe	38
PID 2664 wrote to memory of 3052	2664	[INJECT-INTO].exe	39
PID 2664 wrote to memory of 3052	2664	[INJECT-INTO].exe	39
PID 2664 wrote to memory of 3052	2664	[INJECT-INTO].exe	39
PID 2664 wrote to memory of 3052	2664	[INJECT-INTO].exe	39
PID 2664 wrote to memory of 2472	2664	[INJECT-INTO].exe	40
PID 2664 wrote to memory of 2472	2664	[INJECT-INTO].exe	40
PID 2664 wrote to memory of 2472	2664	[INJECT-INTO].exe	40
PID 2664 wrote to memory of 2472	2664	[INJECT-INTO].exe	40
PID 2664 wrote to memory of 2660	2664	[INJECT-INTO].exe	42
PID 2664 wrote to memory of 2660	2664	[INJECT-INTO].exe	42
PID 2664 wrote to memory of 2660	2664	[INJECT-INTO].exe	42
PID 2664 wrote to memory of 2660	2664	[INJECT-INTO].exe	42
PID 2664 wrote to memory of 760	2664	[INJECT-INTO].exe	43
PID 2664 wrote to memory of 760	2664	[INJECT-INTO].exe	43
PID 2664 wrote to memory of 760	2664	[INJECT-INTO].exe	43
PID 2664 wrote to memory of 760	2664	[INJECT-INTO].exe	43
PID 3052 wrote to memory of 296	3052	cmd.exe	48
PID 3052 wrote to memory of 296	3052	cmd.exe	48
PID 3052 wrote to memory of 296	3052	cmd.exe	48
PID 3052 wrote to memory of 296	3052	cmd.exe	48
PID 760 wrote to memory of 304	760	cmd.exe	47
PID 760 wrote to memory of 304	760	cmd.exe	47
PID 760 wrote to memory of 304	760	cmd.exe	47
PID 760 wrote to memory of 304	760	cmd.exe	47
PID 2472 wrote to memory of 1868	2472	cmd.exe	49
PID 2472 wrote to memory of 1868	2472	cmd.exe	49
PID 2472 wrote to memory of 1868	2472	cmd.exe	49
PID 2472 wrote to memory of 1868	2472	cmd.exe	49
PID 2660 wrote to memory of 1124	2660	cmd.exe	50
PID 2660 wrote to memory of 1124	2660	cmd.exe	50
PID 2660 wrote to memory of 1124	2660	cmd.exe	50
PID 2660 wrote to memory of 1124	2660	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcafc79e3bff707f85b81c371243e101.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gdgfn4v2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3FE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA3FD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
- C:\Users\Admin\AppData\Local\Temp\B0ey5D.exe
  "C:\Users\Admin\AppData\Local\Temp\B0ey5D.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\knu05efh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA5D1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- C:\Users\Admin\AppData\Local\Temp\nHnJSyhR.exe
  "C:\Users\Admin\AppData\Local\Temp\nHnJSyhR.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe
  C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\I56XO8J9R6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\I56XO8J9R6.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\I56XO8J9R6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\I56XO8J9R6.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B0ey5D.exe

Filesize
4KB

MD5
d1aa491ee5ca56dffca06911f95c6b70

SHA1
13253a1b804dfe4b0923674ff640f27048c5079e

SHA256
08ed34901c5d584b41f78087277a3f613b7fe1124af01f7543eaf5109ac24d39

SHA512
9452af41f668c97093055ac534dcca08bafc2c27deb3e86477235ed8a5b27110eb86d91e6dd567df37e5f68cd30339c9cddbccf9356d07d84733047f931ccaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3FE.tmp

Filesize
1KB

MD5
da9ab87337f4cd319d91580d807124ba

SHA1
53c93bdfe0d0e05d421baaa8d9e9f4ffa469164c

SHA256
f8559019790dffe7cc89bb3886e0ba349a9ee26390897f3f454210bb35cef0f6

SHA512
e829d8b9067226229419dbfd38d9be20b65928952e76fd7771bf79ffec683ccb1e3281755a8ef09487e3afc64d1a715159337b4c3b40e3b733da0c9f22867168

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA5D2.tmp

Filesize
1KB

MD5
a18237561ed208ea46febc30f7e4e9f6

SHA1
f630bb74205ea0885359c5f0f9094c9c7f91c38b

SHA256
083389d1cac86b0166b49ec4c255104c35ad3de784d686b6f354f98c33853b71

SHA512
acb3aeadd5f9f27b2c187b847809fe92eb4716e4429cf552eb41c95665bf4608eaf76f5b0c4d86a0cc45b0a49709a00fb138d957939626f60e62c31d00827a5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA3FD.tmp

Filesize
644B

MD5
6a839250f168a7421004a2b77ee5c3d2

SHA1
81ba3f3b5bc6864b95d187f2751307fc1e7842ec

SHA256
9cf0ca48aedb822be6530fdc7f6c2c9ac78c16605c72e3e6937c7d9f23eb4be5

SHA512
228d3a34513060b9e81e3211ba74b7685446d6a4c315ce28bac94ce22eb89533c2f48e9277e8637401874c8ad9e0a0ecc3a0d2495764cf3b03a928372768914c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA5D1.tmp

Filesize
652B

MD5
a17e574b28c6118845076a1a664f22c5

SHA1
79878857662edfb249b8692f7f71442dbfdaac61

SHA256
f67c8d779fa2faceeb935efd4ef3dea187e86d009e5623c35ea5b8d7a2426d12

SHA512
e00865e4686c4cfd7065007ad6ff593e4de9518079f68a6ef9d5496a9673fdd46d5afc509d5016b7e67dc3a0296253277085e00e3cfc525278108bf57f0de86c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gdgfn4v2.0.cs

Filesize
1KB

MD5
0d8bfefc47cbaa18cb21568fb4c67dda

SHA1
2d579fc297c776c0a93b206b68a2a404cfc70864

SHA256
24eba0abffc6f8f47f713c1fd77a0a0e88fcd9443e9afd87efb4a4d685300d7c

SHA512
33469a80cdb9d8607fc87ed96f8db61a42a836f80193994ceea8f751748f54979e35112b51065330597c44121a673430886beb9ae2e45389cd664944ec2415fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gdgfn4v2.cmdline

Filesize
259B

MD5
7dab8bc3f1cea4af096297cfe1635fce

SHA1
133434bf14e57ec531647bd1914d7271fa236a41

SHA256
01bb398a37869031a25b31da20ca714e352d2ab21aa671a8e37468913c08e811

SHA512
6484f5790bc5e693c99baf8ee443111f5c74c043010c3291d50ef88519cb03bf76536cdc588e5998793b48b90796ef49e09640c40f4fd6007e010edc11f94815

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\knu05efh.0.cs

Filesize
4KB

MD5
34791a83c8db5f32bb651460d2dd491c

SHA1
031985062e04245d69d9b2bdbdb923e05b766b86

SHA256
a663c8f9dd71901e3d986fa326c0d60696376745744bc9c98ed843b867b4e563

SHA512
9d8fda7e09b62058dbf0928ebddecc06e883d045d66fd2bad9866bf86ad871836d1e48890d48c0729f025abc9d12c65b26632f9b600331654bf629f0851809d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\knu05efh.cmdline

Filesize
321B

MD5
06e6da4a55d56fe136db583e6af2c191

SHA1
dab03faa7f6e358a4a6ca8879b1fb4d70d6a4817

SHA256
d08a11b42dbd6f74d86d1f138ecb80362ad636b8e1b92e45b1130ff975b46260

SHA512
69ab08fddd0156f0955e94f0f80f2d87caf92f3324f5a86c345d601db6686ccd5778e579a48a79aed9929a6ae13e1b281c63e10338b3d3ad93197b24847a6859

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\resource.resources

Filesize
15KB

MD5
196a66c70d6f8e93bae469e38702a548

SHA1
9c05f66c6eaee5fc0469fd13e38095d43af3ce06

SHA256
f95dae2b0cf123fc4a5f9ae2cdc7bf8ba2702e4570002153f09fa2e6494d9633

SHA512
2c7301a9657557a7767d1a2ba821a2c9a876c6d9d162b6d76af2769b7cb30cfc5bb38b20eb6550b5a9783a73f31e53e8af2bef6bb4576591c7b6b34412f7028c

Download Submit
\Users\Admin\AppData\Local\Temp\[INJECT-INTO].exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\AppData\Local\Temp\nHnJSyhR.exe

Filesize
20KB

MD5
eea6e32902e5c7ac79a2a4abca05e4b2

SHA1
5d3a8cb1e0f2f98d57a6cf3e5c1c0c83dea78dd5

SHA256
f49281b64585ba5cd883a1f0dd2bbb18650887c81fdb7c3c5b0af81566aa10b4

SHA512
b700415fb0592730c9eee7fc5bc7e76b1c2ab456cb6ed2b230d5ae66194ff2d1acc060f81a2920fa6a1c8d1db2325424402afd81a87bb14714627c57bc970ccc

Download Submit
memory/2368-8-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2368-15-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-68-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-64-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-81-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-48-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-55-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-63-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-80-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-54-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-79-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-51-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-46-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-44-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-77-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-65-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-67-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-76-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-69-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-71-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-72-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-73-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2664-75-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/3032-0-0x0000000074771000-0x0000000074772000-memory.dmp

Filesize
4KB

Download
memory/3032-2-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-53-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/3032-57-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-1-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download