blackshades | c869dd2b514484854bf9882cd94e42e3d2eeaba2a1e4e2dcf12bc57646fe6332

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-02-2025 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
Size

1.5MB
MD5

c68fbd3796547448fe7c3694651df968
SHA1

e3708aed0a21bea3c69478c020b9082f092f8cdb
SHA256

c869dd2b514484854bf9882cd94e42e3d2eeaba2a1e4e2dcf12bc57646fe6332
SHA512

ab6934092886850878b0e82384b00c7fb80c72a799c9859ebcdea51257b3f6e0a98b2183c9b1551dbaf7fac31f66ebde491a41803320905812444b22b079c7cd
SSDEEP

24576:8L63Ig+BDyG0PRRMHlzoJE6JYYO7m9KN2ZpscdF5F6JOdYue:80PsFzp6iRm9tZCcdF5+OdYue

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 18 IoCs

resource	yara_rule
behavioral1/memory/1216-21-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-24-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/3036-43-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-44-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/3036-52-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-70-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-71-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-75-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-76-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-77-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-80-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-81-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-83-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-84-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-85-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-86-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-88-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral1/memory/1216-89-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\RES.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RES.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\52DQ0TVU6G.exe = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	RES.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe"	RES.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7022BFD4-AEB8-A2C8-34CF-7EECEBD8AF11}	RES.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7022BFD4-AEB8-A2C8-34CF-7EECEBD8AF11}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe"	RES.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{7022BFD4-AEB8-A2C8-34CF-7EECEBD8AF11}	RES.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components\{7022BFD4-AEB8-A2C8-34CF-7EECEBD8AF11}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe"	RES.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	835879.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	835879.exe

Executes dropped EXE 3 IoCs

pid	Process
1216	RES.exe
3036	Copy of 52DQ0TVU6G.exe
1056	835879.exe

Loads dropped DLL 6 IoCs

pid	Process
1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe"	RES.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe"	RES.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 1216	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	29

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1216-13-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-17-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-12-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-21-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-24-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-23-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/files/0x00070000000186ca-29.dat	upx
behavioral1/memory/3036-43-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-44-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/3036-52-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-70-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-71-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-75-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-76-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-77-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-80-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-81-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-83-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-84-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-85-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-86-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-88-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/1216-89-0x0000000000400000-0x000000000047C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	835879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Copy of 52DQ0TVU6G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2684	reg.exe
784	reg.exe
568	reg.exe
380	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	1216	RES.exe
Token: SeCreateTokenPrivilege	1216	RES.exe
Token: SeAssignPrimaryTokenPrivilege	1216	RES.exe
Token: SeLockMemoryPrivilege	1216	RES.exe
Token: SeIncreaseQuotaPrivilege	1216	RES.exe
Token: SeMachineAccountPrivilege	1216	RES.exe
Token: SeTcbPrivilege	1216	RES.exe
Token: SeSecurityPrivilege	1216	RES.exe
Token: SeTakeOwnershipPrivilege	1216	RES.exe
Token: SeLoadDriverPrivilege	1216	RES.exe
Token: SeSystemProfilePrivilege	1216	RES.exe
Token: SeSystemtimePrivilege	1216	RES.exe
Token: SeProfSingleProcessPrivilege	1216	RES.exe
Token: SeIncBasePriorityPrivilege	1216	RES.exe
Token: SeCreatePagefilePrivilege	1216	RES.exe
Token: SeCreatePermanentPrivilege	1216	RES.exe
Token: SeBackupPrivilege	1216	RES.exe
Token: SeRestorePrivilege	1216	RES.exe
Token: SeShutdownPrivilege	1216	RES.exe
Token: SeDebugPrivilege	1216	RES.exe
Token: SeAuditPrivilege	1216	RES.exe
Token: SeSystemEnvironmentPrivilege	1216	RES.exe
Token: SeChangeNotifyPrivilege	1216	RES.exe
Token: SeRemoteShutdownPrivilege	1216	RES.exe
Token: SeUndockPrivilege	1216	RES.exe
Token: SeSyncAgentPrivilege	1216	RES.exe
Token: SeEnableDelegationPrivilege	1216	RES.exe
Token: SeManageVolumePrivilege	1216	RES.exe
Token: SeImpersonatePrivilege	1216	RES.exe
Token: SeCreateGlobalPrivilege	1216	RES.exe
Token: 31	1216	RES.exe
Token: 32	1216	RES.exe
Token: 33	1216	RES.exe
Token: 34	1216	RES.exe
Token: 35	1216	RES.exe
Token: SeDebugPrivilege	1216	RES.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1216	RES.exe
1216	RES.exe
3036	Copy of 52DQ0TVU6G.exe
3036	Copy of 52DQ0TVU6G.exe
1216	RES.exe
1216	RES.exe
1216	RES.exe
1216	RES.exe
1216	RES.exe
1216	RES.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1216	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	29
PID 1756 wrote to memory of 1216	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	29
PID 1756 wrote to memory of 1216	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	29
PID 1756 wrote to memory of 1216	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	29
PID 1756 wrote to memory of 1216	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	29
PID 1756 wrote to memory of 1216	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	29
PID 1756 wrote to memory of 1216	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	29
PID 1756 wrote to memory of 1216	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	29
PID 1756 wrote to memory of 3036	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	30
PID 1756 wrote to memory of 3036	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	30
PID 1756 wrote to memory of 3036	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	30
PID 1756 wrote to memory of 3036	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	30
PID 1216 wrote to memory of 2756	1216	RES.exe	31
PID 1216 wrote to memory of 2756	1216	RES.exe	31
PID 1216 wrote to memory of 2756	1216	RES.exe	31
PID 1216 wrote to memory of 2756	1216	RES.exe	31
PID 1216 wrote to memory of 2928	1216	RES.exe	32
PID 1216 wrote to memory of 2928	1216	RES.exe	32
PID 1216 wrote to memory of 2928	1216	RES.exe	32
PID 1216 wrote to memory of 2928	1216	RES.exe	32
PID 1756 wrote to memory of 2668	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	34
PID 1756 wrote to memory of 2668	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	34
PID 1756 wrote to memory of 2668	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	34
PID 1756 wrote to memory of 2668	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	34
PID 1216 wrote to memory of 2828	1216	RES.exe	33
PID 1216 wrote to memory of 2828	1216	RES.exe	33
PID 1216 wrote to memory of 2828	1216	RES.exe	33
PID 1216 wrote to memory of 2828	1216	RES.exe	33
PID 1216 wrote to memory of 2688	1216	RES.exe	38
PID 1216 wrote to memory of 2688	1216	RES.exe	38
PID 1216 wrote to memory of 2688	1216	RES.exe	38
PID 1216 wrote to memory of 2688	1216	RES.exe	38
PID 2756 wrote to memory of 2684	2756	cmd.exe	42
PID 2756 wrote to memory of 2684	2756	cmd.exe	42
PID 2756 wrote to memory of 2684	2756	cmd.exe	42
PID 2756 wrote to memory of 2684	2756	cmd.exe	42
PID 2688 wrote to memory of 784	2688	cmd.exe	41
PID 2688 wrote to memory of 784	2688	cmd.exe	41
PID 2688 wrote to memory of 784	2688	cmd.exe	41
PID 2688 wrote to memory of 784	2688	cmd.exe	41
PID 2928 wrote to memory of 568	2928	cmd.exe	43
PID 2928 wrote to memory of 568	2928	cmd.exe	43
PID 2928 wrote to memory of 568	2928	cmd.exe	43
PID 2928 wrote to memory of 568	2928	cmd.exe	43
PID 2828 wrote to memory of 380	2828	cmd.exe	44
PID 2828 wrote to memory of 380	2828	cmd.exe	44
PID 2828 wrote to memory of 380	2828	cmd.exe	44
PID 2828 wrote to memory of 380	2828	cmd.exe	44
PID 2668 wrote to memory of 1956	2668	vbc.exe	45
PID 2668 wrote to memory of 1956	2668	vbc.exe	45
PID 2668 wrote to memory of 1956	2668	vbc.exe	45
PID 2668 wrote to memory of 1956	2668	vbc.exe	45
PID 1756 wrote to memory of 1056	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	46
PID 1756 wrote to memory of 1056	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	46
PID 1756 wrote to memory of 1056	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	46
PID 1756 wrote to memory of 1056	1756	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	46

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Roaming\RES.exe
  C:\Users\Admin\AppData\Roaming\RES.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RES.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RES.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RES.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RES.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\52DQ0TVU6G.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\52DQ0TVU6G.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\52DQ0TVU6G.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\52DQ0TVU6G.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:784
- C:\Users\Admin\AppData\Roaming\Copy of 52DQ0TVU6G.exe
  "C:\Users\Admin\AppData\Roaming\Copy of 52DQ0TVU6G.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mcdtliqr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDD8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
- C:\Users\Admin\AppData\Roaming\835879.exe
  "C:\Users\Admin\AppData\Roaming\835879.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEDD9.tmp

Filesize
1KB

MD5
f5bc7bbcaf3b4f4f5a8bb9377a6477b0

SHA1
862e61ce451dcaa306220e19ab43ab15b2a473ba

SHA256
ca911a513a60358d9a3d3ca7a967ee8a49bf966e0957045ed222f454f2cf6f98

SHA512
53a2c2c813aff4c9ceebc41abf264150747f3c81d06f7200648351d3d327d5e73a84e308411b37061de9f70eb8f202771a770ad1a6003cd3ad18a4af2ee5dd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcdtliqr.0.vb

Filesize
1KB

MD5
a26acb7b136e66ffb38ab8dfa2d4732c

SHA1
213f3618d11ea83a04f7e6db1339ed65091e09d4

SHA256
ad451add8947de490a36aa5a046cf35b4cf1fdefe5bf4b8b78f81e4d77ba89fa

SHA512
aa7366c26e471f18d6eff84a9c62d1f238507b70066e80fd6d4f68a4110f2a740fe015e63963cc325d70955aee9b6bc2f04485262a01c1f3fe76c7e72e6cc514

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcdtliqr.cmdline

Filesize
234B

MD5
32ebfe5779b7aec2c53597fb5da82eb9

SHA1
5769b55f8d7c6a13ed7a92300a464d60a55461ae

SHA256
ecbd9d9ebd9fad7c1e6f5f4f015e7ad524e338f9f3302578fc13e3030fcd483b

SHA512
2a07eba8cc8285d8f79b27d152fd2a396c4e05f6f010ce4237f370888d8e578bd48f507310daf9d5b444b4366e43b340183cf02c20da8dd1e4e23e9f3b5eb4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEDD8.tmp

Filesize
880B

MD5
52ad47a28f2438a37ac70a563605ac17

SHA1
379cfb9e76ab1765ec25f64b2a63b280bf841927

SHA256
a17f1133558cb9f0f1316c7d24e72b8a130ebf59fea8b16ec2b75fd77ee9470d

SHA512
1b4c6a8cd810e8e2800b1d68d4f420bae7bedae4df1e081292358c2ad22de9402ffa9a9c121b031b232043c7c4d40242ed7abdae252ab42352e934de7faef643

Download Submit
C:\Users\Admin\AppData\Roaming\RES.exe

Filesize
1KB

MD5
f54b30f21b7b118bfeda2b1ed3482f84

SHA1
bde084ea60646dadabfed4eafe5bafceb4c11b99

SHA256
62bf121e7c7d3a221718d90de673ab23b9759765bb4aaed747883c7c7d08c2c5

SHA512
8431f8c37b0fbc1077eb0aef78ad2e10c11bb10e16ddbde833f568cbd69551e23c85aadcce4ddc71994a9fede59eca52bc99d595131c2264e4e9917abe87e44d

Download Submit
\Users\Admin\AppData\Roaming\835879.exe

Filesize
7KB

MD5
b077f823b485dd8d066f68cccb5dab1e

SHA1
1223a46d3eb2d3b32ad6811008548cc6e50509f7

SHA256
4c7c0f8f10b66d4e88700afbe95a3665031e6224253035ee16cbb445f4016d2a

SHA512
ba16decd0a82c4bb144b08236f18a4e3d67fe381fdc2168f2aafdebe5e29f21cdb75162c344831e0a62254959a1d1a2dddd04a7b57af5c916ce8fc7e8ebcff2e

Download Submit
\Users\Admin\AppData\Roaming\Copy of 52DQ0TVU6G.exe

Filesize
178KB

MD5
56d0bcceb3cf007422e1b3c5d29649a1

SHA1
7be6e074527f5b6d31869e9ac96855ba37260df7

SHA256
9bda696ae0d62c10debc268eb1ce0ddebd98f4c0a57a31834e9ce3c1b294915b

SHA512
9c75acfa9cfab1a8460876f3662a5d827f54e3a9775890fabc1ff6d8deab8b6e647b56684bfc3b918568716a40ee00c5afc37e5c0d3195484dc34a5700263ad2

Download Submit
memory/1216-21-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-17-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-89-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-24-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-23-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-12-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-88-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-86-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-10-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-44-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-85-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-77-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-13-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1216-84-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-83-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-81-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-80-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-70-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-71-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-75-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1216-76-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-42-0x0000000004DB0000-0x0000000004E2C000-memory.dmp

Filesize
496KB

Download
memory/1756-69-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-1-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-63-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-2-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-37-0x0000000004DB0000-0x0000000004E2C000-memory.dmp

Filesize
496KB

Download
memory/1756-0-0x0000000074DD1000-0x0000000074DD2000-memory.dmp

Filesize
4KB

Download
memory/3036-52-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3036-43-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads