blackshades | c869dd2b514484854bf9882cd94e42e3d2eeaba2a1e4e2dcf12bc57646fe6332

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2025 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
Size

1.5MB
MD5

c68fbd3796547448fe7c3694651df968
SHA1

e3708aed0a21bea3c69478c020b9082f092f8cdb
SHA256

c869dd2b514484854bf9882cd94e42e3d2eeaba2a1e4e2dcf12bc57646fe6332
SHA512

ab6934092886850878b0e82384b00c7fb80c72a799c9859ebcdea51257b3f6e0a98b2183c9b1551dbaf7fac31f66ebde491a41803320905812444b22b079c7cd
SSDEEP

24576:8L63Ig+BDyG0PRRMHlzoJE6JYYO7m9KN2ZpscdF5F6JOdYue:80PsFzp6iRm9tZCcdF5+OdYue

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 18 IoCs

resource	yara_rule
behavioral2/memory/1756-13-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-21-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-22-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/3864-38-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-52-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-59-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-67-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-70-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-73-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-77-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-81-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-84-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-88-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-91-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-94-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-98-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-101-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades
behavioral2/memory/1756-104-0x0000000000400000-0x000000000047C000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\52DQ0TVU6G.exe = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\RES.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RES.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	RES.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe"	RES.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7022BFD4-AEB8-A2C8-34CF-7EECEBD8AF11}	RES.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7022BFD4-AEB8-A2C8-34CF-7EECEBD8AF11}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe"	RES.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{7022BFD4-AEB8-A2C8-34CF-7EECEBD8AF11}	RES.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{7022BFD4-AEB8-A2C8-34CF-7EECEBD8AF11}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe"	RES.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
39	4272	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	556301.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	556301.exe

Executes dropped EXE 3 IoCs

pid	Process
1756	RES.exe
3864	Copy of 52DQ0TVU6G.exe
5100	556301.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe"	RES.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\52DQ0TVU6G.exe"	RES.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 1756	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	89

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1756-7-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-12-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-13-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-21-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-22-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/files/0x0007000000023def-26.dat	upx
behavioral2/memory/3864-30-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/3864-38-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-52-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-59-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-67-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-70-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-73-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-77-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-81-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-84-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-88-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-91-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-94-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-98-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-101-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral2/memory/1756-104-0x0000000000400000-0x000000000047C000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
File created	C:\Windows\assembly\Desktop.ini	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	556301.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Copy of 52DQ0TVU6G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
392	MicrosoftEdgeUpdate.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2736	reg.exe
544	reg.exe
3996	reg.exe
3960	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	1756	RES.exe
Token: SeCreateTokenPrivilege	1756	RES.exe
Token: SeAssignPrimaryTokenPrivilege	1756	RES.exe
Token: SeLockMemoryPrivilege	1756	RES.exe
Token: SeIncreaseQuotaPrivilege	1756	RES.exe
Token: SeMachineAccountPrivilege	1756	RES.exe
Token: SeTcbPrivilege	1756	RES.exe
Token: SeSecurityPrivilege	1756	RES.exe
Token: SeTakeOwnershipPrivilege	1756	RES.exe
Token: SeLoadDriverPrivilege	1756	RES.exe
Token: SeSystemProfilePrivilege	1756	RES.exe
Token: SeSystemtimePrivilege	1756	RES.exe
Token: SeProfSingleProcessPrivilege	1756	RES.exe
Token: SeIncBasePriorityPrivilege	1756	RES.exe
Token: SeCreatePagefilePrivilege	1756	RES.exe
Token: SeCreatePermanentPrivilege	1756	RES.exe
Token: SeBackupPrivilege	1756	RES.exe
Token: SeRestorePrivilege	1756	RES.exe
Token: SeShutdownPrivilege	1756	RES.exe
Token: SeDebugPrivilege	1756	RES.exe
Token: SeAuditPrivilege	1756	RES.exe
Token: SeSystemEnvironmentPrivilege	1756	RES.exe
Token: SeChangeNotifyPrivilege	1756	RES.exe
Token: SeRemoteShutdownPrivilege	1756	RES.exe
Token: SeUndockPrivilege	1756	RES.exe
Token: SeSyncAgentPrivilege	1756	RES.exe
Token: SeEnableDelegationPrivilege	1756	RES.exe
Token: SeManageVolumePrivilege	1756	RES.exe
Token: SeImpersonatePrivilege	1756	RES.exe
Token: SeCreateGlobalPrivilege	1756	RES.exe
Token: 31	1756	RES.exe
Token: 32	1756	RES.exe
Token: 33	1756	RES.exe
Token: 34	1756	RES.exe
Token: 35	1756	RES.exe
Token: SeDebugPrivilege	1756	RES.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1756	RES.exe
1756	RES.exe
1756	RES.exe
1756	RES.exe
3864	Copy of 52DQ0TVU6G.exe
3864	Copy of 52DQ0TVU6G.exe
1756	RES.exe
1756	RES.exe
1756	RES.exe
1756	RES.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1756	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	89
PID 2324 wrote to memory of 1756	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	89
PID 2324 wrote to memory of 1756	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	89
PID 2324 wrote to memory of 1756	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	89
PID 2324 wrote to memory of 1756	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	89
PID 2324 wrote to memory of 1756	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	89
PID 2324 wrote to memory of 1756	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	89
PID 2324 wrote to memory of 1756	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	89
PID 1756 wrote to memory of 4124	1756	RES.exe	91
PID 1756 wrote to memory of 4124	1756	RES.exe	91
PID 1756 wrote to memory of 4124	1756	RES.exe	91
PID 1756 wrote to memory of 3124	1756	RES.exe	92
PID 1756 wrote to memory of 3124	1756	RES.exe	92
PID 1756 wrote to memory of 3124	1756	RES.exe	92
PID 1756 wrote to memory of 4608	1756	RES.exe	94
PID 1756 wrote to memory of 4608	1756	RES.exe	94
PID 1756 wrote to memory of 4608	1756	RES.exe	94
PID 1756 wrote to memory of 2160	1756	RES.exe	95
PID 1756 wrote to memory of 2160	1756	RES.exe	95
PID 1756 wrote to memory of 2160	1756	RES.exe	95
PID 4124 wrote to memory of 2736	4124	cmd.exe	99
PID 4124 wrote to memory of 2736	4124	cmd.exe	99
PID 4124 wrote to memory of 2736	4124	cmd.exe	99
PID 2160 wrote to memory of 544	2160	cmd.exe	100
PID 2160 wrote to memory of 544	2160	cmd.exe	100
PID 2160 wrote to memory of 544	2160	cmd.exe	100
PID 3124 wrote to memory of 3960	3124	cmd.exe	101
PID 3124 wrote to memory of 3960	3124	cmd.exe	101
PID 3124 wrote to memory of 3960	3124	cmd.exe	101
PID 4608 wrote to memory of 3996	4608	cmd.exe	102
PID 4608 wrote to memory of 3996	4608	cmd.exe	102
PID 4608 wrote to memory of 3996	4608	cmd.exe	102
PID 2324 wrote to memory of 3864	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	103
PID 2324 wrote to memory of 3864	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	103
PID 2324 wrote to memory of 3864	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	103
PID 2324 wrote to memory of 1740	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	104
PID 2324 wrote to memory of 1740	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	104
PID 2324 wrote to memory of 1740	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	104
PID 1740 wrote to memory of 2640	1740	vbc.exe	107
PID 1740 wrote to memory of 2640	1740	vbc.exe	107
PID 1740 wrote to memory of 2640	1740	vbc.exe	107
PID 2324 wrote to memory of 5100	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	108
PID 2324 wrote to memory of 5100	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	108
PID 2324 wrote to memory of 5100	2324	JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe	108

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c68fbd3796547448fe7c3694651df968.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Roaming\RES.exe
  C:\Users\Admin\AppData\Roaming\RES.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RES.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RES.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RES.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RES.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\52DQ0TVU6G.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\52DQ0TVU6G.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\52DQ0TVU6G.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\52DQ0TVU6G.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:544
- C:\Users\Admin\AppData\Roaming\Copy of 52DQ0TVU6G.exe
  "C:\Users\Admin\AppData\Roaming\Copy of 52DQ0TVU6G.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3864
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xvlplghr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C9A53CA2AEA45F5BC7AA11123DE4D14.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- C:\Users\Admin\AppData\Roaming\556301.exe
  "C:\Users\Admin\AppData\Roaming\556301.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5100

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUE5MDA2NzQtRTc3MS00NTJFLUFDMTQtNkY2NEVEMEVEMkE3fSIgdXNlcmlkPSJ7QUU0RDZGQjgtQzJGQy00QTdELUIzNUQtNzVBNEI1MTI4RUU2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTY1OTY2N0MtNTIyNC00Q0JCLUE0RTYtRUNDNjg2NUM5MUIxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTIwODgzNTQzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD6D8.tmp

Filesize
1KB

MD5
61ec8b5362963d3eb50948b7c64b584f

SHA1
4b2829b6f68541e428f26d3b9846df76f505aab3

SHA256
41e6d1546feb2387fda2975880e4a0bd8b961c600af008dc39b927507e21d3f8

SHA512
ec16353b3b4c74b8966b91431671af6880874e21508be5dc5522ea59a19da2c72b30fda4fed9cca529451aab419b20c068a337562ff16dccc1cddc5536a15e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8C9A53CA2AEA45F5BC7AA11123DE4D14.TMP

Filesize
880B

MD5
d09994611037eb80b7e0b3ac94e4dcd3

SHA1
6558ee7fa98bb5351a9f5ca56acc65bb34b43a67

SHA256
52001fdd86705d7b7d3d3e4c575b90123d2282800d6a7d5cc5537448e4566f5c

SHA512
77ec89e408bad70f4629c9178c1224c64f26e413e51a30e3a5385fc9fd5ff7b65f0ce2500413cf0d98c9d1d3624a3dd765a21d7d17c423c86f2e99d1fb86631f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvlplghr.0.vb

Filesize
1KB

MD5
8db6b2a9d6495aa564a22100b05d7678

SHA1
b0906af058da86658fca3cb27e26f654a3a8716c

SHA256
af0e4ed8deb44f16a54d5819169aecf626820c31c8416d451d640b02e3cf94be

SHA512
d2a639c10270d616a8e8cf65a8af41e528989aba56eb6caf335391e8a121cbb53f20c01c9800f9aca0eefc9634035bd4ff781f408587311004e8caa0dc9bb0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvlplghr.cmdline

Filesize
234B

MD5
20a97da43a578ec5ddb6a18cc42a710c

SHA1
ade055f16b6f54d25355194986844860ac64e358

SHA256
87e0918c38c187ec13d2a3b2ea5d7d5692c28626a38d4ddaefde9e09401fe643

SHA512
05d6ad9560ca73bea051d2400d64f2723ab73ca6ff2e1b8ceceb69b703e0bbc1134e337a3b470185ad746081e199f54edeecc50aa0a1ac29dd5eca90c1041d58

Download Submit
C:\Users\Admin\AppData\Roaming\556301.exe

Filesize
7KB

MD5
40cdd4dd7b53a247a803c18e39aa3aa4

SHA1
f7699152d104019d1de13ee5fc98ed025b301144

SHA256
b50d60e425d095565bc172e9cbd51b315eadbbd3d2f888cc47f434ed6b33d5e9

SHA512
63c6adf3f91a4b67d9d885ea949c63ec38df1e57d598085123674577e5936e836de61151428d8045d9d428d61e3b11a3331159c8046a99667655df07ab36ed53

Download Submit
C:\Users\Admin\AppData\Roaming\Copy of 52DQ0TVU6G.exe

Filesize
178KB

MD5
56d0bcceb3cf007422e1b3c5d29649a1

SHA1
7be6e074527f5b6d31869e9ac96855ba37260df7

SHA256
9bda696ae0d62c10debc268eb1ce0ddebd98f4c0a57a31834e9ce3c1b294915b

SHA512
9c75acfa9cfab1a8460876f3662a5d827f54e3a9775890fabc1ff6d8deab8b6e647b56684bfc3b918568716a40ee00c5afc37e5c0d3195484dc34a5700263ad2

Download Submit
C:\Users\Admin\AppData\Roaming\RES.exe

Filesize
1KB

MD5
f54b30f21b7b118bfeda2b1ed3482f84

SHA1
bde084ea60646dadabfed4eafe5bafceb4c11b99

SHA256
62bf121e7c7d3a221718d90de673ab23b9759765bb4aaed747883c7c7d08c2c5

SHA512
8431f8c37b0fbc1077eb0aef78ad2e10c11bb10e16ddbde833f568cbd69551e23c85aadcce4ddc71994a9fede59eca52bc99d595131c2264e4e9917abe87e44d

Download Submit
memory/1756-70-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-77-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-21-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-104-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-101-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-13-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-12-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-7-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-98-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-94-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-91-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-88-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-52-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-84-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-81-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-59-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-67-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-22-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1756-73-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2324-0-0x0000000074512000-0x0000000074513000-memory.dmp

Filesize
4KB

Download
memory/2324-56-0x0000000074510000-0x0000000074AC1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-1-0x0000000074510000-0x0000000074AC1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-51-0x0000000074510000-0x0000000074AC1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-50-0x0000000074512000-0x0000000074513000-memory.dmp

Filesize
4KB

Download
memory/2324-49-0x0000000074510000-0x0000000074AC1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-2-0x0000000074510000-0x0000000074AC1000-memory.dmp

Filesize
5.7MB

Download
memory/3864-38-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3864-30-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads