Analysis
max time kernel: 18s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20250211-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/02/2025, 16:24
Behavioral task: behavioral1
Sample: 315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe
Resource: win10v2004-20250211-en
General
Target: 315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe
Size: 405KB
MD5: e6d662693685c5bfcf88a842d2853cdc
SHA1: 817f5bb381616bf4279ccbffe884d1e8d87e078a
SHA256: 315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546
SHA512: 56720bfa6ea50b38cf53ee27ba43ec868931adf54dc5c069b3a1d0d8055d032844b3dbab5f1d41d223ca821d6f5985a9ae859be97dd58df6bd8a67eacb960a98
SSDEEP: 6144:foYn9sE89XKTK/J6brj3nmHWrt63P5A9GJ6vbmF4ifKyjlKI4r3mzzrLVIo8ZJr+:ZsNDBIrCHWux6iFTJf4r2zPBv8Xi8xS1
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload (11 IoCs)
resource  yara_rule
behavioral2/memory/456-68-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
behavioral2/memory/456-83-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
behavioral2/memory/456-85-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
behavioral2/memory/456-88-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
behavioral2/memory/456-90-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
behavioral2/memory/456-92-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
behavioral2/memory/456-98-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
behavioral2/memory/456-100-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
behavioral2/memory/456-103-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
behavioral2/memory/456-105-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
behavioral2/memory/456-112-0x0000000000400000-0x000000000047B000-memory.dmp  family_blackshades
Modifies firewall policy service (3 TTPs, 10 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  reg.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications  reg.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  reg.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\javaruntime.exe = "C:\\Windows\\javaruntime.exe:*:Enabled:Windows Messanger"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  reg.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  reg.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  reg.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  reg.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  reg.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winprocess.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winprocess.exe:*:Enabled:Windows Messanger"  reg.exe
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe
Executes dropped EXE (3 IoCs)
pid  Process
512  javaruntime.exe
3676  javaruntime.exe
456  javaruntime.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaruntime = "C:\\Windows\\javaruntime.exe"  reg.exe
Suspicious use of SetThreadContext (5 IoCs)
description  pid  Process  procid_target
PID 3664 set thread context of 4072  3664  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe  87
PID 3664 set thread context of 3536  3664  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe  88
PID 512 set thread context of 1068  512  javaruntime.exe  94
PID 512 set thread context of 3676  512  javaruntime.exe  95
PID 512 set thread context of 456  512  javaruntime.exe  96
resource  yara_rule
behavioral2/memory/3664-0-0x0000000000400000-0x000000000052D000-memory.dmp  upx
behavioral2/memory/3664-13-0x0000000000400000-0x000000000052D000-memory.dmp  upx
behavioral2/memory/3536-16-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/3536-18-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/3536-14-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/3664-22-0x0000000000400000-0x000000000052D000-memory.dmp  upx
behavioral2/files/0x000d000000023d0b-36.dat  upx
behavioral2/memory/512-44-0x0000000000400000-0x000000000052D000-memory.dmp  upx
behavioral2/memory/512-48-0x0000000000400000-0x000000000052D000-memory.dmp  upx
behavioral2/memory/3536-51-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/512-56-0x0000000000400000-0x000000000052D000-memory.dmp  upx
behavioral2/memory/456-64-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-68-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-66-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/512-75-0x0000000000400000-0x000000000052D000-memory.dmp  upx
behavioral2/memory/3536-78-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/3676-80-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/456-83-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-85-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-88-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-90-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-92-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-98-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-100-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-103-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-105-0x0000000000400000-0x000000000047B000-memory.dmp  upx
behavioral2/memory/456-112-0x0000000000400000-0x000000000047B000-memory.dmp  upx
Drops file in Windows directory (2 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\javaruntime.exe  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe
File created  C:\Windows\javaruntime.exe  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 17 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (5 occurrences)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  javaruntime.exe (3 occurrences)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe (5 occurrences)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe (2 occurrences)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe (2 occurrences)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid  Process
1640  MicrosoftEdgeUpdate.exe
Modifies registry key (1 TTPs, 4 IoCs)
pid  Process
3508  reg.exe
2808  reg.exe
2604  reg.exe
1612  reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
4072  svchost.exe (all 64 entries are this same pid and process)
Suspicious use of AdjustPrivilegeToken (41 IoCs)
description  pid  Process
Token: 1  456  javaruntime.exe
Token: SeCreateTokenPrivilege  456  javaruntime.exe
Token: SeAssignPrimaryTokenPrivilege  456  javaruntime.exe
Token: SeLockMemoryPrivilege  456  javaruntime.exe
Token: SeIncreaseQuotaPrivilege  456  javaruntime.exe
Token: SeMachineAccountPrivilege  456  javaruntime.exe
Token: SeTcbPrivilege  456  javaruntime.exe
Token: SeSecurityPrivilege  456  javaruntime.exe
Token: SeTakeOwnershipPrivilege  456  javaruntime.exe
Token: SeLoadDriverPrivilege  456  javaruntime.exe
Token: SeSystemProfilePrivilege  456  javaruntime.exe
Token: SeSystemtimePrivilege  456  javaruntime.exe
Token: SeProfSingleProcessPrivilege  456  javaruntime.exe
Token: SeIncBasePriorityPrivilege  456  javaruntime.exe
Token: SeCreatePagefilePrivilege  456  javaruntime.exe
Token: SeCreatePermanentPrivilege  456  javaruntime.exe
Token: SeBackupPrivilege  456  javaruntime.exe
Token: SeRestorePrivilege  456  javaruntime.exe
Token: SeShutdownPrivilege  456  javaruntime.exe
Token: SeDebugPrivilege  456  javaruntime.exe
Token: SeAuditPrivilege  456  javaruntime.exe
Token: SeSystemEnvironmentPrivilege  456  javaruntime.exe
Token: SeChangeNotifyPrivilege  456  javaruntime.exe
Token: SeRemoteShutdownPrivilege  456  javaruntime.exe
Token: SeUndockPrivilege  456  javaruntime.exe
Token: SeSyncAgentPrivilege  456  javaruntime.exe
Token: SeEnableDelegationPrivilege  456  javaruntime.exe
Token: SeManageVolumePrivilege  456  javaruntime.exe
Token: SeImpersonatePrivilege  456  javaruntime.exe
Token: SeCreateGlobalPrivilege  456  javaruntime.exe
Token: 31  456  javaruntime.exe
Token: 32  456  javaruntime.exe
Token: 33  456  javaruntime.exe
Token: 34  456  javaruntime.exe
Token: 35  456  javaruntime.exe
Token: SeDebugPrivilege  3676  javaruntime.exe (6 occurrences)
Suspicious use of SetWindowsHookEx (11 IoCs)
pid  Process
3664  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe
4072  svchost.exe
3536  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe
512  javaruntime.exe (2 occurrences)
1068  svchost.exe
3676  javaruntime.exe
456  javaruntime.exe (4 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed with a count)
description  pid  Process  procid_target  count
PID 3664 wrote to memory of 4072  3664  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe  87  9
PID 3664 wrote to memory of 3536  3664  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe  88  8
PID 3536 wrote to memory of 4764  3536  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe  89  3
PID 4764 wrote to memory of 4692  4764  cmd.exe  92  3
PID 3536 wrote to memory of 512  3536  315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe  93  3
PID 512 wrote to memory of 1068  512  javaruntime.exe  94  9
PID 512 wrote to memory of 3676  512  javaruntime.exe  95  8
PID 512 wrote to memory of 456  512  javaruntime.exe  96  8
PID 456 wrote to memory of 4836  456  javaruntime.exe  97  3
PID 456 wrote to memory of 1768  456  javaruntime.exe  98  3
PID 456 wrote to memory of 3360  456  javaruntime.exe  99  3
PID 456 wrote to memory of 3236  456  javaruntime.exe  100  3
PID 4836 wrote to memory of 3508  4836  cmd.exe  105  1
Processes

[1] C:\Users\Admin\AppData\Local\Temp\315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe"
    PID: 3664
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\system32\svchost.exe"
      PID: 4072
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

  [2] C:\Users\Admin\AppData\Local\Temp\315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\315daba2353427a690f4c5eab69011c4e8fe4697da2f15bfb3e4dbe4feac2546.exe"
      PID: 3536
      - Checks computer location settings
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUYVJ.bat" "
        PID: 4764
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaruntime" /t REG_SZ /d "C:\Windows\javaruntime.exe" /f
          PID: 4692
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery

    [3] C:\Windows\javaruntime.exe
        Command line: "C:\Windows\javaruntime.exe"
        PID: 512
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\svchost.exe
          Command line: "C:\Windows\system32\svchost.exe"
          PID: 1068
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

      [4] C:\Windows\javaruntime.exe
          Command line: "C:\Windows\javaruntime.exe"
          PID: 3676
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

      [4] C:\Windows\javaruntime.exe
          Command line: "C:\Windows\javaruntime.exe"
          PID: 456
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 4836
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              PID: 3508
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\javaruntime.exe" /t REG_SZ /d "C:\Windows\javaruntime.exe:*:Enabled:Windows Messanger" /f
            PID: 1768
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\javaruntime.exe" /t REG_SZ /d "C:\Windows\javaruntime.exe:*:Enabled:Windows Messanger" /f
              PID: 1612
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 3360
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              PID: 2808
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winprocess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winprocess.exe:*:Enabled:Windows Messanger" /f
            PID: 3236
            - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winprocess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winprocess.exe:*:Enabled:Windows Messanger" /f
              PID: 2604
              - Modifies firewall policy service
              - System Location Discovery: System Language Discovery
              - Modifies registry key

[1] C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping -PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mzg2MDYxNjE2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    PID: 1640
    - System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Impair Defenses (1): Disable or Modify System Firewall (1)
  Modify Registry (3)
Downloads

Filesize: 124B
MD5: 163f8e838efe1d166ffff7408b814e28
SHA1: 52fa0ccba649587e7d24d21d182657078fa6d028
SHA256: dc60287c419225759aa9e1ea0423be4106337dad71aaa0cdc9d55d2b1af3edb7
SHA512: b6685390029555f7d812f0d1a9f138c619555712add3e79c1c90a1a5a0c544e4a86768a626d25c6af3cec09afc0bbaf7f398114e849831bdc5666fc443a1f68d

Filesize: 405KB
MD5: cc3ee856e55416cb29ae2d60cdd95ea5
SHA1: 2496469b195c4c2a6492d0dd383a2f47ae5b1e8c
SHA256: 776291d6ed8ee2f547e75216632bcd5cad4137efdb107cd9b9b92a042d0342d9
SHA512: 1c10e07c7d5fa8bb20bf350616997346bc08e2971bc9d5286d362b26793b2749d26fd7b0311e689781ffd3e72349d55b91684661ffadf58581d5189b971d1660