blackshades | 63c0e5ddf4de6ff77478c8e14bba3b2416dff0051d628b1002b653d692070a2a

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/02/2025, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe
Size

748KB
MD5

1c1fb67eb0f53187c684aac2d715bfdb
SHA1

bf9bafa426e2289121b5e49e0ab601a2af3af4e6
SHA256

63c0e5ddf4de6ff77478c8e14bba3b2416dff0051d628b1002b653d692070a2a
SHA512

f750258b7600e3feca34fb521df4f9e4acaf6c4152c33d7af19e080ed128fbd5d36aab9b62f86869f0ecaeb1f2e33a23aff9a900eee4cc408db389bccb4795f2
SSDEEP

12288:4RR9++Rc8sGuS+KvtNBXJWZWX5BZ6vlpCAN4KFTbcdFKoIFXuyOEvRU:4RRIrUuS+KvtNBXYZWTZ6dYKJmKoIJif

Score

10^/10

blackshades bootkit defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 15 IoCs

resource	yara_rule
behavioral1/memory/2384-60-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-57-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-73-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-75-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-78-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-80-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-82-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-84-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-87-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-89-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-92-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-94-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-96-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-99-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral1/memory/2384-101-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\506e1qQl7n.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2868	506e1qQl7n.exe
2592	506e1qQl7n.exe
2384	506e1qQl7n.exe

Loads dropped DLL 4 IoCs

pid	Process
3000	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe
3000	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe
2868	506e1qQl7n.exe
2592	506e1qQl7n.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe
File opened for modification	\??\PhysicalDrive0	506e1qQl7n.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 3000	1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	30
PID 2868 set thread context of 2592	2868	506e1qQl7n.exe	33
PID 2592 set thread context of 2384	2592	506e1qQl7n.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	506e1qQl7n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	506e1qQl7n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	506e1qQl7n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2464	reg.exe
2424	reg.exe
1960	reg.exe
2056	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	2384	506e1qQl7n.exe
Token: SeCreateTokenPrivilege	2384	506e1qQl7n.exe
Token: SeAssignPrimaryTokenPrivilege	2384	506e1qQl7n.exe
Token: SeLockMemoryPrivilege	2384	506e1qQl7n.exe
Token: SeIncreaseQuotaPrivilege	2384	506e1qQl7n.exe
Token: SeMachineAccountPrivilege	2384	506e1qQl7n.exe
Token: SeTcbPrivilege	2384	506e1qQl7n.exe
Token: SeSecurityPrivilege	2384	506e1qQl7n.exe
Token: SeTakeOwnershipPrivilege	2384	506e1qQl7n.exe
Token: SeLoadDriverPrivilege	2384	506e1qQl7n.exe
Token: SeSystemProfilePrivilege	2384	506e1qQl7n.exe
Token: SeSystemtimePrivilege	2384	506e1qQl7n.exe
Token: SeProfSingleProcessPrivilege	2384	506e1qQl7n.exe
Token: SeIncBasePriorityPrivilege	2384	506e1qQl7n.exe
Token: SeCreatePagefilePrivilege	2384	506e1qQl7n.exe
Token: SeCreatePermanentPrivilege	2384	506e1qQl7n.exe
Token: SeBackupPrivilege	2384	506e1qQl7n.exe
Token: SeRestorePrivilege	2384	506e1qQl7n.exe
Token: SeShutdownPrivilege	2384	506e1qQl7n.exe
Token: SeDebugPrivilege	2384	506e1qQl7n.exe
Token: SeAuditPrivilege	2384	506e1qQl7n.exe
Token: SeSystemEnvironmentPrivilege	2384	506e1qQl7n.exe
Token: SeChangeNotifyPrivilege	2384	506e1qQl7n.exe
Token: SeRemoteShutdownPrivilege	2384	506e1qQl7n.exe
Token: SeUndockPrivilege	2384	506e1qQl7n.exe
Token: SeSyncAgentPrivilege	2384	506e1qQl7n.exe
Token: SeEnableDelegationPrivilege	2384	506e1qQl7n.exe
Token: SeManageVolumePrivilege	2384	506e1qQl7n.exe
Token: SeImpersonatePrivilege	2384	506e1qQl7n.exe
Token: SeCreateGlobalPrivilege	2384	506e1qQl7n.exe
Token: 31	2384	506e1qQl7n.exe
Token: 32	2384	506e1qQl7n.exe
Token: 33	2384	506e1qQl7n.exe
Token: 34	2384	506e1qQl7n.exe
Token: 35	2384	506e1qQl7n.exe
Token: SeDebugPrivilege	2384	506e1qQl7n.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2800	DllHost.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe
3000	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe
2868	506e1qQl7n.exe
2800	DllHost.exe
2800	DllHost.exe
2592	506e1qQl7n.exe
2384	506e1qQl7n.exe
2384	506e1qQl7n.exe
2384	506e1qQl7n.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 3000	1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	30
PID 1732 wrote to memory of 3000	1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	30
PID 1732 wrote to memory of 3000	1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	30
PID 1732 wrote to memory of 3000	1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	30
PID 1732 wrote to memory of 3000	1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	30
PID 1732 wrote to memory of 3000	1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	30
PID 1732 wrote to memory of 3000	1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	30
PID 1732 wrote to memory of 3000	1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	30
PID 1732 wrote to memory of 3000	1732	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	30
PID 3000 wrote to memory of 2868	3000	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	32
PID 3000 wrote to memory of 2868	3000	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	32
PID 3000 wrote to memory of 2868	3000	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	32
PID 3000 wrote to memory of 2868	3000	JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe	32
PID 2868 wrote to memory of 2592	2868	506e1qQl7n.exe	33
PID 2868 wrote to memory of 2592	2868	506e1qQl7n.exe	33
PID 2868 wrote to memory of 2592	2868	506e1qQl7n.exe	33
PID 2868 wrote to memory of 2592	2868	506e1qQl7n.exe	33
PID 2868 wrote to memory of 2592	2868	506e1qQl7n.exe	33
PID 2868 wrote to memory of 2592	2868	506e1qQl7n.exe	33
PID 2868 wrote to memory of 2592	2868	506e1qQl7n.exe	33
PID 2868 wrote to memory of 2592	2868	506e1qQl7n.exe	33
PID 2868 wrote to memory of 2592	2868	506e1qQl7n.exe	33
PID 2592 wrote to memory of 2384	2592	506e1qQl7n.exe	34
PID 2592 wrote to memory of 2384	2592	506e1qQl7n.exe	34
PID 2592 wrote to memory of 2384	2592	506e1qQl7n.exe	34
PID 2592 wrote to memory of 2384	2592	506e1qQl7n.exe	34
PID 2592 wrote to memory of 2384	2592	506e1qQl7n.exe	34
PID 2592 wrote to memory of 2384	2592	506e1qQl7n.exe	34
PID 2592 wrote to memory of 2384	2592	506e1qQl7n.exe	34
PID 2592 wrote to memory of 2384	2592	506e1qQl7n.exe	34
PID 2384 wrote to memory of 2288	2384	506e1qQl7n.exe	35
PID 2384 wrote to memory of 2288	2384	506e1qQl7n.exe	35
PID 2384 wrote to memory of 2288	2384	506e1qQl7n.exe	35
PID 2384 wrote to memory of 2288	2384	506e1qQl7n.exe	35
PID 2384 wrote to memory of 2460	2384	506e1qQl7n.exe	36
PID 2384 wrote to memory of 2460	2384	506e1qQl7n.exe	36
PID 2384 wrote to memory of 2460	2384	506e1qQl7n.exe	36
PID 2384 wrote to memory of 2460	2384	506e1qQl7n.exe	36
PID 2384 wrote to memory of 2408	2384	506e1qQl7n.exe	38
PID 2384 wrote to memory of 2408	2384	506e1qQl7n.exe	38
PID 2384 wrote to memory of 2408	2384	506e1qQl7n.exe	38
PID 2384 wrote to memory of 2408	2384	506e1qQl7n.exe	38
PID 2384 wrote to memory of 1920	2384	506e1qQl7n.exe	41
PID 2384 wrote to memory of 1920	2384	506e1qQl7n.exe	41
PID 2384 wrote to memory of 1920	2384	506e1qQl7n.exe	41
PID 2384 wrote to memory of 1920	2384	506e1qQl7n.exe	41
PID 2460 wrote to memory of 2464	2460	cmd.exe	43
PID 2460 wrote to memory of 2464	2460	cmd.exe	43
PID 2460 wrote to memory of 2464	2460	cmd.exe	43
PID 2460 wrote to memory of 2464	2460	cmd.exe	43
PID 2288 wrote to memory of 2424	2288	cmd.exe	44
PID 2288 wrote to memory of 2424	2288	cmd.exe	44
PID 2288 wrote to memory of 2424	2288	cmd.exe	44
PID 2288 wrote to memory of 2424	2288	cmd.exe	44
PID 2408 wrote to memory of 1960	2408	cmd.exe	45
PID 2408 wrote to memory of 1960	2408	cmd.exe	45
PID 2408 wrote to memory of 1960	2408	cmd.exe	45
PID 2408 wrote to memory of 1960	2408	cmd.exe	45
PID 1920 wrote to memory of 2056	1920	cmd.exe	46
PID 1920 wrote to memory of 2056	1920	cmd.exe	46
PID 1920 wrote to memory of 2056	1920	cmd.exe	46
PID 1920 wrote to memory of 2056	1920	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c1fb67eb0f53187c684aac2d715bfdb.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe
    "C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe
      "C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe
        
        "C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2424
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe:*:Enabled:Windows Messanger" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe:*:Enabled:Windows Messanger" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2464
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1960
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2056

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kelly.jpg

Filesize
47KB

MD5
c81128fb0c060d4ef7e7134edc997e06

SHA1
8ad0ee8baadf198bd9d71e49448a9920e35a7d83

SHA256
77705c29cc0b8b099b7ca4fd099154f95cc5cd2ea1cf29375246d82222cad220

SHA512
92c32b1c95064d0270838ccb210659c12d2039bdb64a1dddad89743a5a23c45ff7bb8d04a40bc84b7377e08e24771e14743bc61da3095d9d3ca2e25e5f2ff6e5

Download Submit
\Users\Admin\AppData\Local\Temp\506e1qQl7n.exe

Filesize
560KB

MD5
78d82731e14f213cbc633ce43c475afd

SHA1
1c3c8b1b275a6e9907b5dbdce617976df6f9f688

SHA256
b3756e992300f487c5625f06e3ce03da0ac9b6c1f50732ad64a3a2ccaca65944

SHA512
1c0c21caab2519b73f0d6faa97d62d2c6c78a93a63110c25b644d758dbcbbbba27100bf02ba2c289babe9d0de3f235466a304e3d12d40e511f06308f6522c0c2

Download Submit
memory/2384-82-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-55-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-101-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-99-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-96-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-87-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-80-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-94-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-92-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-78-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-75-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-60-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-57-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-84-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-53-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-73-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2384-89-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2592-38-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2592-49-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2592-42-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2592-72-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2592-47-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2592-40-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2800-68-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2800-21-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2800-19-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/3000-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3000-2-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3000-6-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3000-34-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3000-4-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3000-18-0x0000000002670000-0x0000000002672000-memory.dmp

Filesize
8KB

Download
memory/3000-12-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3000-14-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads