blackshades | 7d6ae029a210650160bf136cef4fd04c5743558a393b6e64316274ac8b0fc9b7

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
Size

570KB
MD5

468c8d2a8812459198c0140b3b0d805c
SHA1

a4a26b5ab5b09bdc1c415a057fcf53d9174b789b
SHA256

7d6ae029a210650160bf136cef4fd04c5743558a393b6e64316274ac8b0fc9b7
SHA512

1add09c07b9e722ea2b26b971b1aec2efb5d81383407bc07db7fdd73fbd713c9b941caa8696c17ae9810e85f59ea6c289bbdd9ece3709e3933f2d7b81ed5f27f
SSDEEP

12288:Q/Uj3WbaOzuYM78NW29Uuezee5UpbDK1vPenlYIQHkfNd8/oSGi:K5bxzud8NW2WueSrQ3e4UNd8gi

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 10 IoCs

resource	yara_rule
behavioral1/memory/2180-89-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2180-99-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2180-121-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2180-216-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2180-218-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2180-220-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2180-223-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2180-224-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2180-229-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2180-231-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\csrs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svhost32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svhost32.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2120	vwkKq.exe
2092	csrs.exe
2180	csrs.exe

Loads dropped DLL 21 IoCs

pid	Process
2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
2120	vwkKq.exe
2120	vwkKq.exe
2120	vwkKq.exe
2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
2092	csrs.exe
2092	csrs.exe
2092	csrs.exe
2092	csrs.exe
2180	csrs.exe
2180	csrs.exe
2180	csrs.exe
2120	vwkKq.exe
2120	vwkKq.exe
2120	vwkKq.exe
2120	vwkKq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrs = "C:\\Users\\Admin\\AppData\\Roaming\\csrs.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2180	2092	csrs.exe	36

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-0-0x0000000000400000-0x00000000007DC000-memory.dmp	upx
behavioral1/files/0x00080000000164de-51.dat	upx
behavioral1/memory/2396-54-0x0000000003BE0000-0x0000000003FBC000-memory.dmp	upx
behavioral1/memory/2092-77-0x0000000000400000-0x00000000007DC000-memory.dmp	upx
behavioral1/memory/2396-69-0x0000000000400000-0x00000000007DC000-memory.dmp	upx
behavioral1/memory/2180-88-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-84-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-82-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2092-95-0x0000000000400000-0x00000000007DC000-memory.dmp	upx
behavioral1/memory/2180-89-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-99-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-121-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-216-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-218-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-220-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-223-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-224-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-229-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2180-231-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Tracker Checker 2\Tracker Checker 2.exe	vwkKq.exe
File created	C:\Program Files (x86)\Tracker Checker 2\trackers.xml	vwkKq.exe
File created	C:\Program Files (x86)\Tracker Checker 2\Uninstall.exe	vwkKq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vwkKq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000d00000001277d-7.dat	nsis_installer_1
behavioral1/files/0x0006000000016df5-117.dat	nsis_installer_1

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
328	reg.exe
2936	reg.exe
3036	reg.exe
2924	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2120	vwkKq.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2180	csrs.exe
Token: SeCreateTokenPrivilege	2180	csrs.exe
Token: SeAssignPrimaryTokenPrivilege	2180	csrs.exe
Token: SeLockMemoryPrivilege	2180	csrs.exe
Token: SeIncreaseQuotaPrivilege	2180	csrs.exe
Token: SeMachineAccountPrivilege	2180	csrs.exe
Token: SeTcbPrivilege	2180	csrs.exe
Token: SeSecurityPrivilege	2180	csrs.exe
Token: SeTakeOwnershipPrivilege	2180	csrs.exe
Token: SeLoadDriverPrivilege	2180	csrs.exe
Token: SeSystemProfilePrivilege	2180	csrs.exe
Token: SeSystemtimePrivilege	2180	csrs.exe
Token: SeProfSingleProcessPrivilege	2180	csrs.exe
Token: SeIncBasePriorityPrivilege	2180	csrs.exe
Token: SeCreatePagefilePrivilege	2180	csrs.exe
Token: SeCreatePermanentPrivilege	2180	csrs.exe
Token: SeBackupPrivilege	2180	csrs.exe
Token: SeRestorePrivilege	2180	csrs.exe
Token: SeShutdownPrivilege	2180	csrs.exe
Token: SeDebugPrivilege	2180	csrs.exe
Token: SeAuditPrivilege	2180	csrs.exe
Token: SeSystemEnvironmentPrivilege	2180	csrs.exe
Token: SeChangeNotifyPrivilege	2180	csrs.exe
Token: SeRemoteShutdownPrivilege	2180	csrs.exe
Token: SeUndockPrivilege	2180	csrs.exe
Token: SeSyncAgentPrivilege	2180	csrs.exe
Token: SeEnableDelegationPrivilege	2180	csrs.exe
Token: SeManageVolumePrivilege	2180	csrs.exe
Token: SeImpersonatePrivilege	2180	csrs.exe
Token: SeCreateGlobalPrivilege	2180	csrs.exe
Token: 31	2180	csrs.exe
Token: 32	2180	csrs.exe
Token: 33	2180	csrs.exe
Token: 34	2180	csrs.exe
Token: 35	2180	csrs.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
2092	csrs.exe
2180	csrs.exe
2180	csrs.exe
2180	csrs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2120	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	31
PID 2396 wrote to memory of 2120	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	31
PID 2396 wrote to memory of 2120	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	31
PID 2396 wrote to memory of 2120	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	31
PID 2396 wrote to memory of 2120	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	31
PID 2396 wrote to memory of 2120	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	31
PID 2396 wrote to memory of 2120	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	31
PID 2396 wrote to memory of 2624	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	32
PID 2396 wrote to memory of 2624	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	32
PID 2396 wrote to memory of 2624	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	32
PID 2396 wrote to memory of 2624	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	32
PID 2396 wrote to memory of 2624	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	32
PID 2396 wrote to memory of 2624	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	32
PID 2396 wrote to memory of 2624	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	32
PID 2624 wrote to memory of 2004	2624	cmd.exe	34
PID 2624 wrote to memory of 2004	2624	cmd.exe	34
PID 2624 wrote to memory of 2004	2624	cmd.exe	34
PID 2624 wrote to memory of 2004	2624	cmd.exe	34
PID 2624 wrote to memory of 2004	2624	cmd.exe	34
PID 2624 wrote to memory of 2004	2624	cmd.exe	34
PID 2624 wrote to memory of 2004	2624	cmd.exe	34
PID 2396 wrote to memory of 2092	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	35
PID 2396 wrote to memory of 2092	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	35
PID 2396 wrote to memory of 2092	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	35
PID 2396 wrote to memory of 2092	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	35
PID 2396 wrote to memory of 2092	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	35
PID 2396 wrote to memory of 2092	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	35
PID 2396 wrote to memory of 2092	2396	JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe	35
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2092 wrote to memory of 2180	2092	csrs.exe	36
PID 2180 wrote to memory of 2944	2180	csrs.exe	37
PID 2180 wrote to memory of 2944	2180	csrs.exe	37
PID 2180 wrote to memory of 2944	2180	csrs.exe	37
PID 2180 wrote to memory of 2944	2180	csrs.exe	37
PID 2180 wrote to memory of 2944	2180	csrs.exe	37
PID 2180 wrote to memory of 2944	2180	csrs.exe	37
PID 2180 wrote to memory of 2944	2180	csrs.exe	37
PID 2180 wrote to memory of 2940	2180	csrs.exe	38
PID 2180 wrote to memory of 2940	2180	csrs.exe	38
PID 2180 wrote to memory of 2940	2180	csrs.exe	38
PID 2180 wrote to memory of 2940	2180	csrs.exe	38
PID 2180 wrote to memory of 2940	2180	csrs.exe	38
PID 2180 wrote to memory of 2940	2180	csrs.exe	38
PID 2180 wrote to memory of 2940	2180	csrs.exe	38
PID 2180 wrote to memory of 2948	2180	csrs.exe	39
PID 2180 wrote to memory of 2948	2180	csrs.exe	39
PID 2180 wrote to memory of 2948	2180	csrs.exe	39
PID 2180 wrote to memory of 2948	2180	csrs.exe	39
PID 2180 wrote to memory of 2948	2180	csrs.exe	39
PID 2180 wrote to memory of 2948	2180	csrs.exe	39
PID 2180 wrote to memory of 2948	2180	csrs.exe	39
PID 2180 wrote to memory of 2956	2180	csrs.exe	40
PID 2180 wrote to memory of 2956	2180	csrs.exe	40
PID 2180 wrote to memory of 2956	2180	csrs.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_468c8d2a8812459198c0140b3b0d805c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\vwkKq.exe
  "C:\Users\Admin\AppData\Local\Temp\vwkKq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\NrlIY.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2004
- C:\Users\Admin\AppData\Roaming\csrs.exe
  "C:\Users\Admin\AppData\Roaming\csrs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Roaming\csrs.exe
    C:\Users\Admin\AppData\Roaming\csrs.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2940
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2948
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NrlIY.bat

Filesize
130B

MD5
34a635bb69f9dc2d8e8ceba2f6b25308

SHA1
66bbd6b4eb975af0a799c6be7aaed6917f5df10c

SHA256
eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a

SHA512
ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE735.tmp\ioSpecial.ini

Filesize
609B

MD5
e065dcd1ed6685fa72121b2deb90b854

SHA1
1e1b9b119876c0ff085a9baa145c3c457c95654e

SHA256
de87af985b852f44ba96a749d43ecb26f0d124ad1fca7be99e49d2567a85f7b6

SHA512
7f7e1869609a04108a1f38a63ee61210736d2b832d49baefa40be580288a34a630214b9093a783f78164511e800ae5d1ec940eec72cfb849c5a1775417fc2e51

Download Submit
C:\Users\Admin\AppData\Roaming\csrs.exe

Filesize
570KB

MD5
50b8a130b3d62c55a7b96776f7a67fb6

SHA1
94a807d324fc5a9038534659c24e29a606952651

SHA256
187725f3ee78b28ac4acb982f6c41a182a4f8eda212330b6b8c9b55e99e02787

SHA512
a3b4675363e919d49b57fe2cf0d229cfb9724e4b3b217a1c475112337de0652b51c7e449645c6606f22681874fa383d676702cb89e50ebe9010ae9ac4d720a95

Download Submit
\Program Files (x86)\Tracker Checker 2\Tracker Checker 2.exe

Filesize
76KB

MD5
69ef91523511664525bcb4878c7f5738

SHA1
008677a4b95be9b395c3c5f9c235d47f4e8006fe

SHA256
f80b24b82d17c5b203643e1ee6377fbc4d2f5d1531b97ac83e2d2ad2393ce837

SHA512
1dcd1c9d168d4b404a67acb9b9358f4d708e44c9d529a56e784c8f6461b8a113b4d10f0b13e2871eb3772faa654f0ec40374a542389b617183c0af993f248316

Download Submit
\Program Files (x86)\Tracker Checker 2\Uninstall.exe

Filesize
65KB

MD5
34e18d9f67847860e723efba41337407

SHA1
3f52dd0b1ae15d90edaf4c8e43c0c5edbf4920d3

SHA256
6d53051ba29de39f0b9bbbc4b0fdb32922c31205e2e3fcea0217e446cafc0909

SHA512
d96948ef67e1882d79da8151719d6b49db6dd6d27061cc0865fe33015ff0e595ee983ecc6cda3354fbba9fb4260518e4e57d181027eef6635481a987fac00e22

Download Submit
\Users\Admin\AppData\Local\Temp\nseE735.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
\Users\Admin\AppData\Local\Temp\nseE735.tmp\System.dll

Filesize
10KB

MD5
86b5a07a43b7cbc5c49263b8d974b736

SHA1
78388286a311810d812c13d87dea12d581713e60

SHA256
5897fb00be38e502fb5dfd047d97e5e4da6387a7a6259633dc31c2427612901b

SHA512
dcbe379c28302bb3472339cd24949b16548fa0003882a920df6839078cc7b2563f058a0524bf25df0a5ec8b08e302ebc9e646033109958669d8af883af959ffe

Download Submit
\Users\Admin\AppData\Local\Temp\vwkKq.exe

Filesize
134KB

MD5
0886cebbac590d40e9d58149deaff91b

SHA1
c1e4c70ea6a191112944668c7051c4e06346358d

SHA256
3b67b34b7e8b15662f091bcc8ce44cbfee54ea7405ab2dc55c7440c722cc4862

SHA512
65b5f489bb1b43b70fee0f0a91436296c14090d22ae0df0565750bc43afba437b4123b2c239cfae6a86c679fc907aeb5ffa0809ca49640862bcd811a9bac9ad5

Download Submit
memory/2092-81-0x00000000032A0000-0x000000000367C000-memory.dmp

Filesize
3.9MB

Download
memory/2092-75-0x0000000001040000-0x000000000141C000-memory.dmp

Filesize
3.9MB

Download
memory/2092-77-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download
memory/2092-76-0x0000000001040000-0x000000000141C000-memory.dmp

Filesize
3.9MB

Download
memory/2092-74-0x0000000001040000-0x000000000141C000-memory.dmp

Filesize
3.9MB

Download
memory/2092-95-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download
memory/2180-92-0x00000000008F0000-0x0000000000CCC000-memory.dmp

Filesize
3.9MB

Download
memory/2180-216-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-88-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-84-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-82-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-231-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-229-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-91-0x00000000008F0000-0x0000000000CCC000-memory.dmp

Filesize
3.9MB

Download
memory/2180-90-0x00000000008F0000-0x0000000000CCC000-memory.dmp

Filesize
3.9MB

Download
memory/2180-89-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-99-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-101-0x00000000008F0000-0x0000000000CCC000-memory.dmp

Filesize
3.9MB

Download
memory/2180-100-0x00000000008F0000-0x0000000000CCC000-memory.dmp

Filesize
3.9MB

Download
memory/2180-224-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-223-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-220-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-121-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2180-218-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2396-2-0x0000000001000000-0x00000000013DC000-memory.dmp

Filesize
3.9MB

Download
memory/2396-65-0x0000000003BE0000-0x0000000003FBC000-memory.dmp

Filesize
3.9MB

Download
memory/2396-4-0x0000000001000000-0x00000000013DC000-memory.dmp

Filesize
3.9MB

Download
memory/2396-54-0x0000000003BE0000-0x0000000003FBC000-memory.dmp

Filesize
3.9MB

Download
memory/2396-67-0x0000000003BE0000-0x0000000003FBC000-memory.dmp

Filesize
3.9MB

Download
memory/2396-64-0x0000000003BE0000-0x0000000003FBC000-memory.dmp

Filesize
3.9MB

Download
memory/2396-0-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download
memory/2396-69-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads