blackshades | 64138fdf06aed257299dc945e32ad5eae74b3dde7c0282733493e24f39e4a117

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4faa12b615e8410b978944ca65c60335.exe
Size

302KB
MD5

4faa12b615e8410b978944ca65c60335
SHA1

a94942298fe79a86f622fa5e4e14cfc643125554
SHA256

64138fdf06aed257299dc945e32ad5eae74b3dde7c0282733493e24f39e4a117
SHA512

b01ce627061267545af86a337c20989c013a297bfc04413cfddb1ec05e7b299296bf87803c66d685bb08aee45cf6c3182ea05be21a2de16b8810e2a320917ad3
SSDEEP

6144:X6Dxcir7//mnwFyAiiwfItVtZ0OCnxOnogFVV2NWpJLdp0:X6Vf8tiwfetZixOfFVYYprW

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 14 IoCs

resource	yara_rule
behavioral1/memory/2668-18-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-27-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-33-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-35-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-36-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-38-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-40-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-41-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-43-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-44-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-47-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-48-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-50-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral1/memory/2668-51-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\taskmgr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2816	CalcL.exe
2676	Systemf.exe

Loads dropped DLL 6 IoCs

pid	Process
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2816	CalcL.exe
2816	CalcL.exe
2816	CalcL.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\updates = "\"C:\\Users\\Admin\\AppData\\Local\\Systemf.exe\""	Systemf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2668	2676	Systemf.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4faa12b615e8410b978944ca65c60335.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CalcL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Systemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	CalcL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	CalcL.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	CalcL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	CalcL.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	CalcL.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	CalcL.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	CalcL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	CalcL.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	CalcL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	CalcL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000002359ab29122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe2359ab292359ab292a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000042000000	CalcL.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	CalcL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	CalcL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	CalcL.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	CalcL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	CalcL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c00310000000000645ac2aa10204c6f63616c00380008000400efbe2359ab29645ac2aa2a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	CalcL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	CalcL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	CalcL.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	CalcL.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	CalcL.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	CalcL.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2672	reg.exe
2036	reg.exe
2832	reg.exe
2372	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	CalcL.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2668	vbc.exe
Token: SeCreateTokenPrivilege	2668	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2668	vbc.exe
Token: SeLockMemoryPrivilege	2668	vbc.exe
Token: SeIncreaseQuotaPrivilege	2668	vbc.exe
Token: SeMachineAccountPrivilege	2668	vbc.exe
Token: SeTcbPrivilege	2668	vbc.exe
Token: SeSecurityPrivilege	2668	vbc.exe
Token: SeTakeOwnershipPrivilege	2668	vbc.exe
Token: SeLoadDriverPrivilege	2668	vbc.exe
Token: SeSystemProfilePrivilege	2668	vbc.exe
Token: SeSystemtimePrivilege	2668	vbc.exe
Token: SeProfSingleProcessPrivilege	2668	vbc.exe
Token: SeIncBasePriorityPrivilege	2668	vbc.exe
Token: SeCreatePagefilePrivilege	2668	vbc.exe
Token: SeCreatePermanentPrivilege	2668	vbc.exe
Token: SeBackupPrivilege	2668	vbc.exe
Token: SeRestorePrivilege	2668	vbc.exe
Token: SeShutdownPrivilege	2668	vbc.exe
Token: SeDebugPrivilege	2668	vbc.exe
Token: SeAuditPrivilege	2668	vbc.exe
Token: SeSystemEnvironmentPrivilege	2668	vbc.exe
Token: SeChangeNotifyPrivilege	2668	vbc.exe
Token: SeRemoteShutdownPrivilege	2668	vbc.exe
Token: SeUndockPrivilege	2668	vbc.exe
Token: SeSyncAgentPrivilege	2668	vbc.exe
Token: SeEnableDelegationPrivilege	2668	vbc.exe
Token: SeManageVolumePrivilege	2668	vbc.exe
Token: SeImpersonatePrivilege	2668	vbc.exe
Token: SeCreateGlobalPrivilege	2668	vbc.exe
Token: 31	2668	vbc.exe
Token: 32	2668	vbc.exe
Token: 33	2668	vbc.exe
Token: 34	2668	vbc.exe
Token: 35	2668	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2668	vbc.exe
2668	vbc.exe
2668	vbc.exe
2816	CalcL.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2700	2660	JaffaCakes118_4faa12b615e8410b978944ca65c60335.exe	30
PID 2660 wrote to memory of 2700	2660	JaffaCakes118_4faa12b615e8410b978944ca65c60335.exe	30
PID 2660 wrote to memory of 2700	2660	JaffaCakes118_4faa12b615e8410b978944ca65c60335.exe	30
PID 2660 wrote to memory of 2700	2660	JaffaCakes118_4faa12b615e8410b978944ca65c60335.exe	30
PID 2700 wrote to memory of 2816	2700	cmd.exe	32
PID 2700 wrote to memory of 2816	2700	cmd.exe	32
PID 2700 wrote to memory of 2816	2700	cmd.exe	32
PID 2700 wrote to memory of 2816	2700	cmd.exe	32
PID 2700 wrote to memory of 2676	2700	cmd.exe	33
PID 2700 wrote to memory of 2676	2700	cmd.exe	33
PID 2700 wrote to memory of 2676	2700	cmd.exe	33
PID 2700 wrote to memory of 2676	2700	cmd.exe	33
PID 2676 wrote to memory of 2668	2676	Systemf.exe	34
PID 2676 wrote to memory of 2668	2676	Systemf.exe	34
PID 2676 wrote to memory of 2668	2676	Systemf.exe	34
PID 2676 wrote to memory of 2668	2676	Systemf.exe	34
PID 2676 wrote to memory of 2668	2676	Systemf.exe	34
PID 2676 wrote to memory of 2668	2676	Systemf.exe	34
PID 2676 wrote to memory of 2668	2676	Systemf.exe	34
PID 2676 wrote to memory of 2668	2676	Systemf.exe	34
PID 2676 wrote to memory of 2668	2676	Systemf.exe	34
PID 2668 wrote to memory of 2940	2668	vbc.exe	35
PID 2668 wrote to memory of 2940	2668	vbc.exe	35
PID 2668 wrote to memory of 2940	2668	vbc.exe	35
PID 2668 wrote to memory of 2940	2668	vbc.exe	35
PID 2668 wrote to memory of 2112	2668	vbc.exe	36
PID 2668 wrote to memory of 2112	2668	vbc.exe	36
PID 2668 wrote to memory of 2112	2668	vbc.exe	36
PID 2668 wrote to memory of 2112	2668	vbc.exe	36
PID 2668 wrote to memory of 2688	2668	vbc.exe	37
PID 2668 wrote to memory of 2688	2668	vbc.exe	37
PID 2668 wrote to memory of 2688	2668	vbc.exe	37
PID 2668 wrote to memory of 2688	2668	vbc.exe	37
PID 2668 wrote to memory of 2664	2668	vbc.exe	40
PID 2668 wrote to memory of 2664	2668	vbc.exe	40
PID 2668 wrote to memory of 2664	2668	vbc.exe	40
PID 2668 wrote to memory of 2664	2668	vbc.exe	40
PID 2688 wrote to memory of 2672	2688	cmd.exe	44
PID 2688 wrote to memory of 2672	2688	cmd.exe	44
PID 2688 wrote to memory of 2672	2688	cmd.exe	44
PID 2688 wrote to memory of 2672	2688	cmd.exe	44
PID 2112 wrote to memory of 2036	2112	cmd.exe	43
PID 2112 wrote to memory of 2036	2112	cmd.exe	43
PID 2112 wrote to memory of 2036	2112	cmd.exe	43
PID 2112 wrote to memory of 2036	2112	cmd.exe	43
PID 2664 wrote to memory of 2832	2664	cmd.exe	45
PID 2664 wrote to memory of 2832	2664	cmd.exe	45
PID 2664 wrote to memory of 2832	2664	cmd.exe	45
PID 2664 wrote to memory of 2832	2664	cmd.exe	45
PID 2940 wrote to memory of 2372	2940	cmd.exe	46
PID 2940 wrote to memory of 2372	2940	cmd.exe	46
PID 2940 wrote to memory of 2372	2940	cmd.exe	46
PID 2940 wrote to memory of 2372	2940	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4faa12b615e8410b978944ca65c60335.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4faa12b615e8410b978944ca65c60335.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt52855.bat "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4faa12b615e8410b978944ca65c60335.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\CalcL.exe
    C:\Users\Admin\AppData\Local\calcL.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Users\Admin\AppData\Local\Systemf.exe
    C:\Users\Admin\AppData\Local\systemf.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2036
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Systemf.exe

Filesize
472KB

MD5
7a52315f10a53d03f4959194f6d41096

SHA1
ba3103927973522962aecc6ca259486e631db201

SHA256
7af422ef89646d0e80370c18298aa6cdd081f09c288a10a567a076f15b36c034

SHA512
820c8e0edabfa5d1a0967768218f636f7ac51eaa1b5cedaf6f3d7a8f414fc27c4e4a0578636837eb6cf3943ce5b68a596cda8416b23c24ca0e4b643cca85fc97

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt52855.bat

Filesize
71B

MD5
8e19442d8f3b56b4af97b2cc7e258c6f

SHA1
7cf36b46d6b83c98c916aa1e17d044bf1ef6a841

SHA256
9bfea4c9f102435c8655f1ab2d75e1c540fefd4f3840d48200c2475d42861ff4

SHA512
3024a1567618886a61989b26fd8e524d667d699e762322ce856e1c3b7af9fcc68a43a64441c86cbab5cffec33e51e4c6374b5f1f33e97e610d09bbbb31f61fd7

Download Submit
\Users\Admin\AppData\Local\CalcL.exe

Filesize
17KB

MD5
45cc9739663805cc6b1d3d94d72359f0

SHA1
039e69a75be43f20cbfeb990a5a749da7913a9cf

SHA256
75bf1de84926e9c304bd58eb2a12ada5301df4cc1d82f112afe2c3debc560a1b

SHA512
277a68b13583e67700375c0b91f434c19d12b08a3a4d7c5819a62c5709e25c7630949f6f3e621f123a766511e37496b1b3c516fc14c2fed3480bbe67d4a71cb5

Download Submit
memory/2660-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2668-43-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-27-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-51-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-50-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-48-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-18-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-47-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-40-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-44-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-41-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-33-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-35-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-36-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-38-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2676-21-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-17-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-16-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-15-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/2700-7-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/2816-32-0x0000000006690000-0x0000000006699000-memory.dmp

Filesize
36KB

Download
memory/2816-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2816-28-0x0000000005920000-0x0000000005922000-memory.dmp

Filesize
8KB

Download
memory/2816-46-0x0000000006690000-0x0000000006699000-memory.dmp

Filesize
36KB

Download
memory/2816-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads