blackshades | 8b89276a5097877a3e1acef6a8c833c78be3b59f1ab83b519031ef984bb06060

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe
Size

1.6MB
MD5

56a3201e29e17e386a1e7102d44becd8
SHA1

4f52762a49f6c0e75a51dc3e62178542b55cff06
SHA256

8b89276a5097877a3e1acef6a8c833c78be3b59f1ab83b519031ef984bb06060
SHA512

5ef0fdbadcf5ed0441d66dc666d14249f994458a50f1c7d88e1eb51dd3e8d03a759d46ed01f97cd0622af9b86551a841aacc84e774c7c9c1826fe42a669c6cda
SSDEEP

12288:KeCmbLFzEN3A6R1WP7vy0PqYz2bsfhH7EvIyzjy+uRXuQ7BvLEd3HX9y:OmNPbmzjy+EzI9y

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 10 IoCs

resource	yara_rule
behavioral1/memory/2848-59-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2848-63-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2848-65-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2848-66-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2848-68-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2848-69-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2848-73-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2848-74-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2848-76-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades
behavioral1/memory/2848-79-0x0000000000400000-0x000000000045C000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\windowupdates_02.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	windowupdates_02.exe
2848	windowupdates_02.exe

Loads dropped DLL 11 IoCs

pid	Process
2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe
2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe
2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe
2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe
2964	windowupdates_02.exe
2964	windowupdates_02.exe
2964	windowupdates_02.exe
2964	windowupdates_02.exe
2848	windowupdates_02.exe
2848	windowupdates_02.exe
2848	windowupdates_02.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updates\\windowupdates_02.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 2848	2964	windowupdates_02.exe	34

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-46-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-55-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-59-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-49-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-63-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-65-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-66-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-68-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-69-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-73-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-74-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-76-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2848-79-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowupdates_02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowupdates_02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2536	reg.exe
2472	reg.exe
2684	reg.exe
2716	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2848	windowupdates_02.exe
Token: SeCreateTokenPrivilege	2848	windowupdates_02.exe
Token: SeAssignPrimaryTokenPrivilege	2848	windowupdates_02.exe
Token: SeLockMemoryPrivilege	2848	windowupdates_02.exe
Token: SeIncreaseQuotaPrivilege	2848	windowupdates_02.exe
Token: SeMachineAccountPrivilege	2848	windowupdates_02.exe
Token: SeTcbPrivilege	2848	windowupdates_02.exe
Token: SeSecurityPrivilege	2848	windowupdates_02.exe
Token: SeTakeOwnershipPrivilege	2848	windowupdates_02.exe
Token: SeLoadDriverPrivilege	2848	windowupdates_02.exe
Token: SeSystemProfilePrivilege	2848	windowupdates_02.exe
Token: SeSystemtimePrivilege	2848	windowupdates_02.exe
Token: SeProfSingleProcessPrivilege	2848	windowupdates_02.exe
Token: SeIncBasePriorityPrivilege	2848	windowupdates_02.exe
Token: SeCreatePagefilePrivilege	2848	windowupdates_02.exe
Token: SeCreatePermanentPrivilege	2848	windowupdates_02.exe
Token: SeBackupPrivilege	2848	windowupdates_02.exe
Token: SeRestorePrivilege	2848	windowupdates_02.exe
Token: SeShutdownPrivilege	2848	windowupdates_02.exe
Token: SeDebugPrivilege	2848	windowupdates_02.exe
Token: SeAuditPrivilege	2848	windowupdates_02.exe
Token: SeSystemEnvironmentPrivilege	2848	windowupdates_02.exe
Token: SeChangeNotifyPrivilege	2848	windowupdates_02.exe
Token: SeRemoteShutdownPrivilege	2848	windowupdates_02.exe
Token: SeUndockPrivilege	2848	windowupdates_02.exe
Token: SeSyncAgentPrivilege	2848	windowupdates_02.exe
Token: SeEnableDelegationPrivilege	2848	windowupdates_02.exe
Token: SeManageVolumePrivilege	2848	windowupdates_02.exe
Token: SeImpersonatePrivilege	2848	windowupdates_02.exe
Token: SeCreateGlobalPrivilege	2848	windowupdates_02.exe
Token: 31	2848	windowupdates_02.exe
Token: 32	2848	windowupdates_02.exe
Token: 33	2848	windowupdates_02.exe
Token: 34	2848	windowupdates_02.exe
Token: 35	2848	windowupdates_02.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe
2964	windowupdates_02.exe
2848	windowupdates_02.exe
2848	windowupdates_02.exe
2848	windowupdates_02.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 268	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	30
PID 2720 wrote to memory of 268	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	30
PID 2720 wrote to memory of 268	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	30
PID 2720 wrote to memory of 268	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	30
PID 268 wrote to memory of 1084	268	cmd.exe	32
PID 268 wrote to memory of 1084	268	cmd.exe	32
PID 268 wrote to memory of 1084	268	cmd.exe	32
PID 268 wrote to memory of 1084	268	cmd.exe	32
PID 2720 wrote to memory of 2964	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	33
PID 2720 wrote to memory of 2964	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	33
PID 2720 wrote to memory of 2964	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	33
PID 2720 wrote to memory of 2964	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	33
PID 2720 wrote to memory of 2964	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	33
PID 2720 wrote to memory of 2964	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	33
PID 2720 wrote to memory of 2964	2720	JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe	33
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2964 wrote to memory of 2848	2964	windowupdates_02.exe	34
PID 2848 wrote to memory of 2936	2848	windowupdates_02.exe	35
PID 2848 wrote to memory of 2936	2848	windowupdates_02.exe	35
PID 2848 wrote to memory of 2936	2848	windowupdates_02.exe	35
PID 2848 wrote to memory of 2936	2848	windowupdates_02.exe	35
PID 2848 wrote to memory of 2936	2848	windowupdates_02.exe	35
PID 2848 wrote to memory of 2936	2848	windowupdates_02.exe	35
PID 2848 wrote to memory of 2936	2848	windowupdates_02.exe	35
PID 2848 wrote to memory of 3004	2848	windowupdates_02.exe	36
PID 2848 wrote to memory of 3004	2848	windowupdates_02.exe	36
PID 2848 wrote to memory of 3004	2848	windowupdates_02.exe	36
PID 2848 wrote to memory of 3004	2848	windowupdates_02.exe	36
PID 2848 wrote to memory of 3004	2848	windowupdates_02.exe	36
PID 2848 wrote to memory of 3004	2848	windowupdates_02.exe	36
PID 2848 wrote to memory of 3004	2848	windowupdates_02.exe	36
PID 2848 wrote to memory of 3024	2848	windowupdates_02.exe	37
PID 2848 wrote to memory of 3024	2848	windowupdates_02.exe	37
PID 2848 wrote to memory of 3024	2848	windowupdates_02.exe	37
PID 2848 wrote to memory of 3024	2848	windowupdates_02.exe	37
PID 2848 wrote to memory of 3024	2848	windowupdates_02.exe	37
PID 2848 wrote to memory of 3024	2848	windowupdates_02.exe	37
PID 2848 wrote to memory of 3024	2848	windowupdates_02.exe	37
PID 2848 wrote to memory of 2664	2848	windowupdates_02.exe	38
PID 2848 wrote to memory of 2664	2848	windowupdates_02.exe	38
PID 2848 wrote to memory of 2664	2848	windowupdates_02.exe	38
PID 2848 wrote to memory of 2664	2848	windowupdates_02.exe	38
PID 2848 wrote to memory of 2664	2848	windowupdates_02.exe	38
PID 2848 wrote to memory of 2664	2848	windowupdates_02.exe	38
PID 2848 wrote to memory of 2664	2848	windowupdates_02.exe	38
PID 2664 wrote to memory of 2684	2664	cmd.exe	43
PID 2664 wrote to memory of 2684	2664	cmd.exe	43
PID 2664 wrote to memory of 2684	2664	cmd.exe	43
PID 2664 wrote to memory of 2684	2664	cmd.exe	43
PID 2664 wrote to memory of 2684	2664	cmd.exe	43
PID 2664 wrote to memory of 2684	2664	cmd.exe	43
PID 2664 wrote to memory of 2684	2664	cmd.exe	43
PID 3004 wrote to memory of 2716	3004	cmd.exe	44
PID 3004 wrote to memory of 2716	3004	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56a3201e29e17e386a1e7102d44becd8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\przNl.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1084
- C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe
  "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe
    "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3024
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\przNl.bat

Filesize
167B

MD5
477c27332fc112e4f0cf76a5a09e64e1

SHA1
5a3b531dba82da553213b23ec3cd477730b4fa19

SHA256
2e7e2becf2dd46169bf1c3094e8551e2a8cc0a4401169e2ab4607ec93c630e89

SHA512
6dd0b686e0a5ec4fa88782583654f51b8a7a0c900a9bbb4ed7e4ca907e59fb657d2344350832f5c43969c481a811700d4e5beaf65189db2ab8bd8bdb301d3b15

Download Submit
C:\Users\Admin\AppData\Roaming\Window Updates\windowupdates_02.exe

Filesize
1.6MB

MD5
135c6466edfc5ca4ea2a7dd03c73e38a

SHA1
d52becc23827e7008f770fab3ae5ae98532d6306

SHA256
dea8332d4a109bb2e77ea487e0a35273614398940417cee75e0087c7a982211e

SHA512
ff87663fe4d36c973f22ffc0f8f9116d7a4b233aac675c21613dd63f6f14403a9db148af9eac922b7e41625c10f1e06852d812ee706392c70572ec5e8ae8cffb

Download Submit
memory/2848-46-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-55-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-59-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-49-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-63-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-65-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-66-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-68-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-69-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-73-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-74-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-76-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-79-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads