Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20250207-en
resource tags: arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
submitted: 07/03/2025, 18:15

Behavioral task: behavioral1
Sample: JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
Resource: win7-20250207-en
General

Target: JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
Size: 209KB
MD5: 58e9725fe8d6f89dfc81bf2163038eb4
SHA1: 8c9168027b7eab26b9b954278aa987e7ff0efa2c
SHA256: 48b33d6272e17be1144aaaf1e1ae8b4b79d3671dae9ef18e6b1e856a79d05ddb
SHA512: 2a2900f88c7868b689215511d362c3aa6464472b8877e7a6dcedfac2d77f2322f50f6c8da85bc18f57e7033b4565cfc89840bd36eac1e8579e1a2573473b13be
SSDEEP: 6144:O54VyoKfdUIP3LntKyoGTuT9Gbq7lm1T9h8DMtoS:xu3LnTUGocp9HoS
Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload 12 IoCs
Modifies firewall policy service 3 TTPs 8 IoCs
description / ioc / Process
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\DarkEye.exe = "C:\\Users\\Admin\\AppData\\Roaming\\DarkEye.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\MedicalProcess.exe = "C:\\Users\\Admin\\AppData\\Roaming\\MedicalProcess.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
Executes dropped EXE 3 IoCs
pid / Process
- 2664 MedicalProcess.exe
- 2296 MedicalProcess.exe
- 3012 MedicalProcess.exe
Loads dropped DLL 5 IoCs
pid / Process
- 1116 JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
- 1116 JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
- 1116 JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
- 1116 JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
- 1116 JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / Process
- Set value (str): \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\MedicalProcess = "C:\\Users\\Admin\\AppData\\Roaming\\MedicalProcess.exe" (reg.exe)
Suspicious use of SetThreadContext 3 IoCs
description / pid / Process / procid_target
- PID 1048 set thread context of 1116 (pid 1048, JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe, procid_target 30)
- PID 2664 set thread context of 2296 (pid 2664, MedicalProcess.exe, procid_target 35)
- PID 2664 set thread context of 3012 (pid 2664, MedicalProcess.exe, procid_target 36)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MedicalProcess.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MedicalProcess.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MedicalProcess.exe)
Modifies registry key 1 TTPs 4 IoCs
pid / Process
- 2064 reg.exe
- 2060 reg.exe
- 1608 reg.exe
- 536 reg.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 8 IoCs
pid / Process
- 1048 JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
- 1116 JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
- 2664 MedicalProcess.exe
- 2296 MedicalProcess.exe
- 3012 MedicalProcess.exe
- 3012 MedicalProcess.exe
- 3012 MedicalProcess.exe
- 3012 MedicalProcess.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1048

    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58e9725fe8d6f89dfc81bf2163038eb4.exe"
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1116

        C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\GTAJX.bat" "
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2160

            C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MedicalProcess" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MedicalProcess.exe" /f
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery
                PID: 2936

        C:\Users\Admin\AppData\Roaming\MedicalProcess.exe
            Command line: "C:\Users\Admin\AppData\Roaming\MedicalProcess.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2664

            C:\Users\Admin\AppData\Roaming\MedicalProcess.exe
                Command line: "C:\Users\Admin\AppData\Roaming\MedicalProcess.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                PID: 2296

            C:\Users\Admin\AppData\Roaming\MedicalProcess.exe
                Command line: "C:\Users\Admin\AppData\Roaming\MedicalProcess.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                PID: 3012

                C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory
                    PID: 2308

                    C:\Windows\SysWOW64\reg.exe
                        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                        - Modifies firewall policy service
                        - System Location Discovery: System Language Discovery
                        - Modifies registry key
                        PID: 2064

                C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MedicalProcess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MedicalProcess.exe:*:Enabled:Windows Messanger" /f
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory
                    PID: 1148

                    C:\Windows\SysWOW64\reg.exe
                        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MedicalProcess.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MedicalProcess.exe:*:Enabled:Windows Messanger" /f
                        - Modifies firewall policy service
                        - System Location Discovery: System Language Discovery
                        - Modifies registry key
                        PID: 2060

                C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                    - System Location Discovery: System Language Discovery
                    PID: 1936

                    C:\Windows\SysWOW64\reg.exe
                        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                        - Modifies firewall policy service
                        - System Location Discovery: System Language Discovery
                        - Modifies registry key
                        PID: 536

                C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye.exe:*:Enabled:Windows Messanger" /f
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory
                    PID: 1436

                    C:\Windows\SysWOW64\reg.exe
                        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye.exe:*:Enabled:Windows Messanger" /f
                        - Modifies firewall policy service
                        - System Location Discovery: System Language Discovery
                        - Modifies registry key
                        PID: 1608
Network

MITRE ATT&CK Enterprise v15

Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Impair Defenses (1)
        Disable or Modify System Firewall (1)
    Modify Registry (3)
Downloads

Filesize: 150B
MD5: 8b5ff1d72c34e1afce63042fc0bd1594
SHA1: eabf621e989b65a39070f513a83cef8c73c45dd2
SHA256: 2e9d9991be7446ce8da403b969106b3457e34aa3d5513f70225c9784456817ba
SHA512: 08911216cb2e5bfc05d5b98a64b454772c6b026dc1d7af28daa71b89ddd0febb232f2200ae87c42c425ddabd4252cf782805c651844f052cb7b1004da4e2ba47

Filesize: 209KB
MD5: acfa76240d40e7f926ec34e84d7ee5cb
SHA1: 0a1f498a67c2aac5256bb79fa9d70d71368f3ddc
SHA256: d18538e668a20f4ff3f1b0a83af74ba7dcd98e6fd69cb968b0c6aa2463c346db
SHA512: a7869cb69e2e5fb5cc6645335dc046ca135c1efb86fabd9bbce34544700e6a0539b4ab0c310fc8b9adbc99394186b111a1babdaa97f8c62de811d27533ea9c4b