blackshades | c7977100fc1646569fd6950823df204803bc2cba5c99f650fb2c24a45b6b2c87

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5cd14011db57669c8b833053723afcef.exe
Size

413KB
MD5

5cd14011db57669c8b833053723afcef
SHA1

f30309a0d9ea75fe5158c8c8a5d8f9c8cc02a3e5
SHA256

c7977100fc1646569fd6950823df204803bc2cba5c99f650fb2c24a45b6b2c87
SHA512

e249e98a59d03993847880c4841760e6a5776cd3b715533510d0a881c7c4ea46e009507fc0eaf81590171886c3d8df61ab5d79bfee54b26c02c08f05d8b783f3
SSDEEP

6144:jKyeinX6ZtSlXiVBI69xeD0JGeOvQt4I8QlcqZ7DK6mXiHZuulCk5BFVBmcabe:ainGtzVBVcYJYIt4f6HK6mud5BRNabe

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 13 IoCs

resource	yara_rule
behavioral1/memory/2936-24-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-17-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-14-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-60-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-61-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-63-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-65-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-66-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-67-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-69-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-71-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-74-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2936-77-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\DC.exe = "C:\\Users\\Admin\\AppData\\Roaming\\DC.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\updater\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\updater\\winlogon.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2684	winlogon.exe
2936	winlogon.exe

Loads dropped DLL 3 IoCs

pid	Process
1840	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe
1840	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe
2684	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\updater\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\updater\\winlogon.exe"	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 2936	2684	winlogon.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1620	reg.exe
2772	reg.exe
1712	reg.exe
536	reg.exe

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	winlogon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	2936	winlogon.exe
Token: SeCreateTokenPrivilege	2936	winlogon.exe
Token: SeAssignPrimaryTokenPrivilege	2936	winlogon.exe
Token: SeLockMemoryPrivilege	2936	winlogon.exe
Token: SeIncreaseQuotaPrivilege	2936	winlogon.exe
Token: SeMachineAccountPrivilege	2936	winlogon.exe
Token: SeTcbPrivilege	2936	winlogon.exe
Token: SeSecurityPrivilege	2936	winlogon.exe
Token: SeTakeOwnershipPrivilege	2936	winlogon.exe
Token: SeLoadDriverPrivilege	2936	winlogon.exe
Token: SeSystemProfilePrivilege	2936	winlogon.exe
Token: SeSystemtimePrivilege	2936	winlogon.exe
Token: SeProfSingleProcessPrivilege	2936	winlogon.exe
Token: SeIncBasePriorityPrivilege	2936	winlogon.exe
Token: SeCreatePagefilePrivilege	2936	winlogon.exe
Token: SeCreatePermanentPrivilege	2936	winlogon.exe
Token: SeBackupPrivilege	2936	winlogon.exe
Token: SeRestorePrivilege	2936	winlogon.exe
Token: SeShutdownPrivilege	2936	winlogon.exe
Token: SeDebugPrivilege	2936	winlogon.exe
Token: SeAuditPrivilege	2936	winlogon.exe
Token: SeSystemEnvironmentPrivilege	2936	winlogon.exe
Token: SeChangeNotifyPrivilege	2936	winlogon.exe
Token: SeRemoteShutdownPrivilege	2936	winlogon.exe
Token: SeUndockPrivilege	2936	winlogon.exe
Token: SeSyncAgentPrivilege	2936	winlogon.exe
Token: SeEnableDelegationPrivilege	2936	winlogon.exe
Token: SeManageVolumePrivilege	2936	winlogon.exe
Token: SeImpersonatePrivilege	2936	winlogon.exe
Token: SeCreateGlobalPrivilege	2936	winlogon.exe
Token: 31	2936	winlogon.exe
Token: 32	2936	winlogon.exe
Token: 33	2936	winlogon.exe
Token: 34	2936	winlogon.exe
Token: 35	2936	winlogon.exe
Token: SeDebugPrivilege	2936	winlogon.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2936	winlogon.exe
2936	winlogon.exe
2936	winlogon.exe
2936	winlogon.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2684	1840	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe	31
PID 1840 wrote to memory of 2684	1840	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe	31
PID 1840 wrote to memory of 2684	1840	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe	31
PID 1840 wrote to memory of 2684	1840	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe	31
PID 2684 wrote to memory of 2936	2684	winlogon.exe	32
PID 2684 wrote to memory of 2936	2684	winlogon.exe	32
PID 2684 wrote to memory of 2936	2684	winlogon.exe	32
PID 2684 wrote to memory of 2936	2684	winlogon.exe	32
PID 2684 wrote to memory of 2936	2684	winlogon.exe	32
PID 2684 wrote to memory of 2936	2684	winlogon.exe	32
PID 2684 wrote to memory of 2936	2684	winlogon.exe	32
PID 2684 wrote to memory of 2936	2684	winlogon.exe	32
PID 2936 wrote to memory of 2712	2936	winlogon.exe	33
PID 2936 wrote to memory of 2712	2936	winlogon.exe	33
PID 2936 wrote to memory of 2712	2936	winlogon.exe	33
PID 2936 wrote to memory of 2712	2936	winlogon.exe	33
PID 2936 wrote to memory of 2688	2936	winlogon.exe	34
PID 2936 wrote to memory of 2688	2936	winlogon.exe	34
PID 2936 wrote to memory of 2688	2936	winlogon.exe	34
PID 2936 wrote to memory of 2688	2936	winlogon.exe	34
PID 2936 wrote to memory of 2928	2936	winlogon.exe	35
PID 2936 wrote to memory of 2928	2936	winlogon.exe	35
PID 2936 wrote to memory of 2928	2936	winlogon.exe	35
PID 2936 wrote to memory of 2928	2936	winlogon.exe	35
PID 2936 wrote to memory of 2576	2936	winlogon.exe	36
PID 2936 wrote to memory of 2576	2936	winlogon.exe	36
PID 2936 wrote to memory of 2576	2936	winlogon.exe	36
PID 2936 wrote to memory of 2576	2936	winlogon.exe	36
PID 2928 wrote to memory of 1712	2928	cmd.exe	42
PID 2928 wrote to memory of 1712	2928	cmd.exe	42
PID 2928 wrote to memory of 1712	2928	cmd.exe	42
PID 2928 wrote to memory of 1712	2928	cmd.exe	42
PID 2712 wrote to memory of 1620	2712	cmd.exe	44
PID 2712 wrote to memory of 1620	2712	cmd.exe	44
PID 2712 wrote to memory of 1620	2712	cmd.exe	44
PID 2712 wrote to memory of 1620	2712	cmd.exe	44
PID 2576 wrote to memory of 2772	2576	cmd.exe	43
PID 2576 wrote to memory of 2772	2576	cmd.exe	43
PID 2576 wrote to memory of 2772	2576	cmd.exe	43
PID 2576 wrote to memory of 2772	2576	cmd.exe	43
PID 2688 wrote to memory of 536	2688	cmd.exe	41
PID 2688 wrote to memory of 536	2688	cmd.exe	41
PID 2688 wrote to memory of 536	2688	cmd.exe	41
PID 2688 wrote to memory of 536	2688	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cd14011db57669c8b833053723afcef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cd14011db57669c8b833053723afcef.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Roaming\updater\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Roaming\updater\winlogon.exe
    "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:536
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DC.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DC.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DC.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DC.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
7d49674809fd6e5271c6ec98c603db1b

SHA1
a7c57d863604a401c50eae29eb47ed20fef47508

SHA256
0a8f407be70086beb8d204f6a8956b1124389061b026fda2bbe46f07ebf59718

SHA512
d797b54229642a649959f98ffd7f7980ebd41e869315a3ebb7f1d63d025e9b5c778da8b44eba862ac1e3b6146d51fce0753c1010203c4b552d8d5fb260488696

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
471B

MD5
0afd98661714825565c9f4b8761bbc90

SHA1
719b65f48ef6000cd2ce0eadfdb2e4e2efda5849

SHA256
add230e06c3f2370014cc5e641d331780369ccf4e33dbe21afb15d62c3096046

SHA512
1383858194afb361a28cd976d58ef4ac71aeddef0d67c40e8a66b3b8834479024be26469350aba149d3b35e44a1d059a8a78a02b6a4e3c80fc43163e9aca68f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25d4ba8e6f200b074c69d69ff100e6d4

SHA1
df591a1522832dfc4ee891d95d2ef6f13d39e69b

SHA256
05b844ee40a39aae8233ade9b5bba2cfaa7ecf2c04ce1c52dc90d122bdabfe9d

SHA512
af9a3b1bb5da9be219bb142d9acfc47cfa1f98e04fb0c853d9fdff3269c48bd41e20853490ba1be4e28f44d191830f9beaf069fff698667777e860bbf0a633f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
617e5ec61edebd93819930f82e601ae2

SHA1
6f8cbe744189fc62514094ad2a461ba077767498

SHA256
8fab334c6181603b2ef120e66ff6ad21bb6377157f5418878d63daa775dd113d

SHA512
467828c7257486b00e00bed9a9df0849ae21b50123ac938bb8a1b099a3137f1a44174d10957c3032aabafe764ce1efbfe4cd16a0ae33caa88292fd7f3ed1b344

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
408B

MD5
5849dfd8b769fdb9375a8bc15904f33f

SHA1
96d3ffe414ad634114fe90e9cbde3b18aea6748e

SHA256
a10e02e323015e0b260844dbe4133a9702ab866c89c65029d16b6d97ec79d59d

SHA512
a78db95476739f345927b9d9f08f46fc412b5ed2710fd84a6b6d1ba1f9d8ef5d013c7ea950beb146c4678801b16081e0d7dd9a24721d690af03118574b0081fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEC52.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
\Users\Admin\AppData\Roaming\updater\winlogon.exe

Filesize
413KB

MD5
5cd14011db57669c8b833053723afcef

SHA1
f30309a0d9ea75fe5158c8c8a5d8f9c8cc02a3e5

SHA256
c7977100fc1646569fd6950823df204803bc2cba5c99f650fb2c24a45b6b2c87

SHA512
e249e98a59d03993847880c4841760e6a5776cd3b715533510d0a881c7c4ea46e009507fc0eaf81590171886c3d8df61ab5d79bfee54b26c02c08f05d8b783f3

Download Submit
memory/2936-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-63-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-66-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-69-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-71-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2936-77-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads