blackshades | 613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe
Size

520KB
MD5

7873dd049d1c1c0874ae0620c9c349ac
SHA1

d6f5c82edec0a82dc8c9db9ccd5d81c7fbcecabd
SHA256

613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69
SHA512

e1c953cfdfbb59bfe3f0e4a018bdc01d585ca7ff485547fd6537fa80c4fcaa4be65fd82173e16ec0dac461efe73c396ad6e0c74d6f2bad8b4f147b8d3fefd191
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXJ:zW6ncoyqOp6IsTl/mXJ

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 12 IoCs

resource	yara_rule
behavioral1/memory/1640-149-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-154-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-156-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-158-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-159-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-161-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-162-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-165-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-166-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-167-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-170-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1640-171-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKXTCWYMQWCDAJB\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 6 IoCs

pid	Process
2676	service.exe
2168	service.exe
2756	service.exe
524	service.exe
832	service.exe
1640	service.exe

Loads dropped DLL 11 IoCs

pid	Process
1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe
1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe
2676	service.exe
2676	service.exe
2168	service.exe
2168	service.exe
2756	service.exe
2756	service.exe
524	service.exe
524	service.exe
832	service.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\JKHPBIMADOQLJMB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXJJCWBDUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGVTJTNLODJWWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJEDFVIPKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKXTCWYMQWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGJYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFKYA\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
908	reg.exe
2088	reg.exe
2360	reg.exe
1908	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1640	service.exe
Token: SeCreateTokenPrivilege	1640	service.exe
Token: SeAssignPrimaryTokenPrivilege	1640	service.exe
Token: SeLockMemoryPrivilege	1640	service.exe
Token: SeIncreaseQuotaPrivilege	1640	service.exe
Token: SeMachineAccountPrivilege	1640	service.exe
Token: SeTcbPrivilege	1640	service.exe
Token: SeSecurityPrivilege	1640	service.exe
Token: SeTakeOwnershipPrivilege	1640	service.exe
Token: SeLoadDriverPrivilege	1640	service.exe
Token: SeSystemProfilePrivilege	1640	service.exe
Token: SeSystemtimePrivilege	1640	service.exe
Token: SeProfSingleProcessPrivilege	1640	service.exe
Token: SeIncBasePriorityPrivilege	1640	service.exe
Token: SeCreatePagefilePrivilege	1640	service.exe
Token: SeCreatePermanentPrivilege	1640	service.exe
Token: SeBackupPrivilege	1640	service.exe
Token: SeRestorePrivilege	1640	service.exe
Token: SeShutdownPrivilege	1640	service.exe
Token: SeDebugPrivilege	1640	service.exe
Token: SeAuditPrivilege	1640	service.exe
Token: SeSystemEnvironmentPrivilege	1640	service.exe
Token: SeChangeNotifyPrivilege	1640	service.exe
Token: SeRemoteShutdownPrivilege	1640	service.exe
Token: SeUndockPrivilege	1640	service.exe
Token: SeSyncAgentPrivilege	1640	service.exe
Token: SeEnableDelegationPrivilege	1640	service.exe
Token: SeManageVolumePrivilege	1640	service.exe
Token: SeImpersonatePrivilege	1640	service.exe
Token: SeCreateGlobalPrivilege	1640	service.exe
Token: 31	1640	service.exe
Token: 32	1640	service.exe
Token: 33	1640	service.exe
Token: 34	1640	service.exe
Token: 35	1640	service.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe
2676	service.exe
2168	service.exe
2756	service.exe
524	service.exe
832	service.exe
1640	service.exe
1640	service.exe
1640	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2448	1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	31
PID 1488 wrote to memory of 2448	1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	31
PID 1488 wrote to memory of 2448	1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	31
PID 1488 wrote to memory of 2448	1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	31
PID 2448 wrote to memory of 2908	2448	cmd.exe	33
PID 2448 wrote to memory of 2908	2448	cmd.exe	33
PID 2448 wrote to memory of 2908	2448	cmd.exe	33
PID 2448 wrote to memory of 2908	2448	cmd.exe	33
PID 1488 wrote to memory of 2676	1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	34
PID 1488 wrote to memory of 2676	1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	34
PID 1488 wrote to memory of 2676	1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	34
PID 1488 wrote to memory of 2676	1488	613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe	34
PID 2676 wrote to memory of 2692	2676	service.exe	35
PID 2676 wrote to memory of 2692	2676	service.exe	35
PID 2676 wrote to memory of 2692	2676	service.exe	35
PID 2676 wrote to memory of 2692	2676	service.exe	35
PID 2692 wrote to memory of 2556	2692	cmd.exe	37
PID 2692 wrote to memory of 2556	2692	cmd.exe	37
PID 2692 wrote to memory of 2556	2692	cmd.exe	37
PID 2692 wrote to memory of 2556	2692	cmd.exe	37
PID 2676 wrote to memory of 2168	2676	service.exe	38
PID 2676 wrote to memory of 2168	2676	service.exe	38
PID 2676 wrote to memory of 2168	2676	service.exe	38
PID 2676 wrote to memory of 2168	2676	service.exe	38
PID 2168 wrote to memory of 2216	2168	service.exe	39
PID 2168 wrote to memory of 2216	2168	service.exe	39
PID 2168 wrote to memory of 2216	2168	service.exe	39
PID 2168 wrote to memory of 2216	2168	service.exe	39
PID 2216 wrote to memory of 900	2216	cmd.exe	41
PID 2216 wrote to memory of 900	2216	cmd.exe	41
PID 2216 wrote to memory of 900	2216	cmd.exe	41
PID 2216 wrote to memory of 900	2216	cmd.exe	41
PID 2168 wrote to memory of 2756	2168	service.exe	42
PID 2168 wrote to memory of 2756	2168	service.exe	42
PID 2168 wrote to memory of 2756	2168	service.exe	42
PID 2168 wrote to memory of 2756	2168	service.exe	42
PID 2756 wrote to memory of 2028	2756	service.exe	43
PID 2756 wrote to memory of 2028	2756	service.exe	43
PID 2756 wrote to memory of 2028	2756	service.exe	43
PID 2756 wrote to memory of 2028	2756	service.exe	43
PID 2028 wrote to memory of 1496	2028	cmd.exe	45
PID 2028 wrote to memory of 1496	2028	cmd.exe	45
PID 2028 wrote to memory of 1496	2028	cmd.exe	45
PID 2028 wrote to memory of 1496	2028	cmd.exe	45
PID 2756 wrote to memory of 524	2756	service.exe	46
PID 2756 wrote to memory of 524	2756	service.exe	46
PID 2756 wrote to memory of 524	2756	service.exe	46
PID 2756 wrote to memory of 524	2756	service.exe	46
PID 524 wrote to memory of 2036	524	service.exe	47
PID 524 wrote to memory of 2036	524	service.exe	47
PID 524 wrote to memory of 2036	524	service.exe	47
PID 524 wrote to memory of 2036	524	service.exe	47
PID 2036 wrote to memory of 1452	2036	cmd.exe	49
PID 2036 wrote to memory of 1452	2036	cmd.exe	49
PID 2036 wrote to memory of 1452	2036	cmd.exe	49
PID 2036 wrote to memory of 1452	2036	cmd.exe	49
PID 524 wrote to memory of 832	524	service.exe	50
PID 524 wrote to memory of 832	524	service.exe	50
PID 524 wrote to memory of 832	524	service.exe	50
PID 524 wrote to memory of 832	524	service.exe	50
PID 832 wrote to memory of 1640	832	service.exe	51
PID 832 wrote to memory of 1640	832	service.exe	51
PID 832 wrote to memory of 1640	832	service.exe	51
PID 832 wrote to memory of 1640	832	service.exe	51

C:\Users\Admin\AppData\Local\Temp\613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe
"C:\Users\Admin\AppData\Local\Temp\613b3efe750ab6bd8eeb9619a1c7a85ab0e38bb9fc713c6a3ea6a8d9c2552c69.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUR.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGJYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2908
- C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe
  "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempPWFRV.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JKHPBIMADOQLJMB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2556
- - C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe
    "C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXEN\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:900
  - - C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXEN\service.exe
      "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXEN\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1496
    - - C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJEDFVIPKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1452
      - C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        9⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe:*:Enabled:Windows Messanger" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe:*:Enabled:Windows Messanger" /f
        9⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        9⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        9⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempGBHVD.bat

Filesize
163B

MD5
0b73c94a3058589508a0c33b295217da

SHA1
f49c4f3994d8e3e512a21e05c3a9d8b96eb05f55

SHA256
8c55f8b82a4f626da7f7320314cb4142041fd49647c293528846b8468238e212

SHA512
960dec49506592614c72bbf1b58c7ad3273a8a6e2b0a70d55733b8088f119da89a8d3ed4597edb6ccefd34c676fb1c752dec9450a6bde5667b37bdf21c0312b2

Download Submit
C:\Users\Admin\AppData\Local\TempPWFRV.bat

Filesize
163B

MD5
ccb32ade776d7f44c829a69d3139c156

SHA1
533f7796a15e947509c5cbb47ac2e93d4893ffb9

SHA256
dbc310647945e0bb731424ac021dde7c41cb230e0104e7bf5de6dbff59327491

SHA512
6ef0a71be6ce3de926c7e75cce0ee7be529f17b1c4d9ab91672287f440cee52508cb6416ba4a6fb8478b45c9f74f88ca652884977667cd816a63ab4880cde3ac

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.bat

Filesize
163B

MD5
553bef3381654ce8d6afdd841befeff7

SHA1
684eb6c54b3cf697860d781e42f49e172d0ba589

SHA256
651fa337db94e08aee6ad768a72f0013798d0727aaff3d88e50ed99fa5ba1813

SHA512
ed873df1f2d15117b19d2b3d8546fc8b62705e27838fa48cd59ccf1d0676f80eb66cf1211bc9c45b1ea2a0555acb65ae98aa50cb1b14fc6abe275702217d694b

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.bat

Filesize
163B

MD5
0647c0775adaa0704debc6c0b6ac45f4

SHA1
050ff29dd77aa083c46dd86fb05df485c1daaa42

SHA256
561ce18c8ec9ad38936b2b012c86738ee24eaafda9924245e3efe5df97f67cb5

SHA512
583bedbdb63db27c2f6bea56e49e3f6c68e3b7f7d2a60ef54eaba0417984faf2475bcbe15eaece31afa5aa3240441b7d66c66455dc09b5842f2003b58b7bcd28

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUR.bat

Filesize
163B

MD5
de6e22235b535f4d4d94d9889dcf899d

SHA1
b091e51e9c7241bfb31d227e5a5568f045214b27

SHA256
f5bce3dd9e23602de01f400aebc55199435707e5c1e1ed7b6f715945a2466ec1

SHA512
07e1d003b6c3c78ef1c4146e4bf885c46392a51f6044eccf1dbb4f14f40ff8343155cda1144fe25b595e0be5047f969c6c27fa0d45a17027671dd29bac84836c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe

Filesize
520KB

MD5
7b8552a3ddbecac2e649abbf6b50dbc8

SHA1
5fb8ed0fe24deb258c476d4fca32bc9a377da71e

SHA256
570187b3908fc8542e5e50ad52204804f1165690939914055a36dbfb94cb856d

SHA512
f8b2a9b2444e8eaa5e420c12ccdf6f78143bf9dbf1796284dc6a082839ee077c72e681d5ef697bb774b5e5935af34c43898561c318a9265181a8d0062bcc336b

Download Submit
\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe

Filesize
520KB

MD5
93d9872985c5d7f2d847791996348bf8

SHA1
2fd6227c487b96c4208a87749c96ac5427af8d25

SHA256
e805912fa1a094e5ffd757b38e25ef1eae8b34f39939c34db28caed03aefd109

SHA512
bfe80d0f34b2bec9313e0a32e9edacaf4b89eafa481e5170608b385be2d44d5bb80849a89095bf8494c7c61a6a8574861c637728e2228da777b3af9b87278f5e

Download Submit
\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXEN\service.exe

Filesize
520KB

MD5
ce3124513d1900d740765510b9d408ba

SHA1
d27d08ce8e551512b5e03d7e5cf3db928055608e

SHA256
f29342e46707855caedb0b723e8fa9211961b7f2014ce876cd891c4d70b83789

SHA512
c522761e8f40d3ba1c8434d2ac23c0ee2cc8168265073bec93efe2be22bd5f5d84963406eb2f480b4a2541e477467ef420572ee9006b72952402fa9f382f929c

Download Submit
\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.exe

Filesize
520KB

MD5
3a4d728cc2e546eadda2fd8756e1f720

SHA1
6a9132524689857ec4cba9f380c434b0994ec502

SHA256
76ed64d703d2da031eb2640b9f1f29768fe9ee7945eb9722bea049634b85f7ee

SHA512
b01dd2c1dd6258e177e35cad89af4ff62268900a4660bb0505f9c6c8c321616f673f4ab28ab13ac04999ab48828aba19eab0c1c7d2b1ac05bb7ea0f3e8780853

Download Submit
\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe

Filesize
520KB

MD5
ff1c8f682ab42aa525f538d7d74b5972

SHA1
b93f754450595a28e001f64a5c5e0f51800b5372

SHA256
cf79476fc123073908eaed5081d6bdb4866f178a8a2d0d0ca6a845479a6f60e0

SHA512
89876e61ef9704d95128a9b4888248b6dc5faaaab5dcdfc55371207168481a1a97f9142a2ba07cf29777b1048871808571eec99054386cdd8d989bf18a63fc1c

Download Submit
memory/1640-149-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-154-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-156-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-158-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-159-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-161-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-162-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-165-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-166-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-167-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-170-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1640-171-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads