blackshades | a4e4ac00d4ba53d06796e517e5153981ceb64f6c6cec9ea2498866d31967298f

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
Size

801KB
MD5

6453b926503f0a47ace96ee12c18bc33
SHA1

37cee84fa9803f42ccd049063959570adaa425ba
SHA256

a4e4ac00d4ba53d06796e517e5153981ceb64f6c6cec9ea2498866d31967298f
SHA512

b0c31b05d59dccf9ec4ad7154f1b6e1c381e3d80ea1ce80c1d795ac7d08b2857fda30a1e984d8a79859b70437729ecf14d8a5c76c76babca3c5f2ebc199d21d6
SSDEEP

12288:QwGTnyOtnxv6S4mtDuPa97JnEFEmR3PyiYg6cDL1WtThAVARl6t2YeHFvk3+f:DsyS6xcsEli8iz9uhDknOR

Score

10^/10

blackshades latentbot credential_access defense_evasion discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

latentbot

softwaredev.zapto.org

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 12 IoCs

resource	yara_rule
behavioral1/memory/2576-64-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-61-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-76-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-77-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-79-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-80-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-81-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-83-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-85-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-89-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-92-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral1/memory/2576-93-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchoster.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	Firefox Speed Booster V 4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe"	Firefox Speed Booster V 4.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}	Firefox Speed Booster V 4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe"	Firefox Speed Booster V 4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}	Firefox Speed Booster V 4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe"	Firefox Speed Booster V 4.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe	Firefox Speed Booster V 4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe	Firefox Speed Booster V 4.exe

Executes dropped EXE 4 IoCs

pid	Process
2908	Firefox Speed Booster V 4.exe
2788	SVCH0ST.exe
2288	SVCH0ST.exe
2576	Firefox Speed Booster V 4.exe

Loads dropped DLL 22 IoCs

pid	Process
1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
2908	Firefox Speed Booster V 4.exe
2908	Firefox Speed Booster V 4.exe
2908	Firefox Speed Booster V 4.exe
2788	SVCH0ST.exe
2788	SVCH0ST.exe
2788	SVCH0ST.exe
2788	SVCH0ST.exe
2288	SVCH0ST.exe
2288	SVCH0ST.exe
2288	SVCH0ST.exe
2908	Firefox Speed Booster V 4.exe
2908	Firefox Speed Booster V 4.exe
2908	Firefox Speed Booster V 4.exe
2908	Firefox Speed Booster V 4.exe
2908	Firefox Speed Booster V 4.exe
2576	Firefox Speed Booster V 4.exe
2576	Firefox Speed Booster V 4.exe
2576	Firefox Speed Booster V 4.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe"	Firefox Speed Booster V 4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe"	Firefox Speed Booster V 4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2288	2788	SVCH0ST.exe	30
PID 2908 set thread context of 2576	2908	Firefox Speed Booster V 4.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCH0ST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox Speed Booster V 4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox Speed Booster V 4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCH0ST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2436	reg.exe
2432	reg.exe
2452	reg.exe
2468	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2576	Firefox Speed Booster V 4.exe
Token: SeCreateTokenPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeAssignPrimaryTokenPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeLockMemoryPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeIncreaseQuotaPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeMachineAccountPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeTcbPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeSecurityPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeTakeOwnershipPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeLoadDriverPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeSystemProfilePrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeSystemtimePrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeProfSingleProcessPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeIncBasePriorityPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeCreatePagefilePrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeCreatePermanentPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeBackupPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeRestorePrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeShutdownPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeDebugPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeAuditPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeSystemEnvironmentPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeChangeNotifyPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeRemoteShutdownPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeUndockPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeSyncAgentPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeEnableDelegationPrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeManageVolumePrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeImpersonatePrivilege	2576	Firefox Speed Booster V 4.exe
Token: SeCreateGlobalPrivilege	2576	Firefox Speed Booster V 4.exe
Token: 31	2576	Firefox Speed Booster V 4.exe
Token: 32	2576	Firefox Speed Booster V 4.exe
Token: 33	2576	Firefox Speed Booster V 4.exe
Token: 34	2576	Firefox Speed Booster V 4.exe
Token: 35	2576	Firefox Speed Booster V 4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2788	SVCH0ST.exe
2576	Firefox Speed Booster V 4.exe
2576	Firefox Speed Booster V 4.exe
2576	Firefox Speed Booster V 4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2908	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	28
PID 1820 wrote to memory of 2908	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	28
PID 1820 wrote to memory of 2908	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	28
PID 1820 wrote to memory of 2908	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	28
PID 1820 wrote to memory of 2908	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	28
PID 1820 wrote to memory of 2908	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	28
PID 1820 wrote to memory of 2908	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	28
PID 1820 wrote to memory of 2788	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	29
PID 1820 wrote to memory of 2788	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	29
PID 1820 wrote to memory of 2788	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	29
PID 1820 wrote to memory of 2788	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	29
PID 1820 wrote to memory of 2788	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	29
PID 1820 wrote to memory of 2788	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	29
PID 1820 wrote to memory of 2788	1820	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	29
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2788 wrote to memory of 2288	2788	SVCH0ST.exe	30
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2908 wrote to memory of 2576	2908	Firefox Speed Booster V 4.exe	31
PID 2576 wrote to memory of 2704	2576	Firefox Speed Booster V 4.exe	32
PID 2576 wrote to memory of 2704	2576	Firefox Speed Booster V 4.exe	32
PID 2576 wrote to memory of 2704	2576	Firefox Speed Booster V 4.exe	32
PID 2576 wrote to memory of 2704	2576	Firefox Speed Booster V 4.exe	32
PID 2576 wrote to memory of 2704	2576	Firefox Speed Booster V 4.exe	32
PID 2576 wrote to memory of 2704	2576	Firefox Speed Booster V 4.exe	32
PID 2576 wrote to memory of 2704	2576	Firefox Speed Booster V 4.exe	32
PID 2576 wrote to memory of 2596	2576	Firefox Speed Booster V 4.exe	33
PID 2576 wrote to memory of 2596	2576	Firefox Speed Booster V 4.exe	33
PID 2576 wrote to memory of 2596	2576	Firefox Speed Booster V 4.exe	33
PID 2576 wrote to memory of 2596	2576	Firefox Speed Booster V 4.exe	33
PID 2576 wrote to memory of 2596	2576	Firefox Speed Booster V 4.exe	33
PID 2576 wrote to memory of 2596	2576	Firefox Speed Booster V 4.exe	33
PID 2576 wrote to memory of 2596	2576	Firefox Speed Booster V 4.exe	33
PID 2576 wrote to memory of 2652	2576	Firefox Speed Booster V 4.exe	35
PID 2576 wrote to memory of 2652	2576	Firefox Speed Booster V 4.exe	35
PID 2576 wrote to memory of 2652	2576	Firefox Speed Booster V 4.exe	35
PID 2576 wrote to memory of 2652	2576	Firefox Speed Booster V 4.exe	35
PID 2576 wrote to memory of 2652	2576	Firefox Speed Booster V 4.exe	35
PID 2576 wrote to memory of 2652	2576	Firefox Speed Booster V 4.exe	35
PID 2576 wrote to memory of 2652	2576	Firefox Speed Booster V 4.exe	35
PID 2576 wrote to memory of 2752	2576	Firefox Speed Booster V 4.exe	37
PID 2576 wrote to memory of 2752	2576	Firefox Speed Booster V 4.exe	37
PID 2576 wrote to memory of 2752	2576	Firefox Speed Booster V 4.exe	37
PID 2576 wrote to memory of 2752	2576	Firefox Speed Booster V 4.exe	37
PID 2576 wrote to memory of 2752	2576	Firefox Speed Booster V 4.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
  "C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
    "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2596
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2432
- C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
  "C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
    C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\license.dll

Filesize
13KB

MD5
b5afa963a369efefb8f905594bafa2df

SHA1
18a2375501100007a067944f6c2f494fd085528e

SHA256
58fb10a17191f36961266e5a0153e81219f6c99b464b3998e8e75d636151ae95

SHA512
7ac1c5c9c9a66dff9a43aa055288a7ec8deec1c7e2b74a18a7e2509409df4094b0bf6d789bca59fd2ef3045cb768d1d9979779dcf68a91332ec1cf9c6bf118de

Download Submit
\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe

Filesize
532KB

MD5
a1fbc2ee381a4981c973ad8efd275e92

SHA1
ddc036889893267d8917facc48b1e3eea380f6f0

SHA256
2b361e099e0af9eed2f67973873a189c290b1f32984dc2f560d277b8e1c87a72

SHA512
b4482c7984c5676618db162accfcd507752c1463fdb40259056e14a17bb8b05cc99763b37004f6dd12d1c5e3deb00c323e6f76703d6fe47655636979e809c277

Download Submit
\Users\Admin\AppData\Local\Temp\SVCH0ST.exe

Filesize
444KB

MD5
cc3f40aaa43594aa6bdeb476e1e734c6

SHA1
e2268857d09aa6179f6bc50579c616f34d912545

SHA256
622997cc3aa13d63bb0a01a50082f36753d86e96b0af2b3ad78de9d46f33ffdd

SHA512
0fc5a0c3288086ffecc8149eb3bfcd585fc3cb43814df9379e738cf1d0d1ff660dfc8b1db32c7a8c62e38f5b59d4d9ed7c22e9473b19919c5c26b6c696264b77

Download Submit
\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe

Filesize
16KB

MD5
02172c9f873de4309101c7b0aa635bb7

SHA1
fc33532d22494d1c5e841961e21dd3fcac6154cf

SHA256
cfba657e65e098fc8c5c23a260b3d1f9d0769c255b03531b7aa34a2845153a13

SHA512
bfa7fb080abb825d2cdbff2d7a7ba30f21ff20c81f30e902f826b00a63f2fe1b02f6eb77c6db8487dd31140540fcdae46ce32d6314586d68c58df787f5d6e754

Download Submit
memory/2288-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2288-29-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2288-31-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2288-39-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2576-57-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-79-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-61-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-76-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-77-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-59-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-80-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-81-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-83-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-85-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-89-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-92-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-93-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads