blackshades | 407e18e6787da05679a918c9ae48d6358054a7e27c62d36dde7e5a798335d48d

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe
Size

272KB
MD5

65e4bc9f33a8b382c02d34bf69f15e9f
SHA1

4e16d4ba45ead14c26eb6880b32ccd43cf6d2481
SHA256

407e18e6787da05679a918c9ae48d6358054a7e27c62d36dde7e5a798335d48d
SHA512

e5435e389003dc50a829ddb099e8070506780a3a7e7909f3fc94ea5aa8ac8c8c8b2710ffbc9701726842f0738cbf773ea39e6a27b184f19d7da890b1d244fc45
SSDEEP

6144:zW////q5kqfDWOTQeBVlc363RR/X32SJ0zxVhZ/Jn6XZPp:zW////q5faO9PlhhR/21rhZ/JYZPp

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 16 IoCs

resource	yara_rule
behavioral1/memory/2840-40-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-36-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-47-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-48-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-50-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-51-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-52-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-54-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-55-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-56-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-57-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-59-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-60-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-62-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-63-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades
behavioral1/memory/2840-64-0x0000000000400000-0x000000000047B000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\B0Z41YQFLX.exe = "C:\\Users\\Admin\\AppData\\Roaming\\B0Z41YQFLX.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\B0Z41YQFLX.exe"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Active Setup\Installed Components\{DCCEFEA5-E3EA-CD5D-F1B7-99DCEBDC59FC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\B0Z41YQFLX.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCCEFEA5-E3EA-CD5D-F1B7-99DCEBDC59FC}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCCEFEA5-E3EA-CD5D-F1B7-99DCEBDC59FC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\B0Z41YQFLX.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DCCEFEA5-E3EA-CD5D-F1B7-99DCEBDC59FC}	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
816	URamKV.exe
2840	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe
2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe
2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javaw.exe"	URamKV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\B0Z41YQFLX.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\B0Z41YQFLX.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 2840	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	34

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2840-33-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-40-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-36-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-35-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-30-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-28-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-47-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-48-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-50-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-51-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-52-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-54-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-55-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-56-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-57-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-59-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-60-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-62-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-63-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2840-64-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	URamKV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2648	reg.exe
2180	reg.exe
340	reg.exe
2104	reg.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe
Token: 1	2840	svchost.exe
Token: SeCreateTokenPrivilege	2840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2840	svchost.exe
Token: SeLockMemoryPrivilege	2840	svchost.exe
Token: SeIncreaseQuotaPrivilege	2840	svchost.exe
Token: SeMachineAccountPrivilege	2840	svchost.exe
Token: SeTcbPrivilege	2840	svchost.exe
Token: SeSecurityPrivilege	2840	svchost.exe
Token: SeTakeOwnershipPrivilege	2840	svchost.exe
Token: SeLoadDriverPrivilege	2840	svchost.exe
Token: SeSystemProfilePrivilege	2840	svchost.exe
Token: SeSystemtimePrivilege	2840	svchost.exe
Token: SeProfSingleProcessPrivilege	2840	svchost.exe
Token: SeIncBasePriorityPrivilege	2840	svchost.exe
Token: SeCreatePagefilePrivilege	2840	svchost.exe
Token: SeCreatePermanentPrivilege	2840	svchost.exe
Token: SeBackupPrivilege	2840	svchost.exe
Token: SeRestorePrivilege	2840	svchost.exe
Token: SeShutdownPrivilege	2840	svchost.exe
Token: SeDebugPrivilege	2840	svchost.exe
Token: SeAuditPrivilege	2840	svchost.exe
Token: SeSystemEnvironmentPrivilege	2840	svchost.exe
Token: SeChangeNotifyPrivilege	2840	svchost.exe
Token: SeRemoteShutdownPrivilege	2840	svchost.exe
Token: SeUndockPrivilege	2840	svchost.exe
Token: SeSyncAgentPrivilege	2840	svchost.exe
Token: SeEnableDelegationPrivilege	2840	svchost.exe
Token: SeManageVolumePrivilege	2840	svchost.exe
Token: SeImpersonatePrivilege	2840	svchost.exe
Token: SeCreateGlobalPrivilege	2840	svchost.exe
Token: 31	2840	svchost.exe
Token: 32	2840	svchost.exe
Token: 33	2840	svchost.exe
Token: 34	2840	svchost.exe
Token: 35	2840	svchost.exe
Token: SeDebugPrivilege	2840	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2764	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	30
PID 2804 wrote to memory of 2764	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	30
PID 2804 wrote to memory of 2764	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	30
PID 2804 wrote to memory of 2764	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	30
PID 2764 wrote to memory of 2896	2764	csc.exe	32
PID 2764 wrote to memory of 2896	2764	csc.exe	32
PID 2764 wrote to memory of 2896	2764	csc.exe	32
PID 2764 wrote to memory of 2896	2764	csc.exe	32
PID 2804 wrote to memory of 816	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	33
PID 2804 wrote to memory of 816	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	33
PID 2804 wrote to memory of 816	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	33
PID 2804 wrote to memory of 816	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	33
PID 2804 wrote to memory of 2840	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	34
PID 2804 wrote to memory of 2840	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	34
PID 2804 wrote to memory of 2840	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	34
PID 2804 wrote to memory of 2840	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	34
PID 2804 wrote to memory of 2840	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	34
PID 2804 wrote to memory of 2840	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	34
PID 2804 wrote to memory of 2840	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	34
PID 2804 wrote to memory of 2840	2804	JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe	34
PID 2840 wrote to memory of 528	2840	svchost.exe	35
PID 2840 wrote to memory of 528	2840	svchost.exe	35
PID 2840 wrote to memory of 528	2840	svchost.exe	35
PID 2840 wrote to memory of 528	2840	svchost.exe	35
PID 2840 wrote to memory of 716	2840	svchost.exe	36
PID 2840 wrote to memory of 716	2840	svchost.exe	36
PID 2840 wrote to memory of 716	2840	svchost.exe	36
PID 2840 wrote to memory of 716	2840	svchost.exe	36
PID 2840 wrote to memory of 660	2840	svchost.exe	38
PID 2840 wrote to memory of 660	2840	svchost.exe	38
PID 2840 wrote to memory of 660	2840	svchost.exe	38
PID 2840 wrote to memory of 660	2840	svchost.exe	38
PID 528 wrote to memory of 2648	528	cmd.exe	42
PID 528 wrote to memory of 2648	528	cmd.exe	42
PID 528 wrote to memory of 2648	528	cmd.exe	42
PID 528 wrote to memory of 2648	528	cmd.exe	42
PID 2840 wrote to memory of 968	2840	svchost.exe	40
PID 2840 wrote to memory of 968	2840	svchost.exe	40
PID 2840 wrote to memory of 968	2840	svchost.exe	40
PID 2840 wrote to memory of 968	2840	svchost.exe	40
PID 716 wrote to memory of 2180	716	cmd.exe	43
PID 716 wrote to memory of 2180	716	cmd.exe	43
PID 716 wrote to memory of 2180	716	cmd.exe	43
PID 716 wrote to memory of 2180	716	cmd.exe	43
PID 660 wrote to memory of 340	660	cmd.exe	45
PID 660 wrote to memory of 340	660	cmd.exe	45
PID 660 wrote to memory of 340	660	cmd.exe	45
PID 660 wrote to memory of 340	660	cmd.exe	45
PID 968 wrote to memory of 2104	968	cmd.exe	46
PID 968 wrote to memory of 2104	968	cmd.exe	46
PID 968 wrote to memory of 2104	968	cmd.exe	46
PID 968 wrote to memory of 2104	968	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65e4bc9f33a8b382c02d34bf69f15e9f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kubldzjq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4903.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4902.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\URamKV.exe
  "C:\Users\Admin\AppData\Local\Temp\URamKV.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:816
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\B0Z41YQFLX.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\B0Z41YQFLX.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\B0Z41YQFLX.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\B0Z41YQFLX.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4903.tmp

Filesize
1KB

MD5
82ae15d19bd6eaca66c3205eb68288ea

SHA1
0dd5b990286ea4286613d944f2379796c485039d

SHA256
a0b9fe9bfbaf16837da89ecdd1e721e449116e7068a45469bec7258b61d85e19

SHA512
f8de804631c83c960ada5eb8ea7a60e7df7fc3c57aba2e6247353f7ecee837db778a8c0fd0f867084e47e9dae0258633d3bdac864bf84a6317d9833e528d0615

Download Submit
C:\Users\Admin\AppData\Local\Temp\URamKV.exe

Filesize
4KB

MD5
4d9022584f6d8d823e92d6db5ab6e026

SHA1
db4e7dc06598446e812f1bb13c0dbf239abbad4e

SHA256
1ca5c7fb06621f866ee7e96564b36ecc96a390f8ffaafd6cbf4b6de2d9231804

SHA512
b02c61a245b6165680811b57895422065261da9b1c7ef5ab8296d667a824653560af823670e586da8a20c1738a8769b7f84897f20b8b495cf53d773e88a746cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4902.tmp

Filesize
644B

MD5
b6085519974d5a1c1f789d34b718db3e

SHA1
000ca4f23a10d87ca708e4f1054c69635779e8b3

SHA256
6210dc15b6a0da72c83fc5b532106bd807f84f631776657e7337f74654719953

SHA512
35145a8122ecbded61637b4d40c27000413a788d9ce55e0c5bf2f4d38cbc961e7f4f89b4a6b8a76e50abf2a97bc6813986f13f50fcaf30580e12eef8bca7595d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kubldzjq.0.cs

Filesize
1KB

MD5
3454a6e858e7358492a86a523bf7fd7e

SHA1
74c90ca50f25680fd7332c496306f865023aea4d

SHA256
f0729c2e0620f65fc29c14faa25c9ed8c3d035ec180fcc191311597f310b5a0a

SHA512
4b475ced5e20c89eade83bb7c2cbe7564cf90c4378feee546a565649a5ec8e3e5c52af0fabc5d64ea212a9cc7d74c4823a801e1ec91c28508867d69be04a9afd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kubldzjq.cmdline

Filesize
259B

MD5
8a32d80b2b167aafd9193bbedb6ac995

SHA1
f98703a555d7e701b3c2a79ba5e2b4b95a37e28e

SHA256
5542c68c3c202b4ba08a2ae8f200f6f7d6161c29e6612883fc8dad30acb47160

SHA512
c58b366deb4bcbd80f0e83b31b08023b0f1d3ba5c5f272a246bffabeaa1532796c961baf697aba1bc97a460dc42f62aca119699dbd2328d68e63cdab40c03267

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/2764-8-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-15-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-41-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

Filesize
4KB

Download
memory/2840-35-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-51-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-40-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-36-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-26-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-30-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-28-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-47-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-48-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-50-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-33-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-52-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-56-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-57-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-59-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-60-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-62-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads