blackshades | 3ce1eee52dc8fea528222d6bdd72ae63919cd33c373f1ec47583a7cab7dfc6c8

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe
Size

245KB
MD5

98557c0d1b535086bec54d7149a4f3db
SHA1

2c2e6b26b64aa97e2b58646cf508757bd757e32e
SHA256

3ce1eee52dc8fea528222d6bdd72ae63919cd33c373f1ec47583a7cab7dfc6c8
SHA512

dfb54d7da09a035f0628f1fac1f3f39a7aeb4bb8938153441b7fb22a18d2a0439619b4b10241126da99857e4e7d838693cbfd43ce3b3bcf624fb21a8c013911b
SSDEEP

6144:PLy4KzNoLvn/7fheYFmJBNwcuvJ5uBelDBdJFNkhzR0CW3oS:jyp8nz76H4h5u4lFnghWoS

Score

10^/10

blackshades defense_evasion discovery persistence rat trojan upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 1 IoCs

resource	yara_rule
behavioral1/memory/2848-58-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\svchost.exe = "C:\\Windows\\SysWOW64\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WinDefender.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2624	svchost.exe
1272	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe
2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe
2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe
2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe
2624	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\Microsoft\\svchost.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 2848	2624	svchost.exe	38
PID 2624 set thread context of 1272	2624	svchost.exe	39

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000068F000-memory.dmp	upx
behavioral1/files/0x0008000000018b68-35.dat	upx
behavioral1/memory/2236-46-0x0000000003CB0000-0x0000000003F3F000-memory.dmp	upx
behavioral1/memory/2236-51-0x0000000000400000-0x000000000068F000-memory.dmp	upx
behavioral1/memory/2848-54-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1272-71-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2624-69-0x0000000000400000-0x000000000068F000-memory.dmp	upx
behavioral1/memory/1272-65-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1272-64-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1272-59-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2848-58-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2848-57-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1272-74-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft\svchost.exe	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe
File opened for modification	C:\Windows\Microsoft\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Microsoft\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2608	reg.exe
2880	reg.exe
2180	reg.exe
2140	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	explorer.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: 1	2848	svchost.exe
Token: SeCreateTokenPrivilege	2848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2848	svchost.exe
Token: SeLockMemoryPrivilege	2848	svchost.exe
Token: SeIncreaseQuotaPrivilege	2848	svchost.exe
Token: SeMachineAccountPrivilege	2848	svchost.exe
Token: SeTcbPrivilege	2848	svchost.exe
Token: SeSecurityPrivilege	2848	svchost.exe
Token: SeTakeOwnershipPrivilege	2848	svchost.exe
Token: SeLoadDriverPrivilege	2848	svchost.exe
Token: SeSystemProfilePrivilege	2848	svchost.exe
Token: SeSystemtimePrivilege	2848	svchost.exe
Token: SeProfSingleProcessPrivilege	2848	svchost.exe
Token: SeIncBasePriorityPrivilege	2848	svchost.exe
Token: SeCreatePagefilePrivilege	2848	svchost.exe
Token: SeCreatePermanentPrivilege	2848	svchost.exe
Token: SeBackupPrivilege	2848	svchost.exe
Token: SeRestorePrivilege	2848	svchost.exe
Token: SeShutdownPrivilege	2848	svchost.exe
Token: SeDebugPrivilege	2848	svchost.exe
Token: SeAuditPrivilege	2848	svchost.exe
Token: SeSystemEnvironmentPrivilege	2848	svchost.exe
Token: SeChangeNotifyPrivilege	2848	svchost.exe
Token: SeRemoteShutdownPrivilege	2848	svchost.exe
Token: SeUndockPrivilege	2848	svchost.exe
Token: SeSyncAgentPrivilege	2848	svchost.exe
Token: SeEnableDelegationPrivilege	2848	svchost.exe
Token: SeManageVolumePrivilege	2848	svchost.exe
Token: SeImpersonatePrivilege	2848	svchost.exe
Token: SeCreateGlobalPrivilege	2848	svchost.exe
Token: 31	2848	svchost.exe
Token: 32	2848	svchost.exe
Token: 33	2848	svchost.exe
Token: 34	2848	svchost.exe
Token: 35	2848	svchost.exe
Token: SeDebugPrivilege	1272	svchost.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe
2624	svchost.exe
2848	svchost.exe
2848	svchost.exe
1272	svchost.exe
2848	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2688	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	30
PID 2236 wrote to memory of 2688	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	30
PID 2236 wrote to memory of 2688	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	30
PID 2236 wrote to memory of 2688	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	30
PID 2688 wrote to memory of 2584	2688	cmd.exe	32
PID 2688 wrote to memory of 2584	2688	cmd.exe	32
PID 2688 wrote to memory of 2584	2688	cmd.exe	32
PID 2688 wrote to memory of 2584	2688	cmd.exe	32
PID 2688 wrote to memory of 2792	2688	cmd.exe	33
PID 2688 wrote to memory of 2792	2688	cmd.exe	33
PID 2688 wrote to memory of 2792	2688	cmd.exe	33
PID 2688 wrote to memory of 2792	2688	cmd.exe	33
PID 2236 wrote to memory of 2728	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	34
PID 2236 wrote to memory of 2728	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	34
PID 2236 wrote to memory of 2728	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	34
PID 2236 wrote to memory of 2728	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	34
PID 2728 wrote to memory of 2544	2728	cmd.exe	36
PID 2728 wrote to memory of 2544	2728	cmd.exe	36
PID 2728 wrote to memory of 2544	2728	cmd.exe	36
PID 2728 wrote to memory of 2544	2728	cmd.exe	36
PID 2236 wrote to memory of 2624	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	37
PID 2236 wrote to memory of 2624	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	37
PID 2236 wrote to memory of 2624	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	37
PID 2236 wrote to memory of 2624	2236	JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe	37
PID 2624 wrote to memory of 2848	2624	svchost.exe	38
PID 2624 wrote to memory of 2848	2624	svchost.exe	38
PID 2624 wrote to memory of 2848	2624	svchost.exe	38
PID 2624 wrote to memory of 2848	2624	svchost.exe	38
PID 2624 wrote to memory of 2848	2624	svchost.exe	38
PID 2624 wrote to memory of 2848	2624	svchost.exe	38
PID 2624 wrote to memory of 2848	2624	svchost.exe	38
PID 2624 wrote to memory of 2848	2624	svchost.exe	38
PID 2624 wrote to memory of 2848	2624	svchost.exe	38
PID 2624 wrote to memory of 1272	2624	svchost.exe	39
PID 2624 wrote to memory of 1272	2624	svchost.exe	39
PID 2624 wrote to memory of 1272	2624	svchost.exe	39
PID 2624 wrote to memory of 1272	2624	svchost.exe	39
PID 2624 wrote to memory of 1272	2624	svchost.exe	39
PID 2624 wrote to memory of 1272	2624	svchost.exe	39
PID 2624 wrote to memory of 1272	2624	svchost.exe	39
PID 2624 wrote to memory of 1272	2624	svchost.exe	39
PID 2624 wrote to memory of 1272	2624	svchost.exe	39
PID 2848 wrote to memory of 1504	2848	svchost.exe	40
PID 2848 wrote to memory of 1504	2848	svchost.exe	40
PID 2848 wrote to memory of 1504	2848	svchost.exe	40
PID 2848 wrote to memory of 1504	2848	svchost.exe	40
PID 2848 wrote to memory of 2528	2848	svchost.exe	41
PID 2848 wrote to memory of 2528	2848	svchost.exe	41
PID 2848 wrote to memory of 2528	2848	svchost.exe	41
PID 2848 wrote to memory of 2528	2848	svchost.exe	41
PID 1504 wrote to memory of 2180	1504	cmd.exe	44
PID 1504 wrote to memory of 2180	1504	cmd.exe	44
PID 1504 wrote to memory of 2180	1504	cmd.exe	44
PID 1504 wrote to memory of 2180	1504	cmd.exe	44
PID 2848 wrote to memory of 2964	2848	svchost.exe	42
PID 2848 wrote to memory of 2964	2848	svchost.exe	42
PID 2848 wrote to memory of 2964	2848	svchost.exe	42
PID 2848 wrote to memory of 2964	2848	svchost.exe	42
PID 2848 wrote to memory of 2220	2848	svchost.exe	46
PID 2848 wrote to memory of 2220	2848	svchost.exe	46
PID 2848 wrote to memory of 2220	2848	svchost.exe	46
PID 2848 wrote to memory of 2220	2848	svchost.exe	46
PID 2964 wrote to memory of 2140	2964	cmd.exe	49
PID 2964 wrote to memory of 2140	2964	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98557c0d1b535086bec54d7149a4f3db.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BWJFQA.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\reg.exe
    REG ADD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIYfD.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft" /t REG_SZ /d "C:\Windows\Microsoft\svchost.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2544
- C:\Windows\Microsoft\svchost.exe
  "C:\Windows\Microsoft\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\svchost.exe
    False
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2528
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2220
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2880
- - C:\Windows\Microsoft\svchost.exe
    False
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1272

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BWJFQA.bat

Filesize
158B

MD5
27c0901dd0c2c867221ef0b9c9e02898

SHA1
909256eaf2866e610e8f1df8c015c613828cb16e

SHA256
087d9be6b18d52420e48f5a9c82417fdba3c01d5d5d3bddddd4ed89cf349716a

SHA512
d6131c9eac12393ac76e3c6e82966727244054cdd1e4342cfdbd9c0f0dc5985405be3cd15c8c4b103e4fd3d7b5b542c725a9162c980c0450f19f2bd4e9feef78

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIYfD.bat

Filesize
126B

MD5
2f5e2259fa1a5cfe1e238b5357df3ceb

SHA1
3921edd3d628da827905fd3a9e237dad5156c0e4

SHA256
92238bdf4aeaa08b3c254a6d689c0ad82fb4864f481e790017298d335bb0eb7a

SHA512
acec756d63e271abb0075c09fbfe4ff610cf933861330f22ae2c5b4187e496ce47eb826c4a3775aef18c77bda54f4f3a184c3771fe0b55fa10804cfa3b71aa2d

Download Submit
\Windows\Microsoft\svchost.exe

Filesize
245KB

MD5
98557c0d1b535086bec54d7149a4f3db

SHA1
2c2e6b26b64aa97e2b58646cf508757bd757e32e

SHA256
3ce1eee52dc8fea528222d6bdd72ae63919cd33c373f1ec47583a7cab7dfc6c8

SHA512
dfb54d7da09a035f0628f1fac1f3f39a7aeb4bb8938153441b7fb22a18d2a0439619b4b10241126da99857e4e7d838693cbfd43ce3b3bcf624fb21a8c013911b

Download Submit
memory/1272-71-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1272-74-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1272-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1272-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1272-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2228-95-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2236-47-0x0000000003CB0000-0x0000000003F3F000-memory.dmp

Filesize
2.6MB

Download
memory/2236-48-0x0000000003CB0000-0x0000000003F3F000-memory.dmp

Filesize
2.6MB

Download
memory/2236-51-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2236-46-0x0000000003CB0000-0x0000000003F3F000-memory.dmp

Filesize
2.6MB

Download
memory/2236-0-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2624-70-0x0000000002AC0000-0x0000000002D4F000-memory.dmp

Filesize
2.6MB

Download
memory/2624-69-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2848-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2848-58-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2848-57-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads