blackshades | f85eaa0b14370b4f85b20c22ea2bc1cfb531671db00abf8c738c197f2ac40a1e

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe
Size

537KB
MD5

9f61e571c724650df9508ac5ca429fb6
SHA1

b0b37eff7238527032fa150962907b5fdb900adf
SHA256

f85eaa0b14370b4f85b20c22ea2bc1cfb531671db00abf8c738c197f2ac40a1e
SHA512

4c678d58606a93dd60ca169f1b01d2e7bc097b3eb07622de7400cc5eb4661a9b875cda3c83fd0ac2895e94170c43da461d80e0b2c67948deda21c678997c49f1
SSDEEP

12288:FJpOHdy19sXHT7vKxc+DrNAFz18KJVZiTX2ckeL6wu15t66:8HkA7vSJ9mqKrZiyYL4FL

Score

10^/10

blackshades defense_evasion discovery persistence rat trojan upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 12 IoCs

resource	yara_rule
behavioral1/memory/3400-53-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-62-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-64-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-67-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-69-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-71-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-74-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-76-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-78-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-81-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-83-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3400-85-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\system\\iexplore.exe"	reg.exe

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\iexplore.exe = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system\iexplore.exe = "C:\\Windows\\system\\iexplore.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	iexplore.exe

Executes dropped EXE 3 IoCs

pid	Process
3852	iexplore.exe
3680	iexplore.exe
3400	iexplore.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wnds Uppdtrs = "C:\\Windows\\system\\iexplore.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wnds Uppdtrs = "C:\\Windows\\system\\iexplore.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3852 set thread context of 3680	3852	iexplore.exe	123
PID 3852 set thread context of 3400	3852	iexplore.exe	124

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5304-0-0x0000000000400000-0x0000000000601000-memory.dmp	upx
behavioral1/memory/5304-3-0x0000000000400000-0x0000000000601000-memory.dmp	upx
behavioral1/files/0x00070000000243e1-24.dat	upx
behavioral1/memory/3852-32-0x0000000000400000-0x0000000000601000-memory.dmp	upx
behavioral1/memory/5304-35-0x0000000000400000-0x0000000000601000-memory.dmp	upx
behavioral1/memory/3852-37-0x0000000000400000-0x0000000000601000-memory.dmp	upx
behavioral1/memory/3400-48-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-51-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-53-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3852-60-0x0000000000400000-0x0000000000601000-memory.dmp	upx
behavioral1/memory/3400-62-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-64-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-67-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-69-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-71-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-74-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-76-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-78-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-81-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-83-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3400-85-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\iexplore.exe	iexplore.exe
File created	C:\Windows\system\iexplore.exe	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe
File opened for modification	C:\Windows\system\iexplore.exe	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3900	3852	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4000	reg.exe
3124	reg.exe
5676	reg.exe
5464	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	iexplore.exe
Token: 1	3400	iexplore.exe
Token: SeCreateTokenPrivilege	3400	iexplore.exe
Token: SeAssignPrimaryTokenPrivilege	3400	iexplore.exe
Token: SeLockMemoryPrivilege	3400	iexplore.exe
Token: SeIncreaseQuotaPrivilege	3400	iexplore.exe
Token: SeMachineAccountPrivilege	3400	iexplore.exe
Token: SeTcbPrivilege	3400	iexplore.exe
Token: SeSecurityPrivilege	3400	iexplore.exe
Token: SeTakeOwnershipPrivilege	3400	iexplore.exe
Token: SeLoadDriverPrivilege	3400	iexplore.exe
Token: SeSystemProfilePrivilege	3400	iexplore.exe
Token: SeSystemtimePrivilege	3400	iexplore.exe
Token: SeProfSingleProcessPrivilege	3400	iexplore.exe
Token: SeIncBasePriorityPrivilege	3400	iexplore.exe
Token: SeCreatePagefilePrivilege	3400	iexplore.exe
Token: SeCreatePermanentPrivilege	3400	iexplore.exe
Token: SeBackupPrivilege	3400	iexplore.exe
Token: SeRestorePrivilege	3400	iexplore.exe
Token: SeShutdownPrivilege	3400	iexplore.exe
Token: SeDebugPrivilege	3400	iexplore.exe
Token: SeAuditPrivilege	3400	iexplore.exe
Token: SeSystemEnvironmentPrivilege	3400	iexplore.exe
Token: SeChangeNotifyPrivilege	3400	iexplore.exe
Token: SeRemoteShutdownPrivilege	3400	iexplore.exe
Token: SeUndockPrivilege	3400	iexplore.exe
Token: SeSyncAgentPrivilege	3400	iexplore.exe
Token: SeEnableDelegationPrivilege	3400	iexplore.exe
Token: SeManageVolumePrivilege	3400	iexplore.exe
Token: SeImpersonatePrivilege	3400	iexplore.exe
Token: SeCreateGlobalPrivilege	3400	iexplore.exe
Token: 31	3400	iexplore.exe
Token: 32	3400	iexplore.exe
Token: 33	3400	iexplore.exe
Token: 34	3400	iexplore.exe
Token: 35	3400	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe
3852	iexplore.exe
3852	iexplore.exe
3680	iexplore.exe
3400	iexplore.exe
3400	iexplore.exe
3400	iexplore.exe
3400	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5304 wrote to memory of 4808	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	97
PID 5304 wrote to memory of 4808	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	97
PID 5304 wrote to memory of 4808	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	97
PID 4808 wrote to memory of 4216	4808	cmd.exe	100
PID 4808 wrote to memory of 4216	4808	cmd.exe	100
PID 4808 wrote to memory of 4216	4808	cmd.exe	100
PID 5304 wrote to memory of 2860	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	101
PID 5304 wrote to memory of 2860	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	101
PID 5304 wrote to memory of 2860	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	101
PID 2860 wrote to memory of 2216	2860	cmd.exe	103
PID 2860 wrote to memory of 2216	2860	cmd.exe	103
PID 2860 wrote to memory of 2216	2860	cmd.exe	103
PID 5304 wrote to memory of 1188	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	106
PID 5304 wrote to memory of 1188	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	106
PID 5304 wrote to memory of 1188	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	106
PID 1188 wrote to memory of 3576	1188	cmd.exe	108
PID 1188 wrote to memory of 3576	1188	cmd.exe	108
PID 1188 wrote to memory of 3576	1188	cmd.exe	108
PID 5304 wrote to memory of 2020	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	111
PID 5304 wrote to memory of 2020	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	111
PID 5304 wrote to memory of 2020	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	111
PID 2020 wrote to memory of 1960	2020	cmd.exe	113
PID 2020 wrote to memory of 1960	2020	cmd.exe	113
PID 2020 wrote to memory of 1960	2020	cmd.exe	113
PID 5304 wrote to memory of 3852	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	114
PID 5304 wrote to memory of 3852	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	114
PID 5304 wrote to memory of 3852	5304	JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe	114
PID 3852 wrote to memory of 5784	3852	iexplore.exe	120
PID 3852 wrote to memory of 5784	3852	iexplore.exe	120
PID 3852 wrote to memory of 5784	3852	iexplore.exe	120
PID 5784 wrote to memory of 4584	5784	cmd.exe	122
PID 5784 wrote to memory of 4584	5784	cmd.exe	122
PID 5784 wrote to memory of 4584	5784	cmd.exe	122
PID 3852 wrote to memory of 3680	3852	iexplore.exe	123
PID 3852 wrote to memory of 3680	3852	iexplore.exe	123
PID 3852 wrote to memory of 3680	3852	iexplore.exe	123
PID 3852 wrote to memory of 3680	3852	iexplore.exe	123
PID 3852 wrote to memory of 3680	3852	iexplore.exe	123
PID 3852 wrote to memory of 3680	3852	iexplore.exe	123
PID 3852 wrote to memory of 3680	3852	iexplore.exe	123
PID 3852 wrote to memory of 3400	3852	iexplore.exe	124
PID 3852 wrote to memory of 3400	3852	iexplore.exe	124
PID 3852 wrote to memory of 3400	3852	iexplore.exe	124
PID 3852 wrote to memory of 3400	3852	iexplore.exe	124
PID 3852 wrote to memory of 3400	3852	iexplore.exe	124
PID 3852 wrote to memory of 3400	3852	iexplore.exe	124
PID 3852 wrote to memory of 3400	3852	iexplore.exe	124
PID 3852 wrote to memory of 3400	3852	iexplore.exe	124
PID 3400 wrote to memory of 4072	3400	iexplore.exe	127
PID 3400 wrote to memory of 4072	3400	iexplore.exe	127
PID 3400 wrote to memory of 4072	3400	iexplore.exe	127
PID 3400 wrote to memory of 2336	3400	iexplore.exe	129
PID 3400 wrote to memory of 2336	3400	iexplore.exe	129
PID 3400 wrote to memory of 2336	3400	iexplore.exe	129
PID 3400 wrote to memory of 5076	3400	iexplore.exe	130
PID 3400 wrote to memory of 5076	3400	iexplore.exe	130
PID 3400 wrote to memory of 5076	3400	iexplore.exe	130
PID 3400 wrote to memory of 3948	3400	iexplore.exe	131
PID 3400 wrote to memory of 3948	3400	iexplore.exe	131
PID 3400 wrote to memory of 3948	3400	iexplore.exe	131
PID 4072 wrote to memory of 5464	4072	cmd.exe	136
PID 4072 wrote to memory of 5464	4072	cmd.exe	136
PID 4072 wrote to memory of 5464	4072	cmd.exe	136
PID 5076 wrote to memory of 4000	5076	cmd.exe	137

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f61e571c724650df9508ac5ca429fb6.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240880468.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240880984.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Wnds Uppdtrs" /t REG_SZ /d "C:\Windows\system\iexplore.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240881125.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Wnds Uppdtrs" /t REG_SZ /d "C:\Windows\system\iexplore.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240881312.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Windows\system\iexplore.exe" /f
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:1960
- C:\Windows\system\iexplore.exe
  "C:\Windows\system\iexplore.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240899015.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5784
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:4584
- - C:\Windows\system\iexplore.exe
    "C:\Windows\system\iexplore.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3680
- - C:\Windows\system\iexplore.exe
    "C:\Windows\system\iexplore.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\system\iexplore.exe" /t REG_SZ /d "C:\Windows\system\iexplore.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\system\iexplore.exe" /t REG_SZ /d "C:\Windows\system\iexplore.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\iexplore.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\iexplore.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3948
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\iexplore.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\iexplore.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1408
    3⤵
    - Program crash
    PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system\iexplore.exe
1⤵
PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system\iexplore.exe
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3852 -ip 3852
1⤵
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240880468.bat

Filesize
118B

MD5
a7abd9bdc5677f68c18d7524eb9ec1ab

SHA1
948db612bae78b17e4df26d1884f9d2129e6ac9f

SHA256
79192d9e9ebc7f9a864fdae37e771650afe5d41b8ba7da7a6ffeaff12b32e7b7

SHA512
bfcbbb6f9a76457427000e05b241755c13f1a6def8f0b0afc5d491409b812bacceed8545bd3e781779b2e2cd3fe8b1c323c17d3665df868cacc063c2e38c465d

Download Submit
C:\Users\Admin\AppData\Local\Temp\240880984.bat

Filesize
127B

MD5
2781243347986f546d183c1275ff7353

SHA1
0b6eaf0e86a8754888b448b2a25be8dd62447958

SHA256
01ca08fc11576b676919cd7387263205601084f49d2ba73f733183e0796225a5

SHA512
692451a05d26773c5a1c929b3c403e385eaa705e01d9b92fb1bff3152a7bb5d2a171f02a507e8ccf5bdf04c0af2cc2975c7f0ab4614a7a287653d4f94b8976b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\240881125.bat

Filesize
127B

MD5
45f63b23d2b1a17463b67317f4b2a34f

SHA1
ca1e002ea9c0afaed743a03529885034fe428147

SHA256
c36bdf5a4432018628a3258f4fd40bddd0d5abbb08fdbe9316c87d89d5cca4db

SHA512
7a07a4833162df0e9574d357c14cd963816517a37e11b8e58174444f6f6383be06daa63634961924a788bcc15ccfb92e13836e6830cd432becf729cc767ee8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\240881312.bat

Filesize
156B

MD5
0086b685f906c6a3d50f1b8003155424

SHA1
2a9219711035ce722a1578d38cd57b1417369327

SHA256
d61c92e4288500ded9e4904ec197fa39c261aa182e1f697df061639390f3b14c

SHA512
1e1bfa4b8947dea5eeb19bdb1c2751e29511d4e135a70929f3a3090d23fb7df7c71b2c50307873e6ab3ed8c29efdbc6f06be51a4ad8af312de7a1914beb1410a

Download Submit
C:\Windows\System\iexplore.exe

Filesize
537KB

MD5
9f61e571c724650df9508ac5ca429fb6

SHA1
b0b37eff7238527032fa150962907b5fdb900adf

SHA256
f85eaa0b14370b4f85b20c22ea2bc1cfb531671db00abf8c738c197f2ac40a1e

SHA512
4c678d58606a93dd60ca169f1b01d2e7bc097b3eb07622de7400cc5eb4661a9b875cda3c83fd0ac2895e94170c43da461d80e0b2c67948deda21c678997c49f1

Download Submit
memory/3400-64-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-74-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-85-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-83-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-81-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-78-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-76-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-62-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-71-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-48-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-51-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-69-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-53-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3400-67-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3680-44-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3680-61-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3680-47-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3680-46-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3680-45-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3680-42-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3852-60-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3852-37-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3852-32-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/5304-0-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/5304-3-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/5304-35-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads