Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 23:06
Static task: static1
Behavioral task behavioral1: sample 0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe, resource win7-20220812-en
Behavioral task behavioral2: sample 0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe, resource win10v2004-20220812-en
The signatures, memory dumps and process tree below come from behavioral2 (the Windows 10 2004 x64 run); the PIDs quoted are from that run only.
General
Target: 0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe
Size: 908KB
MD5: 5034e0f2a1fd479fd77190f6185657e0
SHA1: 450973616ffb8e3a0c90e76defc374b5ae31ce05
SHA256: 0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96
SHA512: dc9a52dfd878ffaef14b18381a0fb21441e3589d9cedf0070b9593db0a5b485e7f667ab297ab4cd44daeb7e707015e6b0a8b879119f62998d89b6cdb5075c2b8
SSDEEP: 12288:VhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aboHdGEKRKGI/CxquTOrLf:jRmJkcoQricOIQxiZY1iaboHX/qqusb
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 10 IoCs)
Every write in this group is made by reg.exe, not by the sample itself (see the cmd /c REG ADD launches in the process tree). The commands address HKLM\System\CurrentControlSet\...; the sandbox records the resolved key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile. Relative to that StandardProfile key:
- Key created: StandardProfile (3 times), AuthorizedApplications (once), AuthorizedApplications\List (twice)
- Set value (int): DoNotAllowExceptions = "0" (twice), which makes sure the per-application exception list is honoured
- Set value (str): AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe:*:Enabled:Windows Messanger"
- Set value (str): AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\BlackShades.exe = "C:\\Users\\Admin\\AppData\\Roaming\\BlackShades.exe:*:Enabled:Windows Messanger"
The value data follows the legacy firewall exception format <path>:*:Enabled:<display name>. The misspelled display name "Windows Messanger" is the sample's own string, so keep it verbatim as an indicator rather than correcting it.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: 0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe (PID 4576)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\BlackShades.exe"
The Policies\Explorer\Run location is read by Explorer at logon like the ordinary Run key but is listed by fewer autorun tools, so include it in any hunt.
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Process: 0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe (PID 4576)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5CF59D9-CEAB-DBBA-EDEE-7CBEE8E56C39}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5CF59D9-CEAB-DBBA-EDEE-7CBEE8E56C39}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\BlackShades.exe"
- Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A5CF59D9-CEAB-DBBA-EDEE-7CBEE8E56C39}
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A5CF59D9-CEAB-DBBA-EDEE-7CBEE8E56C39}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\BlackShades.exe"
Active Setup runs a component's StubPath once per user at logon when the HKLM entry for that GUID is newer than, or absent from, the user's hive. The GUID {A5CF59D9-CEAB-DBBA-EDEE-7CBEE8E56C39} is therefore a usable indicator on its own; the same BlackShades.exe target is also registered under Run and Policies\Explorer\Run, giving three independent logon-time starts.
YARA match: rule "upx" (4 IoCs)
- behavioral2/memory/4576-133-0x0000000000400000-0x000000000047D000-memory.dmp
- behavioral2/memory/4576-135-0x0000000000400000-0x000000000047D000-memory.dmp
- behavioral2/memory/4576-136-0x0000000000400000-0x000000000047D000-memory.dmp
- behavioral2/memory/4576-148-0x0000000000400000-0x000000000047D000-memory.dmp
All four hits are dumps of the same image region (0x400000-0x47D000) of PID 4576, the second instance of the sample that PID 2892 writes into; the UPX rule fires on the in-memory image, not on a separate dropped file.
Adds Run key to start application (2 TTPs, 4 IoCs)
Process: 0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe (PID 4576)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\BlackShades.exe"
- Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\BlackShades.exe"
The HKLM writes land under WOW6432Node because the sample is a 32-bit process (the arch:x86 tag and the SysWOW64 cmd.exe/reg.exe children agree); registry redirection puts them there without the sample asking. A hunt that only reads the 64-bit view of HKLM\...\Run will miss this entry.
Suspicious use of SetThreadContext (1 IoC)
- PID 2892 set thread context of 4576 (0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe, procid_target 80)
The parent and the target are two instances of the same executable, and the same parent also performs eight WriteProcessMemory calls into that child (see below) before the child does anything of its own. That sequence, a copy of self started as a child, written to, then given a new thread context, is the classic RunPE/process-hollowing shape, and it matches the UPX hits being found in the child's memory image rather than on disk.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(The second sentence is Triage's generic description for this signature. Nothing else in this report, which shows persistence, firewall tampering and injection rather than file encryption, supports a ransomware reading.)
Modifies registry key (1 TTP, 4 IoCs)
- reg.exe PIDs 4840, 2352, 2404, 2220 (one per REG ADD in the process tree)
Suspicious behavior: RenamesItself (1 IoC)
- PID 4576, 0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
All 36 entries are from PID 4576 (0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe), in this order:
1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
The numeric entries are privilege LUIDs the sandbox did not resolve to a name. Read as LUIDs, the named entries run from 2 (SeCreateTokenPrivilege) to 30 (SeCreateGlobalPrivilege) in exact order, bracketed by 1 and 31-35: the sample is looping over every LUID and calling AdjustTokenPrivileges on each, rather than requesting the one or two privileges it needs. Only the final, separate SeDebugPrivilege request looks deliberate. Whether any of these were actually granted depends on the token the sample ran under, which the report does not state.
Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 4576, 0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe (8 calls)
The report records only that the hook was installed eight times from the injected instance; it does not show the hook type, so do not read keylogging into it without the call arguments.
Suspicious use of WriteProcessMemory (32 IoCs)
Grouped by writer and target (the trailing number in the raw table is Triage's procid_target index, not a Windows PID):
- PID 2892 (0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe) wrote to 4576 (same image) 8 times, procid_target 80
- PID 4576 wrote to 1404 (cmd.exe) 3 times, procid_target 81
- PID 4576 wrote to 4992 (cmd.exe) 3 times, procid_target 82
- PID 4576 wrote to 4944 (cmd.exe) 3 times, procid_target 83
- PID 4576 wrote to 4912 (cmd.exe) 3 times, procid_target 84
- PID 1404 (cmd.exe) wrote to 2352 (reg.exe) 3 times, procid_target 89
- PID 4944 (cmd.exe) wrote to 2404 (reg.exe) 3 times, procid_target 90
- PID 4992 (cmd.exe) wrote to 2220 (reg.exe) 3 times, procid_target 91
- PID 4912 (cmd.exe) wrote to 4840 (reg.exe) 3 times, procid_target 92
A parent writing a few times into a child it has just created is what CreateProcess itself does, so the three-write groups from 4576 into cmd.exe and from cmd.exe into reg.exe are normal process launches and not evidence on their own. The eight writes from 2892 into its own second instance, paired with the SetThreadContext call on that instance, are the injection.
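A host-side check for the parent/child shape described in the SetThreadContext and WriteProcessMemory entries above, added here as an example and not taken from the report or from Triage: it lists running processes whose parent is another instance of the same executable running from a user-writable path. The path regex and the decision to treat such pairs as triage leads rather than as proof of injection are my assumptions, not anything the report states.

```powershell
# Added example, not from the Triage report: find running processes whose parent
# is another instance of the same executable under a user-writable path, the
# shape of the 2892 -> 4576 relationship in the report above.
# Assumptions (mine): the path regex, and that such pairs are leads, not proof.
# Run as an administrator to see processes belonging to other users.

# Paths a non-admin user can write to; adjust for your estate.
$UserWritable = '^C:\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\'

$Procs = Get-CimInstance -ClassName Win32_Process
$ByPid = @{}
foreach ($P in $Procs) { $ByPid[[int]$P.ProcessId] = $P }

$Leads = foreach ($P in $Procs) {
    $Parent = $ByPid[[int]$P.ParentProcessId]
    if (-not $Parent -or -not $P.ExecutablePath -or -not $Parent.ExecutablePath) { continue }

    # A parent "created" after its child means the parent PID was reused by an
    # unrelated process after the real parent exited; skip those false pairs.
    if ($Parent.CreationDate -gt $P.CreationDate) { continue }

    if ($P.ExecutablePath -ieq $Parent.ExecutablePath -and $P.ExecutablePath -match $UserWritable) {
        [pscustomobject]@{
            ParentPid = $Parent.ProcessId
            ChildPid  = $P.ProcessId
            Image     = $P.ExecutablePath
            ChildCmd  = $P.CommandLine
        }
    }
}

$Leads | Format-Table -AutoSize
```

Expect benign hits from per-user installs that spawn helper copies of themselves from AppData\Local (browsers and Electron applications do this). What separates this sample is the combination: the image sits in AppData\Local\Temp, the child is written to and has its thread context replaced, and the same child then writes the Run, Active Setup and firewall keys listed above.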
Processes
Process tree for the win10v2004 run (behavioral2). Indentation shows parent/child; each node gives the image path, the command line as recorded, the PID and the signatures Triage attached to it.

C:\Users\Admin\AppData\Local\Temp\0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe (PID 2892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe (PID 4576, child of 2892; second instance of the same image and the target of the parent's SetThreadContext/WriteProcessMemory calls)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe"
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1404, child of 4576)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (PID 2352, child of 1404)
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              - Modifies firewall policy service
              - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe (PID 4992, child of 4576)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe:*:Enabled:Windows Messanger" /f
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (PID 2220, child of 4992)
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\0aaaa0cd21310532c43f226e45f5590a7b1581c3376f2f654afe2d9681b4ed96.exe:*:Enabled:Windows Messanger" /f
              - Modifies firewall policy service
              - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe (PID 4944, child of 4576)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (PID 2404, child of 4944)
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              - Modifies firewall policy service
              - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe (PID 4912, child of 4576)
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\BlackShades.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\BlackShades.exe:*:Enabled:Windows Messanger" /f
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (PID 4840, child of 4912)
              Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\BlackShades.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\BlackShades.exe:*:Enabled:Windows Messanger" /f
              - Modifies firewall policy service
              - Modifies registry key

The injected instance (4576) does not touch the firewall itself: it shells out four times through cmd.exe to reg.exe, which is why the firewall IoCs are attributed to reg.exe while the Run, Policies\Explorer\Run and Active Setup writes are attributed to the sample. The DoNotAllowExceptions=0 command is issued twice (1404/2352 and 4944/2404), once for each exception it adds. A process-creation rule that looks for cmd.exe or reg.exe with "FirewallPolicy\StandardProfile" in the command line, parented by a process running from a user profile directory, would catch all four launches.
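An audit for the registry artifacts the tree above produces, added here as an example and not part of the Triage report: it reads the Run, Policies\Explorer\Run and Active Setup locations the sample wrote (in both the native and WOW6432Node views) and the legacy firewall StandardProfile exception list, and flags any entry that points into a user-writable directory. The "suspicious path" heuristic, the choice to report DoNotAllowExceptions=0 only when a suspicious exception is also present, and the checking of HKCU rather than every hive under HKU are my assumptions.

```powershell
# Added example, not from the Triage report: audit a Windows host for the
# persistence and firewall-exception artifacts this sample writes. Run elevated.
# Assumptions (mine): the path heuristic below, and that DoNotAllowExceptions=0
# (the Windows default) is only worth reporting next to a suspicious exception.

# Any target under AppData, ProgramData or a Temp directory is treated as suspicious.
$SuspiciousPath = '\\(AppData|ProgramData|Temp)\\'
# Get-ItemProperty adds these provider properties; they are not registry values.
$Meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Source, $Name, $Target) {
    $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Target = $Target })
}

# 1. Autostart values. The sample used the value name "windows", but the check is
#    on the target path, so a renamed value is still caught. Both registry views
#    are read because a 32-bit process is redirected to WOW6432Node.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -in $Meta) { continue }
        if ("$($P.Value)" -match $SuspiciousPath) { Add-Finding $Key $P.Name $P.Value }
    }
}

# 2. Active Setup: StubPath runs once per user at logon, so a single HKLM entry
#    re-launches the payload for every account that logs in.
$ActiveSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components',
    'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)
foreach ($Root in $ActiveSetupRoots) {
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $Stub = $_.GetValue('StubPath')
        if ($Stub -and "$Stub" -match $SuspiciousPath) { Add-Finding $_.PSPath 'StubPath' $Stub }
    }
}

# 3. Legacy firewall policy: the exception list the sample's reg.exe calls populate.
#    Value name is the program path; data is "<path>:*:Enabled:<display name>".
$FwProfile = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$FwList    = "$FwProfile\AuthorizedApplications\List"
$FwHit     = $false
$Props = Get-ItemProperty -Path $FwList -ErrorAction SilentlyContinue
if ($Props) {
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -in $Meta) { continue }
        if ($P.Name -match $SuspiciousPath -or "$($P.Value)" -match $SuspiciousPath) {
            Add-Finding $FwList $P.Name $P.Value
            $FwHit = $true
        }
    }
}
# 0 is the default and alone means nothing; report it only alongside a bad exception.
$Prof = Get-ItemProperty -Path $FwProfile -ErrorAction SilentlyContinue
if ($FwHit -and $Prof -and $Prof.PSObject.Properties['DoNotAllowExceptions'] -and $Prof.DoNotAllowExceptions -eq 0) {
    Add-Finding $FwProfile 'DoNotAllowExceptions' $Prof.DoNotAllowExceptions
}

$Findings | Format-Table -AutoSize
```

On the host this report describes, the script would return the Run, Policies\Explorer\Run and Active Setup entries pointing at C:\Users\Admin\AppData\Roaming\BlackShades.exe, the two firewall exceptions, and DoNotAllowExceptions. It only reads HKCU for the per-user locations; to cover the S-1-5-21-... hive the sample wrote for another account, load or enumerate the hives under HKU and repeat the per-user checks against each. Whether a given Windows build still honours the legacy AuthorizedApplications\List is a separate question; the entries are worth finding regardless, because nothing legitimate writes a display name of "Windows Messanger".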