Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    24/01/2025, 05:35

General

  • Target

    f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe

  • Size

    2.0MB

  • MD5

    ebd4bf9d027377c302d811589f88fca0

  • SHA1

    73cb7b4678b0386f696c6bc21e87495aba46b433

  • SHA256

    f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96

  • SHA512

    4ea20a9302c887f55795ac237a698bfe53036de8543d1c1043057201677d0c88a55ad6458402caad96056793f1fcafc464fce4c5e00fc34b7205f4ba642d56a0

  • SSDEEP

    49152:fmTWr53HxurntpSJU2mN2xl42d91cKSd5W6l/p7AFWVBpG947fVr0YfwCCkB1mpt:fmTWr53HxurntpSJU2mN2xu2d91cKSdo

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 9 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe
    "C:\Users\Admin\AppData\Local\Temp\f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\PycKq.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDef" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2760
    • C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe
      "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe
        C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2656
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1640
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2348
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\IDungProV5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDungProV5.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\IDungProV5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDungProV5.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2576
      • C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe
        C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PycKq.bat

    Filesize

    152B

    MD5

    12506b1a3ef0e7dcef2babaaecfb81e8

    SHA1

    9564f2c31b336dab739e74cceedb5e4d07c2a563

    SHA256

    3922b88903f6e7a4cd1e9cee92f9a0de6f0cd28a4a6db73114e320fa7cbf8c8a

    SHA512

    cbf0ade56c9961edcf8018f8e1654446e17c863e8df98a78b781b4b91ca87a9ab3b1532376f245c678f6f9e00771d74dba99e0fee237ebf3f4a69473d57f0dec

  • C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe

    Filesize

    2.0MB

    MD5

    7e68041a11f22ed557b1a05033f2428d

    SHA1

    59f5d04867d237334a3442834ac07551b570ad89

    SHA256

    25164e236ef5b56d1059ad5df567f1ca9f7f2c3d0970f3f82757814ac625f42d

    SHA512

    13056540cdea683b87601cbaa3eee8e44fa4b8b047d5f14aa8817e9d3445537a0af835507d394a8f47ccd7feb75f29e2a0f2845ee76396843770952d3cb48214

  • memory/2584-0-0x0000000000400000-0x00000000005F7000-memory.dmp

    Filesize

    2.0MB

  • memory/2876-60-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2876-63-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2876-64-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2876-69-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2884-54-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2884-48-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2884-67-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2884-51-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2884-70-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2884-72-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2884-75-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2884-77-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2884-79-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2884-84-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2884-89-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB