Analysis
max time kernel: 116s
max time network: 115s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24/01/2025, 05:54
Static task: static1
Behavioral task: behavioral1
  Sample: 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
  Resource: win10v2004-20241007-en
General
Target: 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
Size: 902KB
MD5: b999866cb6f4de38d607097d8e7498f0
SHA1: 634494552ab4eecd3f82632d44fe2204293e0c91
SHA256: 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9
SHA512: 8ac5ee137c5efe2d26e85899265abd3de09ab9a438cde7ae3bae73273d855a5fccbc6543772a621bc946c0a9151fe684a6529379b433adf757987d0337fa6716
SSDEEP: 12288:jNuF/n3rZXFw3mBfzCUWnbW3R+7orptr6X+IxyIq984O:huF/dXFWEfWUWnih+7ofr6LyI2O
Malware Config
Signatures
- Blackshades
  Blackshades is a remote access trojan with various capabilities.
- Blackshades family
- Blackshades payload (12 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2816-10-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
  behavioral1/memory/2816-7-0x0000000000400000-0x0000000000470000-memory.dmp   family_blackshades
  behavioral1/memory/2816-20-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
  behavioral1/memory/2816-21-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
  behavioral1/memory/2816-23-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
  behavioral1/memory/2816-24-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
  behavioral1/memory/2816-25-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
  behavioral1/memory/2816-27-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
  behavioral1/memory/2816-28-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
  behavioral1/memory/2816-29-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
  behavioral1/memory/2816-31-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
  behavioral1/memory/2816-33-0x0000000000400000-0x0000000000470000-memory.dmp  family_blackshades
- Modifies firewall policy service (3 TTPs, 8 IoCs)
  description      ioc                                                                                                                                                  Process
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                                               reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"                     reg.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List                   reg.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List                   reg.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe:*:Enabled:Windows Messanger"  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"  reg.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                                               reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"                     reg.exe
- Drops startup file (2 IoCs)
  description                   ioc                                                                                                   Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jjLUgIcHfxXxJDVEbL.exe  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jjLUgIcHfxXxJDVEbL.exe  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 1856 set thread context of 2816  1856  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe  30
- System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
- Modifies registry key (1 TTPs, 4 IoCs)
  pid   Process
  2596  reg.exe
  2588  reg.exe
  2580  reg.exe
  2624  reg.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                          pid   Process
  Token: 1                             2816  vbc.exe
  Token: SeCreateTokenPrivilege        2816  vbc.exe
  Token: SeAssignPrimaryTokenPrivilege 2816  vbc.exe
  Token: SeLockMemoryPrivilege         2816  vbc.exe
  Token: SeIncreaseQuotaPrivilege      2816  vbc.exe
  Token: SeMachineAccountPrivilege     2816  vbc.exe
  Token: SeTcbPrivilege                2816  vbc.exe
  Token: SeSecurityPrivilege           2816  vbc.exe
  Token: SeTakeOwnershipPrivilege      2816  vbc.exe
  Token: SeLoadDriverPrivilege         2816  vbc.exe
  Token: SeSystemProfilePrivilege      2816  vbc.exe
  Token: SeSystemtimePrivilege         2816  vbc.exe
  Token: SeProfSingleProcessPrivilege  2816  vbc.exe
  Token: SeIncBasePriorityPrivilege    2816  vbc.exe
  Token: SeCreatePagefilePrivilege     2816  vbc.exe
  Token: SeCreatePermanentPrivilege    2816  vbc.exe
  Token: SeBackupPrivilege             2816  vbc.exe
  Token: SeRestorePrivilege            2816  vbc.exe
  Token: SeShutdownPrivilege           2816  vbc.exe
  Token: SeDebugPrivilege              2816  vbc.exe
  Token: SeAuditPrivilege              2816  vbc.exe
  Token: SeSystemEnvironmentPrivilege  2816  vbc.exe
  Token: SeChangeNotifyPrivilege       2816  vbc.exe
  Token: SeRemoteShutdownPrivilege     2816  vbc.exe
  Token: SeUndockPrivilege             2816  vbc.exe
  Token: SeSyncAgentPrivilege          2816  vbc.exe
  Token: SeEnableDelegationPrivilege   2816  vbc.exe
  Token: SeManageVolumePrivilege       2816  vbc.exe
  Token: SeImpersonatePrivilege        2816  vbc.exe
  Token: SeCreateGlobalPrivilege       2816  vbc.exe
  Token: 31                            2816  vbc.exe
  Token: 32                            2816  vbc.exe
  Token: 33                            2816  vbc.exe
  Token: 34                            2816  vbc.exe
  Token: 35                            2816  vbc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2816  vbc.exe
  2816  vbc.exe
  2816  vbc.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  description                      pid   Process                                                                 procid_target
  PID 1856 wrote to memory of 2816  1856  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe  30
  PID 1856 wrote to memory of 2816  1856  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe  30
  PID 1856 wrote to memory of 2816  1856  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe  30
  PID 1856 wrote to memory of 2816  1856  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe  30
  PID 1856 wrote to memory of 2816  1856  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe  30
  PID 1856 wrote to memory of 2816  1856  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe  30
  PID 1856 wrote to memory of 2816  1856  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe  30
  PID 1856 wrote to memory of 2816  1856  5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe  30
  PID 2816 wrote to memory of 2996  2816  vbc.exe  31
  PID 2816 wrote to memory of 2996  2816  vbc.exe  31
  PID 2816 wrote to memory of 2996  2816  vbc.exe  31
  PID 2816 wrote to memory of 2996  2816  vbc.exe  31
  PID 2816 wrote to memory of 2696  2816  vbc.exe  32
  PID 2816 wrote to memory of 2696  2816  vbc.exe  32
  PID 2816 wrote to memory of 2696  2816  vbc.exe  32
  PID 2816 wrote to memory of 2696  2816  vbc.exe  32
  PID 2816 wrote to memory of 2868  2816  vbc.exe  33
  PID 2816 wrote to memory of 2868  2816  vbc.exe  33
  PID 2816 wrote to memory of 2868  2816  vbc.exe  33
  PID 2816 wrote to memory of 2868  2816  vbc.exe  33
  PID 2816 wrote to memory of 2740  2816  vbc.exe  34
  PID 2816 wrote to memory of 2740  2816  vbc.exe  34
  PID 2816 wrote to memory of 2740  2816  vbc.exe  34
  PID 2816 wrote to memory of 2740  2816  vbc.exe  34
  PID 2696 wrote to memory of 2580  2696  cmd.exe  39
  PID 2696 wrote to memory of 2580  2696  cmd.exe  39
  PID 2696 wrote to memory of 2580  2696  cmd.exe  39
  PID 2696 wrote to memory of 2580  2696  cmd.exe  39
  PID 2868 wrote to memory of 2596  2868  cmd.exe  41
  PID 2868 wrote to memory of 2596  2868  cmd.exe  41
  PID 2868 wrote to memory of 2596  2868  cmd.exe  41
  PID 2868 wrote to memory of 2596  2868  cmd.exe  41
  PID 2740 wrote to memory of 2588  2740  cmd.exe  40
  PID 2740 wrote to memory of 2588  2740  cmd.exe  40
  PID 2740 wrote to memory of 2588  2740  cmd.exe  40
  PID 2740 wrote to memory of 2588  2740  cmd.exe  40
  PID 2996 wrote to memory of 2624  2996  cmd.exe  42
  PID 2996 wrote to memory of 2624  2996  cmd.exe  42
  PID 2996 wrote to memory of 2624  2996  cmd.exe  42
  PID 2996 wrote to memory of 2624  2996  cmd.exe  42
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe"
  PID: 1856
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    PID: 2816
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2996
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2624
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      PID: 2696
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        PID: 2580
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2868
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2596
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll32.exe:*:Enabled:Windows Messanger" /f
      PID: 2740
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll32.exe:*:Enabled:Windows Messanger" /f
        PID: 2588
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key