Analysis

  • max time kernel
    116s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/01/2025, 05:54

General

  • Target

    5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe

  • Size

    902KB

  • MD5

    b999866cb6f4de38d607097d8e7498f0

  • SHA1

    634494552ab4eecd3f82632d44fe2204293e0c91

  • SHA256

    5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9

  • SHA512

    8ac5ee137c5efe2d26e85899265abd3de09ab9a438cde7ae3bae73273d855a5fccbc6543772a621bc946c0a9151fe684a6529379b433adf757987d0337fa6716

  • SSDEEP

    12288:jNuF/n3rZXFw3mBfzCUWnbW3R+7orptr6X+IxyIq984O:huF/dXFWEfWUWnih+7ofr6LyI2O

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 12 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Drops startup file 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
    "C:\Users\Admin\AppData\Local\Temp\5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2624
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2596
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll32.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll32.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1856-0-0x00000000749D1000-0x00000000749D2000-memory.dmp

    Filesize

    4KB

  • memory/1856-1-0x00000000749D0000-0x0000000074F7B000-memory.dmp

    Filesize

    5.7MB

  • memory/1856-2-0x00000000749D0000-0x0000000074F7B000-memory.dmp

    Filesize

    5.7MB

  • memory/1856-19-0x00000000749D0000-0x0000000074F7B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-5-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-23-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2816-7-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-3-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-20-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-21-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-10-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-24-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-25-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-27-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-28-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-29-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-31-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2816-33-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB