Analysis

  • max time kernel
    116s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2025, 05:54

General

  • Target

    5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe

  • Size

    902KB

  • MD5

    b999866cb6f4de38d607097d8e7498f0

  • SHA1

    634494552ab4eecd3f82632d44fe2204293e0c91

  • SHA256

    5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9

  • SHA512

    8ac5ee137c5efe2d26e85899265abd3de09ab9a438cde7ae3bae73273d855a5fccbc6543772a621bc946c0a9151fe684a6529379b433adf757987d0337fa6716

  • SSDEEP

    12288:jNuF/n3rZXFw3mBfzCUWnbW3R+7orptr6X+IxyIq984O:huF/dXFWEfWUWnih+7ofr6LyI2O

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 11 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Drops startup file 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
    "C:\Users\Admin\AppData\Local\Temp\5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3100
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4032
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2320
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4460
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4608
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll32.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll32.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1264-14-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1264-19-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1264-25-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1264-3-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1264-5-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1264-23-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1264-22-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1264-17-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1264-20-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1264-18-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1264-15-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/4996-0-0x0000000075522000-0x0000000075523000-memory.dmp

    Filesize

    4KB

  • memory/4996-1-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

  • memory/4996-13-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB

  • memory/4996-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

    Filesize

    5.7MB