Analysis

max time kernel: 116s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2025, 05:54

Static task: static1

Behavioral task: behavioral1
  Sample: 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
  Resource: win10v2004-20241007-en

General

Target: 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
Size: 902KB
MD5: b999866cb6f4de38d607097d8e7498f0
SHA1: 634494552ab4eecd3f82632d44fe2204293e0c91
SHA256: 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9
SHA512: 8ac5ee137c5efe2d26e85899265abd3de09ab9a438cde7ae3bae73273d855a5fccbc6543772a621bc946c0a9151fe684a6529379b433adf757987d0337fa6716
SSDEEP: 12288:jNuF/n3rZXFw3mBfzCUWnbW3R+7orptr6X+IxyIq984O:huF/dXFWEfWUWnih+7ofr6LyI2O
Malware Config
Signatures
- Blackshades
Blackshades is a commodity remote access trojan (RAT) sold openly until the 2014 law-enforcement action against its author and operators. Its capabilities include keylogging, screen and webcam capture, file theft, and use of infected hosts for DDoS. The signatures below (all from behavioral2, the Windows 10 run) are the memory-dump YARA matches and the behaviour that places the payload inside a hollowed host process.
- Blackshades family
- Blackshades payload (11 IoCs)
All eleven YARA hits are the same region of PID 1264 (vbc.exe), captured at successive dump points. The region starts at 0x00400000, the default preferred image base of a 32-bit executable, which is what one expects when a payload is mapped over the host's own image.

resource | yara_rule
behavioral2/memory/1264-3-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/1264-5-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/1264-14-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/1264-15-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/1264-17-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/1264-18-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/1264-19-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/1264-20-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/1264-22-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/1264-23-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
behavioral2/memory/1264-25-0x0000000000400000-0x0000000000470000-memory.dmp | family_blackshades
- Modifies firewall policy service (3 TTPs, 10 IoCs)
All writes are made by reg.exe (spawned via cmd.exe from the hollowed vbc.exe) under HKLM\System\CurrentControlSet, which the sandbox records as ControlSet001. The values use the legacy Windows XP-era firewall policy layout: DoNotAllowExceptions = 0 ensures the exception list is honoured, and each AuthorizedApplications\List value has the form path:scope:Enabled:name. One entry allow-lists the hollowed host vbc.exe; the other allow-lists C:\Users\Admin\AppData\Roaming\rundll32.exe, a file named after a system binary but placed in a user-writable directory (this report lists no file write to that path, so it is presumably created later in the payload's lifecycle). The misspelled description "Windows Messanger" is the sample's own string, preserved verbatim here, and is a usable detection pivot. The report lists no network indicators, so whether the exception is actually effective on the Windows 10 firewall is not evidenced; treat these writes as an intent indicator.

description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
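The registry IoCs above can be triaged mechanically. The following is an added example, not part of this report or of the sandbox's own signature engine: it replays event tuples constructed from the report's firewall policy writes (same key paths, value names and data, plus one constructed benign control entry from a hypothetical installer) through a small rule set that flags the two things a responder cares about here, an exception for a binary in a user-writable path masquerading as a system binary, and an exception for a signed compiler host. The rule names, severities and the helper functions are my own.

```python
"""Triage of Windows Firewall policy registry writes.

Added example, not part of the sandbox report or of any tool it names. The
event tuples below are constructed from the registry IoCs in the report
(same paths, value names and data); the rule names and thresholds are mine.
"""
import re
from pathlib import PureWindowsPath

FW_POLICY = ("\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess"
             "\\Parameters\\FirewallPolicy\\StandardProfile")
LIST_KEY = FW_POLICY + "\\AuthorizedApplications\\List\\"

# Legacy exception-list value format: "<path>:<scope>:<Enabled|Disabled>:<name>".
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^:]*):(?P<scope>[^:]*)"
                      r":(?P<state>Enabled|Disabled):(?P<name>.*)$")

# Names that only belong under C:\Windows; a copy elsewhere is masquerading.
SYSTEM_BINARY_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe",
                       "lsass.exe", "csrss.exe", "winlogon.exe"}
# Signed Microsoft compilers/build tools that rarely need inbound exceptions.
COMPILER_HOSTS = {"vbc.exe", "csc.exe", "jsc.exe", "msbuild.exe"}

# (operation, registry target, data, writing process): constructed from the
# report's "Modifies firewall policy service" IoCs, plus one benign control.
SAMPLE_EVENTS = [
    ("Set value (int)", FW_POLICY + "\\DoNotAllowExceptions", "0", "reg.exe"),
    ("Set value (str)", LIST_KEY + "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe",
     "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe:*:Enabled:Windows Messanger",
     "reg.exe"),
    ("Set value (str)",
     LIST_KEY + "C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
     "C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger",
     "reg.exe"),
    # Constructed benign control (hypothetical installer allow-listing its own program).
    ("Set value (str)", LIST_KEY + "C:\\Program Files\\Example\\app.exe",
     "C:\\Program Files\\Example\\app.exe:*:Enabled:Example App", "msiexec.exe"),
]


def _user_writable(path: PureWindowsPath) -> bool:
    """True for roots an unprivileged user can write to (Users, ProgramData, Temp)."""
    parts = [p.lower() for p in path.parts]
    return len(parts) > 1 and parts[1] in {"users", "programdata", "temp"}


def triage_firewall_events(events):
    """Return a list of findings (severity, rule, detail) for firewall policy writes."""
    findings = []
    for op, target, data, proc in events:
        if target.lower().endswith("\\donotallowexceptions") and data == "0":
            findings.append({"severity": "medium", "rule": "exceptions-honored",
                             "detail": f"{proc} set DoNotAllowExceptions=0"})
            continue
        if not target.lower().startswith(LIST_KEY.lower()):
            continue
        m = ENTRY_RE.match(data)
        if m is None:
            findings.append({"severity": "low", "rule": "unparsable-entry", "detail": data})
            continue
        if m["state"] != "Enabled":
            continue
        path = PureWindowsPath(m["path"])
        name = path.name.lower()
        under_windows = str(path).lower().startswith("c:\\windows")
        # The value name is supposed to be the same path as the data's first field.
        if m["path"].lower() != target[len(LIST_KEY):].lower():
            findings.append({"severity": "low", "rule": "value-name-path-mismatch",
                             "detail": f"{target} -> {m['path']}"})
        if _user_writable(path):
            findings.append({"severity": "high", "rule": "exception-for-user-writable-path",
                             "detail": str(path)})
        if name in SYSTEM_BINARY_NAMES and not under_windows:
            findings.append({"severity": "high", "rule": "system-binary-name-outside-windows",
                             "detail": str(path)})
        if name in COMPILER_HOSTS:
            findings.append({"severity": "medium", "rule": "exception-for-compiler-host",
                             "detail": str(path)})
        if proc.lower() == "reg.exe":
            findings.append({"severity": "low", "rule": "written-via-reg.exe",
                             "detail": f"{proc} -> {path} ({m['name']})"})
    return findings


def worst_severity(findings):
    """Highest severity present, or "none" for an empty finding list."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((f["severity"] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in triage_firewall_events(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']}: {f['detail']}")
```

On the constructed events the benign Program Files entry produces no finding, while the two entries from the report produce the high-severity masquerading and user-writable-path hits, so the same rules can run over Sysmon event ID 13 (RegistryEvent value set) data with no change beyond the input adapter.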
- Drops startup file (2 IoCs)
The sample persists by writing a randomly named executable into the per-user Startup folder.

description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jjLUgIcHfxXxJDVEbL.exe | 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jjLUgIcHfxXxJDVEbL.exe | 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
- Uses the VBS compiler for execution (1 TTPs)
Signature name as reported. The binary involved is vbc.exe, the .NET Framework 2.0 Visual Basic compiler (not the VBScript engine); it is launched with no arguments and serves only as a signed, trusted-looking host process for the injected payload (see the process tree below).
- Suspicious use of SetThreadContext (1 IoCs)
PID 4996 (the sample) sets the thread context of PID 1264 (vbc.exe). Together with the eight WriteProcessMemory calls from 4996 into 1264 recorded below and the Blackshades payload found in 1264's memory at the default image base, this matches process hollowing (RunPE): the benign host is overwritten with the payload and its main thread redirected to the payload's entry point before it runs.

description | pid | Process | procid_target
PID 4996 set thread context of 1264 | 4996 | 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe | 83
- System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that the NLS\Language key is opened here by the sample, vbc.exe, cmd.exe and reg.exe alike; ordinary system processes read it when they load locale information, so this signature is weak in isolation and only meaningful alongside the injection and firewall behaviour.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Modifies registry key (1 TTPs, 4 IoCs)

pid | Process
4608 | reg.exe
4032 | reg.exe
3940 | reg.exe
4460 | reg.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
All 35 adjustments are made by PID 1264 (vbc.exe, i.e. the injected payload). The entries the report prints as bare numbers (Token: 1 and Token: 31 to 35) are privilege LUIDs it does not map to names; taken with the named ones they form the contiguous range 1 to 35, so the payload is enabling every privilege by number rather than requesting the specific ones it needs. Which of them actually succeed depends on the token the sample runs under; the report only records the attempts.

description | pid | Process
Token: 1 | 1264 | vbc.exe
Token: SeCreateTokenPrivilege | 1264 | vbc.exe
Token: SeAssignPrimaryTokenPrivilege | 1264 | vbc.exe
Token: SeLockMemoryPrivilege | 1264 | vbc.exe
Token: SeIncreaseQuotaPrivilege | 1264 | vbc.exe
Token: SeMachineAccountPrivilege | 1264 | vbc.exe
Token: SeTcbPrivilege | 1264 | vbc.exe
Token: SeSecurityPrivilege | 1264 | vbc.exe
Token: SeTakeOwnershipPrivilege | 1264 | vbc.exe
Token: SeLoadDriverPrivilege | 1264 | vbc.exe
Token: SeSystemProfilePrivilege | 1264 | vbc.exe
Token: SeSystemtimePrivilege | 1264 | vbc.exe
Token: SeProfSingleProcessPrivilege | 1264 | vbc.exe
Token: SeIncBasePriorityPrivilege | 1264 | vbc.exe
Token: SeCreatePagefilePrivilege | 1264 | vbc.exe
Token: SeCreatePermanentPrivilege | 1264 | vbc.exe
Token: SeBackupPrivilege | 1264 | vbc.exe
Token: SeRestorePrivilege | 1264 | vbc.exe
Token: SeShutdownPrivilege | 1264 | vbc.exe
Token: SeDebugPrivilege | 1264 | vbc.exe
Token: SeAuditPrivilege | 1264 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 1264 | vbc.exe
Token: SeChangeNotifyPrivilege | 1264 | vbc.exe
Token: SeRemoteShutdownPrivilege | 1264 | vbc.exe
Token: SeUndockPrivilege | 1264 | vbc.exe
Token: SeSyncAgentPrivilege | 1264 | vbc.exe
Token: SeEnableDelegationPrivilege | 1264 | vbc.exe
Token: SeManageVolumePrivilege | 1264 | vbc.exe
Token: SeImpersonatePrivilege | 1264 | vbc.exe
Token: SeCreateGlobalPrivilege | 1264 | vbc.exe
Token: 31 | 1264 | vbc.exe
Token: 32 | 1264 | vbc.exe
Token: 33 | 1264 | vbc.exe
Token: 34 | 1264 | vbc.exe
Token: 35 | 1264 | vbc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
Three hooks are installed by the injected payload in vbc.exe; the report does not record the hook type.

pid | Process
1264 | vbc.exe
1264 | vbc.exe
1264 | vbc.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
Eight writes from the sample (4996) into vbc.exe (1264) are the injection; the remaining writes are each parent writing into a child it has just created (vbc.exe into four cmd.exe instances, each cmd.exe into its reg.exe), which is ordinary CreateProcess behaviour.

description | pid | Process | procid_target
PID 4996 wrote to memory of 1264 | 4996 | 5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe | 83 (recorded 8 times)
PID 1264 wrote to memory of 3100 | 1264 | vbc.exe | 84 (recorded 3 times)
PID 1264 wrote to memory of 2320 | 1264 | vbc.exe | 85 (recorded 3 times)
PID 1264 wrote to memory of 4388 | 1264 | vbc.exe | 86 (recorded 3 times)
PID 1264 wrote to memory of 2272 | 1264 | vbc.exe | 87 (recorded 3 times)
PID 3100 wrote to memory of 4032 | 3100 | cmd.exe | 92 (recorded 3 times)
PID 4388 wrote to memory of 4608 | 4388 | cmd.exe | 93 (recorded 3 times)
PID 2272 wrote to memory of 3940 | 2272 | cmd.exe | 94 (recorded 3 times)
PID 2320 wrote to memory of 4460 | 2320 | cmd.exe | 95 (recorded 3 times)
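The SetThreadContext and WriteProcessMemory signatures above only become a hollowing verdict when they are paired per source/target process and corroborated by the memory YARA hits. The following is an added example, not part of this report or of the sandbox's own detection logic: it replays API events constructed from the report's IoCs (the sample writing into and re-contexting vbc.exe, and the later benign child-creation writes from vbc.exe and cmd.exe) together with the YARA hit region, and emits a finding only where a writer also hijacks the target's thread context. The scoring rules, the `trusted_roots` heuristic and the function names are my own.

```python
"""Process hollowing detection from API-event pairs.

Added example, not part of the sandbox report. The events below are constructed
from the report's SetThreadContext and WriteProcessMemory IoCs and its YARA
memory hits; the scoring rules are mine.
"""
from collections import defaultdict

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe")
VBC = "C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
REG = "C:\\Windows\\SysWOW64\\reg.exe"

# (api, source pid, source image, target pid, target image), constructed from
# the report: 8 writes plus one SetThreadContext from the sample into vbc.exe,
# then ordinary child-creation writes vbc.exe -> cmd.exe and cmd.exe -> reg.exe.
SAMPLE_API_EVENTS = (
    [("WriteProcessMemory", 4996, SAMPLE, 1264, VBC)] * 8
    + [("SetThreadContext", 4996, SAMPLE, 1264, VBC)]
    + [("WriteProcessMemory", 1264, VBC, child, CMD)
       for child in (3100, 2320, 4388, 2272) for _ in range(3)]
    + [("WriteProcessMemory", 3100, CMD, 4032, REG)] * 3
)

# YARA hits keyed by (pid, region start, region end), from the report's
# "Blackshades payload" signature (eleven dumps of the same region of pid 1264).
SAMPLE_YARA_HITS = {(1264, 0x400000, 0x470000): "family_blackshades"}

DEFAULT_IMAGE_BASE = 0x400000  # preferred base of most 32-bit executables


def find_hollowing(api_events, yara_hits=None, trusted_roots=("c:\\windows",)):
    """Pair WriteProcessMemory with SetThreadContext per (source, target) process.

    A source that both writes into a target and replaces the target's thread
    context is hijacking that process. When the target is a binary under a
    trusted root and a payload family sits at the default image base, that is
    the process hollowing (RunPE) pattern; otherwise it is reported as a plain
    thread context hijack.
    """
    yara_hits = yara_hits or {}
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0})
    images = {}
    for api, spid, simg, dpid, dimg in api_events:
        if spid == dpid:
            continue  # a process writing its own memory is not injection
        images[spid], images[dpid] = simg, dimg
        if api == "WriteProcessMemory":
            pairs[(spid, dpid)]["writes"] += 1
        elif api == "SetThreadContext":
            pairs[(spid, dpid)]["ctx"] += 1

    findings = []
    for (spid, dpid), rec in pairs.items():
        if rec["ctx"] == 0 or rec["writes"] == 0:
            # CreateProcess writes into a fresh child look identical, minus the
            # context change, so writes alone never produce a finding.
            continue
        hits = [((lo, hi), fam) for (pid, lo, hi), fam in yara_hits.items() if pid == dpid]
        dimg = images[dpid]
        finding = {
            "source": (spid, images[spid]),
            "target": (dpid, dimg),
            "writes": rec["writes"],
            "trusted_host": dimg.lower().startswith(tuple(trusted_roots)),
            "payload_families": sorted({fam for _, fam in hits}),
            "image_base_overwritten": any(lo == DEFAULT_IMAGE_BASE for (lo, _), _ in hits),
        }
        finding["verdict"] = ("process hollowing" if finding["trusted_host"]
                              else "thread context hijack")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_API_EVENTS, SAMPLE_YARA_HITS):
        print(f"{f['verdict']}: {f['source']} -> {f['target']} "
              f"({f['writes']} writes, payload={f['payload_families']})")
```

The same pairing works over Sysmon event ID 8 (CreateRemoteThread) and ID 10 (ProcessAccess with write/set-context access masks) once the events are normalised to the tuple shape used here; the child-creation writes from vbc.exe and cmd.exe deliberately remain in the sample to show they are not flagged.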
Processes

Depth numbers give the position in the process tree (1 = the sample, 2 = the hollowed host, 3 = the cmd.exe wrappers, 4 = the reg.exe children that perform the firewall policy writes).

1. C:\Users\Admin\AppData\Local\Temp\5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5feed841eeb8d847030e4dd0775aa8f189f1ab5d75c63e9b568b186beac4b3b9N.exe"
   PID: 4996
   - Drops startup file
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 1264
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
         PID: 3100
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 4032
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
         PID: 2320
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
            PID: 4460
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
         PID: 4388
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID: 4608
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll32.exe:*:Enabled:Windows Messanger" /f
         PID: 2272
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll32.exe:*:Enabled:Windows Messanger" /f
            PID: 3940
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key