Analysis
- max time kernel: 3s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 24/01/2025, 07:30
Behavioral task behavioral1
- Sample: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
- Resource: win10v2004-20241007-en
General
- Target: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
- Size: 1.1MB
- MD5: 118b0cf69d8ad29222171ec229e24006
- SHA1: f444a187dc9a5fc779506bd458c4ebaf048526fe
- SHA256: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc
- SHA512: 293d19c9c85a4aac89f0ad8d1f9b77b06d9c5beadbbd8e0e7bca90be814aed4bc4e250434393b498a1309ede31d0634a65c60bda3a8e8612969a1fa4746ae37b
- SSDEEP: 12288:BwG9izpJ5n46SncBH7MTX0svLv/HbHt4SpcHGAB/Kc27P5HV0HiG+uLP6njiY25P:nMxIl4
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 2 IoCs
resource: behavioral1/memory/2424-308-0x0000000000400000-0x000000000047B000-memory.dmp, yara_rule: family_blackshades
resource: behavioral1/memory/2424-318-0x0000000000400000-0x000000000047B000-memory.dmp, yara_rule: family_blackshades
-
Suspicious use of SetThreadContext 2 IoCs
description: PID 1992 set thread context of 2596, pid: 1992, Process: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe, procid_target: 31
description: PID 1992 set thread context of 3032, pid: 1992, Process: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe, procid_target: 32
-
resource / yara_rule
behavioral1/memory/1992-0-0x0000000000400000-0x0000000000521000-memory.dmp upx
behavioral1/memory/1992-96-0x0000000000400000-0x0000000000521000-memory.dmp upx
behavioral1/memory/1992-117-0x0000000000400000-0x0000000000521000-memory.dmp upx
behavioral1/memory/1992-105-0x0000000000400000-0x0000000000521000-memory.dmp upx
behavioral1/memory/1992-134-0x0000000000400000-0x0000000000521000-memory.dmp upx
behavioral1/memory/3032-140-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral1/memory/1992-139-0x0000000000400000-0x0000000000521000-memory.dmp upx
behavioral1/memory/3032-132-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral1/memory/3032-130-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral1/files/0x0009000000016ab9-165.dat upx
behavioral1/memory/1304-186-0x0000000000400000-0x0000000000521000-memory.dmp upx
behavioral1/memory/1304-309-0x0000000000400000-0x0000000000521000-memory.dmp upx
behavioral1/memory/1636-299-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral1/memory/3032-312-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral1/memory/2424-308-0x0000000000400000-0x000000000047B000-memory.dmp upx
behavioral1/memory/1636-315-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral1/memory/2424-318-0x0000000000400000-0x000000000047B000-memory.dmp upx
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: svchost.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
-
Modifies registry key 1 TTPs 4 IoCs
pid 1648 reg.exe
pid 996 reg.exe
pid 2096 reg.exe
pid 2500 reg.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 2596 svchost.exe (64 identical entries)
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid 1992 f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
pid 2596 svchost.exe
pid 3032 f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
description: PID 1992 wrote to memory of 2596, pid: 1992, Process: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe, procid_target: 31 (10 identical entries)
description: PID 1992 wrote to memory of 3032, pid: 1992, Process: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe, procid_target: 32 (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
  "C:\Users\Admin\AppData\Local\Temp\f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe"
  PID:1992
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    PID:2596
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
    "C:\Users\Admin\AppData\Local\Temp\f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe"
    PID:3032
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\KPLMX.bat" "
      PID:2916
      - C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /f
        PID:1608
    - C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
      "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
      PID:1304
      - C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        PID:304
      - C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
        "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
        PID:1636
      - C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
        "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
        PID:2424
        - C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID:1292
          - C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID:996
            - Modifies registry key
        - C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe:*:Enabled:Windows Messanger" /f
          PID:2428
          - C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe:*:Enabled:Windows Messanger" /f
            PID:2096
            - Modifies registry key
        - C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID:1740
          - C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            PID:2500
            - Modifies registry key
        - C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\NAOO.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\NAOO.exe:*:Enabled:Windows Messanger" /f
          PID:1752
          - C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\NAOO.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\NAOO.exe:*:Enabled:Windows Messanger" /f
            PID:1648
            - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 141B
  MD5: eedf1bdeda7a9e6d314f346ae723cef1
  SHA1: 0680703a702f23e44ca855381c8764cfb7ec406e
  SHA256: c8eed6be01e84beeef07e298e0db3a86e14d265f176034c1a1b6b386f3766920
  SHA512: 5d7081569bfea250054a49efea9d444ff7af9a351b959fec6197896622d9b0af4b32711c987493a088f2068834095e57ecd7856423b61fb5b950a7b704fdb364
- Filesize: 1.1MB
  MD5: bbcca58f982b6546cbb799f3e7e65567
  SHA1: 7f6e122112c174c2dfaead365a1ef4654264ed3d
  SHA256: 0f7f4ad2b38d06b070154b754cd3b675199065321cf383d5297e5425495ed830
  SHA512: 1698e5cd665e476fe0be4242fc911ec57ef125d2e826a97cdbd7779e2ca5154e3b93379d4b2fb595ff956c9a0c73dbef9ff6ae72f74658e34d585317ddbafe02