Analysis
max time kernel: 5s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2025, 07:30

Behavioral task behavioral1
Sample: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
Resource: win10v2004-20241007-en

General
Target: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
Size: 1.1MB
MD5: 118b0cf69d8ad29222171ec229e24006
SHA1: f444a187dc9a5fc779506bd458c4ebaf048526fe
SHA256: f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc
SHA512: 293d19c9c85a4aac89f0ad8d1f9b77b06d9c5beadbbd8e0e7bca90be814aed4bc4e250434393b498a1309ede31d0634a65c60bda3a8e8612969a1fa4746ae37b
SSDEEP: 12288:BwG9izpJ5n46SncBH7MTX0svLv/HbHt4SpcHGAB/Kc27P5HV0HiG+uLP6njiY25P:nMxIl4
Malware Config
(no extracted configuration is shown on this page)

Signatures
All signature IoCs below come from behavioral2 (win10v2004-20241007-en); the page shows no behavioral1 (win7) results.
Blackshades
Blackshades is a commodity remote access trojan (RAT). On this run the family yara rule fires only in the memory of PID 4044, the last of the dropped C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe instances; the UPX-packed file on disk matches only the upx rule, so the family detection comes from the unpacked payload in memory, not from the sample itself.

Blackshades family

Blackshades payload 11 IoCs
resource / yara_rule (dump sequence numbers for the same process and region are collected in braces):
behavioral2/memory/4044-{68,71,83,85,88,90,92,95,97,99,104}-0x0000000000400000-0x000000000047B000-memory.dmp family_blackshades
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
Executes dropped EXE 1 IoCs
pid / Process:
4896  svchost.exe
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / Process:
Set value (str)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Roaming\\MSSN\\svchost.exe"  reg.exe
Suspicious use of SetThreadContext 2 IoCs
description / pid / Process / procid_target:
PID 1664 set thread context of 4840  1664  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe  83
PID 1664 set thread context of 4284  1664  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe  84
UPX packed (yara rule upx) 30 IoCs
Matches of the upx yara rule in process memory and in one dropped file (resource / yara_rule; dump sequence numbers for the same process and region are collected in braces):
behavioral2/memory/1664-{0,12,17,19}-0x0000000000400000-0x0000000000521000-memory.dmp upx
behavioral2/memory/4284-{13,15,18,56,78}-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral2/files/0x000a000000023b6a-35.dat upx
behavioral2/memory/4896-{43,46,47,63,75}-0x0000000000400000-0x0000000000521000-memory.dmp upx
behavioral2/memory/4944-{64,80}-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral2/memory/4044-{65,67,68,71,83,85,88,90,92,95,97,99,104}-0x0000000000400000-0x000000000047B000-memory.dmp upx
Note the mapped sizes at the image base 0x400000: PIDs 1664 and 4896 map 0x121000 bytes (the size of the 1.1MB packed image), while PIDs 4284 and 4944 map only 0xB000 and PID 4044 maps 0x7B000. The child processes therefore do not carry their parent's image at the base address, which is what one expects after the SetThreadContext/WriteProcessMemory activity listed in this report.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Modifies registry key 1 TTPs 4 IoCs
pid / Process:
2736  reg.exe
2384  reg.exe
4200  reg.exe
4104  reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process:
4840  svchost.exe  (64 identical entries)
Suspicious use of SetWindowsHookEx 4 IoCs
pid / Process:
1664  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
4840  svchost.exe
4284  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
4896  svchost.exe
Suspicious use of WriteProcessMemory 26 IoCs
description / pid / Process / procid_target (identical repeated entries collapsed, count in brackets):
PID 1664 wrote to memory of 4840  1664  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe  83  (x9)
PID 1664 wrote to memory of 4284  1664  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe  84  (x8)
PID 4284 wrote to memory of 3708  4284  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe  86  (x3)
PID 3708 wrote to memory of 1600  3708  cmd.exe  90  (x3)
PID 4284 wrote to memory of 4896  4284  f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe  91  (x3)
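As an added worked example (not part of the sandbox report or of the sandbox's own tooling), the Python below parses a subset of the memory-dump identifiers listed in the signatures above, groups them by process and mapped region, and checks them against the SetThreadContext events and the process list from the tree that follows. The identifier layout <task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp is assumed from the strings as printed; the process-to-image mapping is transcribed from the report's process tree, and the "likely replaced" heuristic is an analyst inference, not a sandbox verdict.

```python
"""Correlate sandbox yara hits with SetThreadContext targets.

Added example; not part of the report. The identifier format
<task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp is assumed from the
strings printed in the report.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Subset of the (resource, yara_rule) pairs listed in the report.
YARA_HITS = [
    ("behavioral2/memory/1664-0-0x0000000000400000-0x0000000000521000-memory.dmp", "upx"),
    ("behavioral2/memory/4284-13-0x0000000000400000-0x000000000040B000-memory.dmp", "upx"),
    ("behavioral2/files/0x000a000000023b6a-35.dat", "upx"),
    ("behavioral2/memory/4896-43-0x0000000000400000-0x0000000000521000-memory.dmp", "upx"),
    ("behavioral2/memory/4944-64-0x0000000000400000-0x000000000040B000-memory.dmp", "upx"),
    ("behavioral2/memory/4044-65-0x0000000000400000-0x000000000047B000-memory.dmp", "upx"),
    ("behavioral2/memory/4044-68-0x0000000000400000-0x000000000047B000-memory.dmp", "family_blackshades"),
    ("behavioral2/memory/4044-71-0x0000000000400000-0x000000000047B000-memory.dmp", "family_blackshades"),
]

# "PID a set thread context of b" events from the report: (source pid, target pid).
SET_THREAD_CONTEXT = [(1664, 4840), (1664, 4284)]

# Process list transcribed from the report's process tree: pid -> (image, parent pid).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
SYS_SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
PROCESSES = {
    1664: (SAMPLE, None),
    4840: (SYS_SVCHOST, 1664),
    4284: (SAMPLE, 1664),
    4896: (DROPPED, 4284),
    3496: (SYS_SVCHOST, 4896),
    4944: (DROPPED, 4896),
    4044: (DROPPED, 4896),
}


def parse_dump(ident):
    """Return pid/sequence/region for a memory-dump identifier, or None for
    non-memory resources such as behavioral2/files/...dat."""
    m = DUMP_RE.match(ident)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(hits):
    """pid -> {'rules': set of rule names, 'regions': set of (start, end)}."""
    out = defaultdict(lambda: {"rules": set(), "regions": set()})
    for ident, rule in hits:
        d = parse_dump(ident)
        if d is None:
            continue
        out[d["pid"]]["rules"].add(rule)
        out[d["pid"]]["regions"].add((d["start"], d["end"]))
    return dict(out)


def triage(hits, stc_events, procs):
    """Map pid -> list of findings that deserve a manual look at the dump."""
    by_pid = regions_by_pid(hits)
    findings = {}

    def note(pid, msg):
        findings.setdefault(pid, []).append(msg)

    # 1. A family rule matching in memory means the payload was unpacked there.
    for pid, info in by_pid.items():
        fam = sorted(r for r in info["rules"] if r.startswith("family_"))
        if fam:
            note(pid, "payload matched " + ",".join(fam))

    # 2. SetThreadContext targets: a child whose thread context is rewritten by
    #    its parent right after creation is the process-hollowing pattern.
    for src, tgt in stc_events:
        tgt_regions = by_pid.get(tgt, {}).get("regions", set())
        src_regions = by_pid.get(src, {}).get("regions", set())
        if not tgt_regions:
            note(tgt, "SetThreadContext target with no yara hit (%s)" % procs[tgt][0])
        elif procs[tgt][0] == procs[src][0] and tgt_regions.isdisjoint(src_regions):
            # Same executable as the parent but a different mapping at the image
            # base: the child's original image was likely replaced (inference).
            note(tgt, "same image as %d but different mapping at base: likely replaced" % src)
    return findings


if __name__ == "__main__":
    for pid, msgs in sorted(triage(YARA_HITS, SET_THREAD_CONTEXT, PROCESSES).items()):
        print(pid, PROCESSES[pid][0])
        for m in msgs:
            print("   ", m)
```

Run as-is it produces three leads: 4044 carries the unpacked family payload; 4840 is a SetThreadContext target with no yara hit at all, so its contents still need a manual look at the dump; and 4284 is the same executable as its parent but maps only 0xB000 bytes at the image base instead of 0x121000, consistent with its original image having been replaced. The region comparison is deliberately narrow: an injected payload placed at a base other than 0x400000 would not be flagged by it, only by the family rule.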
Processes
What the tree shows: the submitted sample (PID 1664) starts a legitimate svchost.exe (4840; the command line says system32, but the 32-bit process is redirected to C:\Windows\SysWOW64) and a second copy of itself (4284), writes into both and sets their thread context, the process-hollowing sequence recorded in the SetThreadContext and WriteProcessMemory IoCs above. The second copy (4284) runs a dropped batch file, C:\Users\Admin\AppData\Local\Temp\UTXLB.bat, whose reg.exe call adds an HKCU Run value named "Svchost" pointing at C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe, then launches that dropped executable (4896). The dropped copy in turn starts another SysWOW64\svchost.exe (3496) and two more instances of itself (4944, 4044). Instance 4044, the only process in which the Blackshades family rule matched, uses cmd.exe/reg.exe to set DoNotAllowExceptions to 0 under HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile and to add AuthorizedApplications\List entries for MSSN\svchost.exe and C:\Users\Admin\AppData\Roaming\NAOO.exe, both carrying the display string "Windows Messanger" (sic). Two caveats for the analyst: NAOO.exe is referenced only in that firewall entry, no process or dropped file of that name appears on this page; and these StandardProfile values are the Windows XP-era firewall policy keys, whereas Windows Defender Firewall on the Windows 10 analysis image stores its rules under FirewallPolicy\FirewallRules, so treat the write as an indicator rather than assuming the exception took effect.

Tree (indentation shows parent/child; image path, then command line, PID and the signatures attributed to that process):

C:\Users\Admin\AppData\Local\Temp\f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe"
  PID: 1664
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      cmdline: "C:\Windows\system32\svchost.exe"
      PID: 4840
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc.exe"
      PID: 4284
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UTXLB.bat" "
          PID: 3708
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe
              cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /f
              PID: 1600
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
          PID: 4896
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\svchost.exe
              cmdline: "C:\Windows\system32\svchost.exe"
              PID: 3496

            C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
              cmdline: "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
              PID: 4944

            C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe
              cmdline: "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
              PID: 4044

                C:\Windows\SysWOW64\cmd.exe
                  cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                  PID: 3092

                    C:\Windows\SysWOW64\reg.exe
                      cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                      PID: 2736
                      - Modifies registry key

                C:\Windows\SysWOW64\cmd.exe
                  cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe:*:Enabled:Windows Messanger" /f
                  PID: 3604

                    C:\Windows\SysWOW64\reg.exe
                      cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe:*:Enabled:Windows Messanger" /f
                      PID: 4104
                      - Modifies registry key

                C:\Windows\SysWOW64\cmd.exe
                  cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                  PID: 3524

                    C:\Windows\SysWOW64\reg.exe
                      cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                      PID: 2384
                      - Modifies registry key

                C:\Windows\SysWOW64\cmd.exe
                  cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\NAOO.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\NAOO.exe:*:Enabled:Windows Messanger" /f
                  PID: 2800

                    C:\Windows\SysWOW64\reg.exe
                      cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\NAOO.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\NAOO.exe:*:Enabled:Windows Messanger" /f
                      PID: 4200
                      - Modifies registry key
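The Run-key and firewall-policy writes in the tree above are the host-side indicators worth turning into a detection. As an added example (not part of the report), the Python below normalises registry key paths as they appear both in native form (\REGISTRY\USER\<SID>\... as in the signature IoCs) and in reg.exe command lines (HKCU\..., HKLM\...), then applies four checks to Sysmon-style registry-set events. The three malicious events are constructed from the reg.exe command lines above; the field names Image/TargetObject/Details are those of Sysmon event 13, and the two benign events and the list of system-binary names are assumptions made for the example.

```python
"""Flag the registry writes seen in this report in Sysmon-style events.

Added example; not part of the report. EVENTS is constructed from the
reg.exe command lines in the process tree plus two benign events
(assumed) to show what is not flagged.
"""
import re

SID_USER = "S-1-5-21-2045521122-590294423-3465680274-1000"  # user SID from the report
DROPPED = r"C:\Users\Admin\AppData\Roaming\MSSN\svchost.exe"
FWP = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"

EVENTS = [
    # 1. HKCU Run value "Svchost" -> dropped binary in %AppData% (native key form)
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": "\\REGISTRY\\USER\\" + SID_USER
                     + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost",
     "Details": DROPPED},
    # 2. DoNotAllowExceptions = 0 (re-enables firewall exceptions)
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": FWP + r"\DoNotAllowExceptions",
     "Details": "DWORD (0x00000000)"},
    # 3. legacy AuthorizedApplications\List entry for the dropped binary
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": FWP + r"\AuthorizedApplications\List" + "\\" + DROPPED,
     "Details": DROPPED + ":*:Enabled:Windows Messanger"},
    # 4./5. constructed benign events: vendor autorun under Program Files, exceptions disabled
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": FWP + r"\DoNotAllowExceptions",
     "Details": "DWORD (0x00000001)"},
]

# Names that legitimately live only under \Windows\ (assumed list for the example).
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
RUN_KEYS = (r"hkcu\software\microsoft\windows\currentversion\run",
            r"hklm\software\microsoft\windows\currentversion\run")
FW_PROFILE = r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy"


def normalize_key(key):
    """Lower-case, map native and alias hive prefixes to hklm/hkcu, drop the
    per-user SID and pin ControlSetNNN to CurrentControlSet."""
    k = key.lower()
    k = re.sub(r"^\\registry\\machine\\", r"hklm\\", k)
    k = re.sub(r"^hkey_local_machine\\", r"hklm\\", k)
    k = re.sub(r"^\\registry\\user\\", r"hku\\", k)
    k = re.sub(r"^hkey_users\\", r"hku\\", k)
    k = re.sub(r"^hkey_current_user\\", r"hkcu\\", k)
    k = re.sub(r"^hku\\s-1-5-21-[0-9-]+\\", r"hkcu\\", k)
    k = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", k)
    return k


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000000)' or a plain number; None otherwise."""
    m = re.fullmatch(r"(?:dword \()?(0x[0-9a-f]+|[0-9]+)\)?", details.strip().lower())
    if not m:
        return None
    v = m.group(1)
    return int(v, 16) if v.startswith("0x") else int(v, 10)


def check_event(ev):
    """Return the names of the checks a registry-set event trips."""
    key = normalize_key(ev["TargetObject"])
    data = ev.get("Details", "")
    d = data.lower()
    hits = []
    if key.startswith(tuple(r + "\\" for r in RUN_KEYS)):
        # autorun target inside a user-writable profile directory
        if "\\appdata\\" in d or "\\users\\public\\" in d:
            hits.append("autorun_from_user_profile")
        # autorun target named like a system binary but not under \Windows\
        exe = re.search(r'([^\\"]+\.exe)', d)
        if exe and exe.group(1) in SYSTEM_NAMES and "\\windows\\" not in d:
            hits.append("system_binary_name_outside_windows")
    if key.startswith(FW_PROFILE + "\\"):
        if key.endswith("\\donotallowexceptions") and dword_value(data) == 0:
            hits.append("firewall_exceptions_reenabled")
        if "\\authorizedapplications\\list\\" in key and ":enabled:" in d:
            hits.append("firewall_authorized_app_added")
    return hits


def scan(events):
    """(Image, TargetObject, hits) for every event that trips at least one check."""
    out = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            out.append((ev["Image"], ev["TargetObject"], hits))
    return out


if __name__ == "__main__":
    for image, target, hits in scan(EVENTS):
        print(image, "->", target, hits)
```

Of the five events, only the three transcribed from the report are flagged. The autorun_from_user_profile check on its own is noisy in a real fleet, since per-user installers also register Run values under AppData\Local, so pair it with a signer or hash allowlist; the combination with a system-binary name outside \Windows\, as with the "Svchost" value here, is the higher-fidelity signal. Any write at all under the legacy StandardProfile\AuthorizedApplications\List on a Windows 10 host is worth alerting on, regardless of whether the firewall honours it.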
Network
MITRE ATT&CK Enterprise v15
Downloads
Two files are listed; the page does not name them. Neither hash matches the submitted sample (SHA256 f1090050fce952636a74b00964055907adcea8528ae75fec6d4aafecae77b9fc), so the 1.1MB file, whatever it is, is not a byte-for-byte copy of the original.

Filesize: 141B
MD5: eedf1bdeda7a9e6d314f346ae723cef1
SHA1: 0680703a702f23e44ca855381c8764cfb7ec406e
SHA256: c8eed6be01e84beeef07e298e0db3a86e14d265f176034c1a1b6b386f3766920
SHA512: 5d7081569bfea250054a49efea9d444ff7af9a351b959fec6197896622d9b0af4b32711c987493a088f2068834095e57ecd7856423b61fb5b950a7b704fdb364

Filesize: 1.1MB
MD5: 1460ce7c5a2abf4d20529f2e7b4e8d7e
SHA1: 1d28f1e3c9c2654d916eb3102907e9bfc4ff0d0a
SHA256: fbcc8d30455eba9035f6833f7424d196aa830f4bf93d184822b6a71334bf84a0
SHA512: 4776f4877b4d1af069207854eaa0e911486c6b2a81bebcbdbd7bb8fb0d61b214d469763f64b1d774165631691f064fde9920f755ba69b7b2a331b180bdd44d59