Analysis
max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24/01/2025, 09:12
Static task: static1
Behavioral task: behavioral1
Sample: 4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe
Resource: win10v2004-20241007-en
General
Target: 4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe
Size: 532KB
MD5: ca7d764e5f88e8bfb426d4b263c854b0
SHA1: 570dae348b8962af4899968d9447c65730076127
SHA256: 4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7
SHA512: b887f41bc68c0c5241964eb4229d6c189401bc6bbc68298f2c7d4b9bc5c52e524b9c55010ea29e7d23c3d602f44b6de52da6a83521c51504d9edc5fb869302d7
SSDEEP: 6144:qtPBoZ8OLmxerIMMusDZSPipg4tJF9jiclBOsdsg/YruNZqSmH9PJqCK/Nif8B0J:qwZ8WQMMzZHg4PqyvdTWuNL3ly8y7mm
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload (13 IoCs)
yara_rule family_blackshades matched 13 memory dumps, all taken from PID 2844 (vbc.exe) and all covering the same region 0x0000000000400000-0x0000000000459000:
- behavioral1/memory/2844-29-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-32-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-43-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-44-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-46-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-47-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-48-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-49-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-50-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-51-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-52-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-53-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral1/memory/2844-54-0x0000000000400000-0x0000000000459000-memory.dmp
Modifies firewall policy service (3 TTPs, 8 IoCs)
All eight writes are made by reg.exe and target the legacy FirewallPolicy keys under SharedAccess\Parameters. DoNotAllowExceptions = 0 keeps the exceptions list in force (the default setting), and the two AuthorizedApplications\List values whitelist the .NET compiler vbc.exe (the process the payload is injected into, see the SetThreadContext signature below) and a smithy4.exe path in the user's Roaming profile, both under the display name "Windows Messanger".
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\smithy4.exe = "C:\\Users\\Admin\\AppData\\Roaming\\smithy4.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" (reg.exe)
Executes dropped EXE (1 IoC)
- PID 2360: 4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe
Loads dropped DLL (5 IoCs)
- PID 692: 4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe (2 events)
- PID 2360: 4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe (3 events)
Uses the Visual Basic compiler (vbc.exe) for execution (1 TTP)
vbc.exe is the Visual Basic .NET command-line compiler shipped with the .NET Framework (here the v2.0.50727 copy), not a VBScript host. It is Microsoft-signed and lives under C:\Windows, which is why it is a popular host for injected code.
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe = "C:\\Users\\Admin\\AppData\\Roaming\\VwevhlMlwq\\JGdyXQMXoD\\3.10.26.5186\\4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe" (4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 2360 (4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe) set thread context of PID 2844 (vbc.exe, procid_target 32)
Together with the eight WriteProcessMemory events from 2360 into 2844 and the family_blackshades yara hits on the 0x400000-0x459000 region of PID 2844, this is the process-hollowing pattern: the dropped copy starts vbc.exe with no compiler arguments, writes the Blackshades payload into it and redirects its thread, so the RAT runs under the image name of a Microsoft-signed .NET compiler.
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by reg.exe (4 events), cmd.exe (4), vbc.exe (1) and 4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe (2)
Every process in the tree triggers this, including the cmd.exe and reg.exe helpers, so on its own it is not evidence of deliberate geolocation by the payload.
Modifies registry key (1 TTP, 4 IoCs)
- PID 2204: reg.exe
- PID 2556: reg.exe
- PID 2468: reg.exe
- PID 1796: reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
All 35 events come from PID 2844 (vbc.exe). The named privileges appear in LUID order (SeCreateTokenPrivilege is LUID 2, SeCreateGlobalPrivilege is LUID 30), and the unnamed entries 1 and 31 to 35 are the remaining LUIDs in that range that the sandbox did not resolve to a name: the payload tries to enable every privilege in its token rather than the ones it needs.
Tokens requested: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 2844: vbc.exe (3 events)
SetWindowsHookEx installs message hooks (keyboard and mouse hooks among them); here it is called from the hollowed vbc.exe process, not from the original sample.
Suspicious use of WriteProcessMemory (44 IoCs)
Each entry is "PID <writer> wrote to memory of <target>" with the writer's image and the target's process index; repeated events are counted:
- PID 692 (4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe) wrote to memory of PID 2360 (procid_target 31): 4 events
- PID 2360 (4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe) wrote to memory of PID 2844 (procid_target 32): 8 events
- PID 2844 (vbc.exe) wrote to memory of PID 3064 (procid_target 33): 4 events
- PID 2844 (vbc.exe) wrote to memory of PID 2908 (procid_target 34): 4 events
- PID 2844 (vbc.exe) wrote to memory of PID 276 (procid_target 35): 4 events
- PID 2844 (vbc.exe) wrote to memory of PID 1556 (procid_target 37): 4 events
- PID 276 (cmd.exe) wrote to memory of PID 2468 (procid_target 43): 4 events
- PID 3064 (cmd.exe) wrote to memory of PID 1796 (procid_target 42): 4 events
- PID 1556 (cmd.exe) wrote to memory of PID 2204 (procid_target 41): 4 events
- PID 2908 (cmd.exe) wrote to memory of PID 2556 (procid_target 44): 4 events
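As an added example (not part of the sandbox report), the following Python rebuilds the writer/target relationships from event lines in the format shown above and in the SetThreadContext signature, joins them with the yara hits on memory dumps, and reports parent/child pairs that look like hollowing of a trusted Windows binary. EVENT_LINES and PROCESS_IMAGES are constructed from this report's own events and process list; the TRUSTED_PREFIX rule is this example's assumption.

```python
"""Spot process hollowing in sandbox memory-access events.

Added example: a parent that both writes into a child and redirects the
child's thread, where the child is a trusted Windows image, is treated as
hollowing. Plain process creation also produces writes (every spawn in the
report shows four), so SetThreadContext is the discriminating event.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) ")
# e.g. behavioral1/memory/2844-29-0x0000000000400000-0x0000000000459000-memory.dmp family_blackshades
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp\s+(\S+)", re.I)

# Assumption for this example: images under the Windows directory are the
# "trusted host" a hollowing parent wants to hide behind.
TRUSTED_PREFIX = "c:\\windows\\"


@dataclass
class Hollowing:
    parent: int
    child: int
    child_image: str
    writes: int                            # WriteProcessMemory events parent -> child
    families: Tuple[str, ...]              # yara families matched in the child's memory
    regions: Tuple[Tuple[int, int], ...]   # (start, end) of the matched dumps


def parse_events(lines: Iterable[str]):
    """Return (write counts per pair, pairs with SetThreadContext, yara hits per pid)."""
    writes: Counter = Counter()
    thread_ctx = set()
    yara: Dict[int, set] = defaultdict(set)   # pid -> {(family, start, end)}
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            pair = (int(m.group(1)), int(m.group(3)))
            if m.group(2).startswith("wrote"):
                writes[pair] += 1
            else:
                thread_ctx.add(pair)
            continue
        m = YARA_RE.search(line)
        if m:
            yara[int(m.group(1))].add((m.group(4), int(m.group(2), 16), int(m.group(3), 16)))
    return writes, thread_ctx, yara


def detect_hollowing(lines: Iterable[str], images: Dict[int, str]) -> List[Hollowing]:
    writes, thread_ctx, yara = parse_events(lines)
    hits = []
    for parent, child in sorted(thread_ctx):
        image = images.get(child, "")
        if writes[(parent, child)] == 0 or not image.lower().startswith(TRUSTED_PREFIX):
            continue
        matched = sorted(yara.get(child, ()))
        hits.append(Hollowing(parent, child, image, writes[(parent, child)],
                              tuple(sorted({fam for fam, _, _ in matched})),
                              tuple((s, e) for _, s, e in matched)))
    return hits


# Constructed input: a subset of this report's event lines and process list.
SAMPLE = "4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe"
EVENT_LINES = (
    [f"PID 692 wrote to memory of 2360 692 {SAMPLE} 31"] * 4        # ordinary spawn
    + [f"PID 2360 wrote to memory of 2844 2360 {SAMPLE} 32"] * 8    # spawn plus payload writes
    + [f"PID 2360 set thread context of 2844 2360 {SAMPLE} 32"]
    + ["PID 2844 wrote to memory of 3064 2844 vbc.exe 33"] * 4        # ordinary spawn of cmd.exe
    + ["behavioral1/memory/2844-29-0x0000000000400000-0x0000000000459000-memory.dmp family_blackshades"]
)
PROCESS_IMAGES = {
    692: rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
    2360: rf"C:\Users\Admin\AppData\Roaming\VwevhlMlwq\JGdyXQMXoD\3.10.26.5186\{SAMPLE}",
    2844: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
    3064: r"C:\Windows\SysWOW64\cmd.exe",
}

if __name__ == "__main__":
    for h in detect_hollowing(EVENT_LINES, PROCESS_IMAGES):
        print(f"{h.parent} -> {h.child} {h.child_image}: {h.writes} writes, "
              f"families {h.families}, regions {[hex(s) + '-' + hex(e) for s, e in h.regions]}")
```

The cmd.exe child of vbc.exe is deliberately in the input: it is also a trusted image and also receives writes, but with no SetThreadContext it is reported as nothing more than a normal spawn.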
Processes
C:\Users\Admin\AppData\Local\Temp\4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe (depth 1, PID 692)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\VwevhlMlwq\JGdyXQMXoD\3.10.26.5186\4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe (depth 2, PID 2360)
    Command line: C:\Users\Admin\AppData\Roaming\VwevhlMlwq\JGdyXQMXoD\3.10.26.5186\4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3, PID 2844)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 3064)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe (depth 5, PID 1796)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2908)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe (depth 5, PID 2556)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 276)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe (depth 5, PID 2468)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1556)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\smithy4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\smithy4.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe (depth 5, PID 2204)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\smithy4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\smithy4.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
File (path not shown in the report)
Filesize: 18KB
MD5: 5fa07d6c6384d703766d7935de68850e
SHA1: 62f28a572b4d1d359db7017235912ad2599b8c1d
SHA256: 120e15dcc4a957649553cd92a5477db9dcbfd9a2cd821e1c904044b5a92d726f
SHA512: 7775375f44e0cb00f9bffc023d797dbdb01ebe8429ccfacd7df57beb04427ef309c192d571051242aad1bc400f721f449f86deeb1e5f5d64b6f516bf24e92cc4

\Users\Admin\AppData\Roaming\VwevhlMlwq\JGdyXQMXoD\3.10.26.5186\4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7N.exe
Filesize: 532KB
MD5: ca7d764e5f88e8bfb426d4b263c854b0
SHA1: 570dae348b8962af4899968d9447c65730076127
SHA256: 4ed6baca32396f0b76dc02d002ec2a9d13b0b6a7446453fc569f13bf27580ba7
SHA512: b887f41bc68c0c5241964eb4229d6c189401bc6bbc68298f2c7d4b9bc5c52e524b9c55010ea29e7d23c3d602f44b6de52da6a83521c51504d9edc5fb869302d7
These hashes are identical to the submitted sample, so the Roaming copy that the Run key points at is a byte-for-byte self-copy rather than a second-stage binary.