Analysis Overview
SHA256
c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103
Threat Level: Known bad
The file c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe was found to be: Known bad.
Malicious Activity Summary
Blackshades
Modifies firewall policy service
Blackshades family
Blackshades payload
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-24 12:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-24 12:08
Reported
2025-01-24 12:10
Platform
win7-20240903-en
Max time kernel
75s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe
"C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe"
Network
Files
memory/2692-10-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2692-20-0x0000000000370000-0x0000000000371000-memory.dmp
memory/2692-8-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2692-2-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2692-44-0x0000000000470000-0x0000000000471000-memory.dmp
memory/2692-54-0x00000000004B0000-0x00000000004B1000-memory.dmp
memory/2692-64-0x00000000023E0000-0x00000000023E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-24 12:08
Reported
2025-01-24 12:10
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\test2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\test2.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe = "C:\\Users\\Admin\\AppData\\Roaming\\wrinlogon\\winlogron.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\java = "C:\\Users\\Admin\\AppData\\Roaming\\test2.exe" | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103CE0EA-65DC-FFFC-FEF1-AEA59BADFA21} | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103CE0EA-65DC-FFFC-FEF1-AEA59BADFA21}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\test2.exe" | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103CE0EA-65DC-FFFC-FEF1-AEA59BADFA21} | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{103CE0EA-65DC-FFFC-FEF1-AEA59BADFA21}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\test2.exe" | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrlogon = "C:\\Users\\Admin\\AppData\\Roaming\\wrinlogon\\winlogron.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\test2.exe" | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\test2.exe" | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4620 set thread context of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe | C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe |
| PID 3692 set thread context of 4028 | N/A | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe |
| PID 3692 set thread context of 2228 | N/A | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe
"C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe"
C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe
"C:\Users\Admin\AppData\Local\Temp\c720da1885457b604f1b62871985d20302d67bd3bd0556d4b1f419d309d69103.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKHPB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winrlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe" /f
C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe
"C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe"
C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe
"C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe"
C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe
"C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\test2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\test2.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\test2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\test2.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 192.168.1.100:81 | N/A | tcp |
| US | 8.8.8.8:53 | 139.136.73.23.in-addr.arpa | udp |
| N/A | 192.168.1.100:81 | N/A | tcp |
| N/A | 192.168.1.100:81 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| N/A | 192.168.1.100:81 | N/A | tcp |
| N/A | 192.168.1.100:81 | N/A | tcp |
| N/A | 192.168.1.100:81 | N/A | tcp |
| N/A | 192.168.1.100:81 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/4620-2-0x0000000002B20000-0x0000000002B21000-memory.dmp
memory/5104-3-0x0000000000400000-0x000000000040B000-memory.dmp
memory/5104-5-0x0000000000400000-0x000000000040B000-memory.dmp
memory/5104-6-0x0000000000400000-0x000000000040B000-memory.dmp
memory/5104-7-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JKHPB.txt
| Algorithm | Digest |
| --- | --- |
| MD5 | c231f3f30f5c8bbf79482522b3111d30 |
| SHA1 | fe756875d599c611238ed3a7befa301cc24d7c08 |
| SHA256 | 73f1db2a91e026e8a93ceca863926ed66352cf21315fd5348b92e52147a69dc6 |
| SHA512 | 744604a8db08ee73482b371a41712d2e6a624c5d86be3a8e5187366886869819486f0f2857280f6840f707509ca1cce3867ab2470862419797ea61c62936549a |
C:\Users\Admin\AppData\Roaming\wrinlogon\winlogron.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 6a78c883bbb1d881cdd344c0ba44e18c |
| SHA1 | 00727e58e6018d4740c8ade45d4f275537a9a09e |
| SHA256 | 5749ed399144882b64221659616837bb62fe5c28c00d0e7eeb9577db5452ef57 |
| SHA512 | 7dec17502da37686684c69ee1f0d6dff4530d3089333012364f4c3ce2d228071a4e4642f9118280902912204eaba4c79fb2ec2a8bef128c9c4d32d19e9e5c410 |
memory/5104-33-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3692-35-0x0000000000400000-0x0000000000467000-memory.dmp
memory/3692-47-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2228-46-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2228-39-0x0000000000400000-0x000000000045A000-memory.dmp
memory/5104-57-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4028-58-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2228-59-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2228-63-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2228-66-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2228-68-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2228-70-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2228-73-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2228-75-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2228-80-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2228-82-0x0000000000400000-0x000000000045A000-memory.dmp