Analysis
- max time kernel: 119s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/01/2025, 13:23
Behavioral task behavioral1
- Sample: 5ac621a1620ff52d65b6e7e9743a6cee2c081e03fcd25a76fd03470ab387a494N.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 5ac621a1620ff52d65b6e7e9743a6cee2c081e03fcd25a76fd03470ab387a494N.exe
- Resource: win10v2004-20241007-en
General
- Target: 5ac621a1620ff52d65b6e7e9743a6cee2c081e03fcd25a76fd03470ab387a494N.exe
- Size: 285KB
- MD5: 1a78b19f76a98622679be739e2daabd0
- SHA1: 14bbe7569197ed2b5f969be09fd05465cc02ae9d
- SHA256: 5ac621a1620ff52d65b6e7e9743a6cee2c081e03fcd25a76fd03470ab387a494
- SHA512: c734608e9aad31f0086987d2d3ba55939be73a60a21b260e6a2a12c4d9ac976f4ee5fae47ff013b41c6a707de0e15a33f0923990cd99c57a8ed04d8bf15bc3be
- SSDEEP: 6144:+ZyKE4FBg+XHnZYkQGmzRrOEg0q/vjLm1AHkUm1Ys8xiV4DvtsJRlVDqa8GzNHLQ:NBaBnmtOwq/+1MkU68raJRHua8G9LcoK
Malware Config
Signatures
- Blackshades
  Blackshades is a remote access trojan with various capabilities.
- Blackshades family
- Blackshades payload (11 IoCs)
- Modifies firewall policy service (3 TTPs, 10 IoCs)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" (reg.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JavaWeb\\jusched.exe:*:Enabled:Windows Messanger" (reg.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (5ac621a1620ff52d65b6e7e9743a6cee2c081e03fcd25a76fd03470ab387a494N.exe)
- Executes dropped EXE (3 IoCs)
  - PID 1020 jusched.exe
  - PID 8 jusched.exe
  - PID 3952 jusched.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Machine = "C:\\Users\\Admin\\AppData\\Roaming\\JavaWeb\\jusched.exe" (reg.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 1020 (jusched.exe) set thread context of PID 8 (procid_target 87)
  - PID 1020 (jusched.exe) set thread context of PID 3952 (procid_target 88)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies registry key (1 TTPs, 4 IoCs)
  - PID 2280 reg.exe; PID 3464 reg.exe; PID 4960 reg.exe; PID 3288 reg.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  - PID 3984 5ac621a1620ff52d65b6e7e9743a6cee2c081e03fcd25a76fd03470ab387a494N.exe; PID 1020 jusched.exe; PID 8 jusched.exe; PID 8 jusched.exe; PID 3952 jusched.exe; PID 8 jusched.exe
- Suspicious use of WriteProcessMemory (49 IoCs)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\5ac621a1620ff52d65b6e7e9743a6cee2c081e03fcd25a76fd03470ab387a494N.exe (PID 3984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ac621a1620ff52d65b6e7e9743a6cee2c081e03fcd25a76fd03470ab387a494N.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe (PID 4140)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAxhg.bat" "
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\reg.exe (PID 1176)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Machine" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /f
      Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
  - [depth 2] C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe (PID 1020)
    Command line: "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe (PID 8)
      Command line: C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\cmd.exe (PID 4956)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\reg.exe (PID 3464)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          Signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
      - [depth 4] C:\Windows\SysWOW64\cmd.exe (PID 3524)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe:*:Enabled:Windows Messanger" /f
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\reg.exe (PID 3288)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe:*:Enabled:Windows Messanger" /f
          Signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
      - [depth 4] C:\Windows\SysWOW64\cmd.exe (PID 2728)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\reg.exe (PID 2280)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          Signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
      - [depth 4] C:\Windows\SysWOW64\cmd.exe (PID 2744)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\reg.exe (PID 4960)
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
          Signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    - [depth 3] C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe (PID 3952)
      Command line: C:\Users\Admin\AppData\Roaming\JavaWeb\jusched.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Impair Defenses (1)
    - Disable or Modify System Firewall (1)
  - Modify Registry (3)
Downloads
- Filesize: 149B
  MD5: 976ffa9a304b234c039c8739d97bb893
  SHA1: f70f7ede8b6e5d1b8a9b53c9bf43882485b55bd6
  SHA256: 2b77cf051bb584aada8b9e5e07cba06e2077b42f009c33d10e31994ceec10384
  SHA512: 1bd398b968736efbab740c81776781023a4ef0dc1c0191d6393a7582bd79b452666163691d82a27ee8989a1e293e6d6df57c303aa9b34497ae52be417f9e269c
- Filesize: 285KB
  MD5: 1fed9645e6ec3384d3e1b02cdb4d5ee7
  SHA1: 356bc70fc15b2357d383ce041af9435c8fcf45e8
  SHA256: cd6d9f95af7db48fd404a000ef6780fb868191b09062cf32346b5ef1fbda60bf
  SHA512: e4621a9bfd652ddad6f754591b34a9d24bec1c732f0f58f924315c4a1f14ed341d8194afda50dc838d670876a0089276bb6be05e0b400065bc6fd8c511f61d60