Overview

overview

10

Static

static

3

24217d6374...91.exe

windows7-x64

10

24217d6374...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2025 15:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24217d63742343a17b813350bfdcc0dccd91be2ed9a65d9ca0e0415065fe8d91.exe

  • Size

    3.1MB

  • MD5

    71f261fe0ab0cca422bc60d71e18fdaf

  • SHA1

    f37118da5d843ff34beef2870f6cfd9965f7d50e

  • SHA256

    24217d63742343a17b813350bfdcc0dccd91be2ed9a65d9ca0e0415065fe8d91

  • SHA512

    eabc35e19b96c6655d76703e8a9fb469508c26d124acec99fee819e449b7c55a5c8025f9c1a215f06977eece8b8e6843039a1dae24a81904e21dcd32ec0695e6

  • SSDEEP

    24576:yKGLlxj3f/tXkbAivCy+u2QXQJLWw/GBQyVQVz81:y//tXvuKW7QV2

Score
10/10
blackshadesdefense_evasiondiscoverypersistencerattrojanupx

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades
  • Blackshades family
    blackshades
  • Blackshades payload 9 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 8 IoCs
    defense_evasion
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24217d63742343a17b813350bfdcc0dccd91be2ed9a65d9ca0e0415065fe8d91.exe
    "C:\Users\Admin\AppData\Local\Temp\24217d63742343a17b813350bfdcc0dccd91be2ed9a65d9ca0e0415065fe8d91.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOPLXA.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3060
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        PID:1368
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\UaETp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msconfig32" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2904
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\efdBR.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "msconfig32" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2700
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\gpDSo.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Windows\msconfig32\msconfig32.exe" /f
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:2848
    • C:\Windows\msconfig32\msconfig32.exe
      "C:\Windows\msconfig32\msconfig32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\msconfig32\msconfig32.exe
        C:\Windows\msconfig32\msconfig32.exe
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:788
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1760
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2876
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\msconfig32\msconfig32.exe" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1672
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\msconfig32\msconfig32.exe" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2748
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1944
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2620
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsoss32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsoss32.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1284
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsoss32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsoss32.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2728
      • C:\Windows\msconfig32\msconfig32.exe
        C:\Windows\msconfig32\msconfig32.exe
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\UaETp.bat
    Filesize

    133B

    MD5

    4e99d945ca61ed0b261a73d985f5420e

    SHA1

    ce08b5c3939572703ae753bfa72c0224400d7bb2

    SHA256

    ddcc7514a0ca6c4c261d55a5c818136cb6035676d1a56dbb224734c5db1a3064

    SHA512

    988b5bab81311ca5efd773fdd8c872173b42bebce79467615c7ad5ffdb3a0f670300b1d39ab86f62b2a6bea2aa140abfaca211b2c868c4a412a6d5a4c4a8fb8a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ZOPLXA.bat
    Filesize

    255B

    MD5

    180e420d8578c4341546b0f2676f52c5

    SHA1

    3683c541fe1ad96c37fcfa91f3d819f2c43ccf84

    SHA256

    27bad6b003d19c5063cfc49ee5828c5ebb82659ee5c89ed2df20ae1c4917ba28

    SHA512

    5bbcdd40178a399dd4e879e39328824c47edc39a040b7d1eed90368bbdab0d51d9cb187357cc3a223ed22086ff650c10f3841fc9bb50469eb9a72ca343c77ed9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\efdBR.bat
    Filesize

    133B

    MD5

    5c5f6bd3f5ab15437a8d5a452f236cc7

    SHA1

    43dc4c4bcee42f7975f0027e2734c57115e5d7ce

    SHA256

    8f96e1c2750dc729faf255eb4df3f1e501d3394d8043f69dc56036a03b9ed947

    SHA512

    eed35f38654e1c5b4c1ea010f93d6be03250b77bd0e6f79ce12aaaa7333b9346afbd328f4de21e3fa6948d252cb9203a8bd103e0058c129d3130e7399e18b08f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gpDSo.bat
    Filesize

    164B

    MD5

    0af5f35091719d8ee61893a158b66625

    SHA1

    1f81728601f8714bfa7e2ca92f9d6a8f6aa89700

    SHA256

    ceac3aee5e97d760c72b18d62c3dfc7d73904366e230c2362c49e8ed700d46f9

    SHA512

    f01c7ecbb9682c2469628f7d1c7e38891b1b9352a27eed50e3597b281fc136f18a6deb4ca04843f632cce295dd8f194ff8c37d31d7167a7a25734d0789bf9baa

    Download Submit

  • C:\Windows\msconfig32\msconfig32.exe
    Filesize

    3.1MB

    MD5

    7b36ba7d71abb40e90490133e4bd6b1e

    SHA1

    72f0efc0eef9cd7815b949664a66b56a47e002b4

    SHA256

    837f29a7a5fcbcf58dd8853d75d79a355177454cdf0dac9bbfd768a2bf1224de

    SHA512

    5762c3a87cc7e982c17a542a08d2dfc67db71a963f7722cad53c464a8d54f654af2732b6543f4966049851d988a15435b576f57e452ed176d4548cc0b935a101

    Download Submit

  • memory/788-117-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/788-122-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/788-138-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/788-136-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/788-127-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/788-115-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/788-124-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/788-98-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/788-120-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/1768-0-0x0000000000400000-0x0000000000723000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1932-116-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1932-106-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1932-110-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1932-112-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download