Analysis

  • max time kernel
    119s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2025 15:44

General

  • Target

    24217d63742343a17b813350bfdcc0dccd91be2ed9a65d9ca0e0415065fe8d91.exe

  • Size

    3.1MB

  • MD5

    71f261fe0ab0cca422bc60d71e18fdaf

  • SHA1

    f37118da5d843ff34beef2870f6cfd9965f7d50e

  • SHA256

    24217d63742343a17b813350bfdcc0dccd91be2ed9a65d9ca0e0415065fe8d91

  • SHA512

    eabc35e19b96c6655d76703e8a9fb469508c26d124acec99fee819e449b7c55a5c8025f9c1a215f06977eece8b8e6843039a1dae24a81904e21dcd32ec0695e6

  • SSDEEP

    24576:yKGLlxj3f/tXkbAivCy+u2QXQJLWw/GBQyVQVz81:y//tXvuKW7QV2

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan (RAT). The behaviour recorded in this run (disabling UAC, Run-key and Winlogon Shell persistence, and firewall allow-listing of the dropped copy) is its installer routine rather than the remote-control payload itself.

  • Blackshades family
  • Blackshades payload 11 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24217d63742343a17b813350bfdcc0dccd91be2ed9a65d9ca0e0415065fe8d91.exe
    "C:\Users\Admin\AppData\Local\Temp\24217d63742343a17b813350bfdcc0dccd91be2ed9a65d9ca0e0415065fe8d91.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOPLXA.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1416
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        PID:1860
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gTSnr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msconfig32" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAxhZ.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "msconfig32" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leHdB.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Windows\msconfig32\msconfig32.exe" /f
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:5084
    • C:\Windows\msconfig32\msconfig32.exe
      "C:\Windows\msconfig32\msconfig32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\msconfig32\msconfig32.exe
        C:\Windows\msconfig32\msconfig32.exe
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3272
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2336
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\msconfig32\msconfig32.exe" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\msconfig32\msconfig32.exe" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1796
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1780
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsoss32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsoss32.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4208
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsoss32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsoss32.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2112
      • C:\Windows\msconfig32\msconfig32.exe
        C:\Windows\msconfig32\msconfig32.exe
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2648
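
The reg.exe command lines in this tree are what the UAC bypass, Run key, WinLogon and firewall policy signatures above match on. The following Python script is an added example, not part of this report or of the sandbox's own detection code: it classifies REG ADD command lines, as they would appear in Sysmon Event ID 1 or Security 4688 CommandLine fields, into the same categories. The sample input is a constructed list copied from the process tree above (one line kept in the cmd /c form seen at depth 4) plus one benign control line; the tokenizer and rule names are this example's own, and the "Security Center UAC setting modified" label is an assumption, since the report tags that line only as language discovery.

```python
import re

# Constructed sample: reg.exe command lines copied from the process tree above,
# plus one benign control line that should produce no tags.
SAMPLE_CMDLINES = [
    r'REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f',
    r'REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msconfig32" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe" /f',
    r'REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "msconfig32" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe" /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Windows\msconfig32\msconfig32.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\msconfig32\msconfig32.exe" /t REG_SZ /d "C:\Windows\msconfig32\msconfig32.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsoss32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsoss32.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKCU\Software\ExampleVendor\ExampleApp /v LastRun /t REG_SZ /d 2025-01-25 /f',  # benign control (constructed)
]

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a cmd.exe-style command line on whitespace, keeping double-quoted
    runs together and stripping the quotes (backslashes are not escapes)."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline):
    """Return (normalised_key, value_name, data) for a 'reg add' command line,
    or None if the line is not one (e.g. the cmd.exe that launches a .bat)."""
    toks = tokenize(cmdline)
    upper = [t.upper() for t in toks]
    start = None
    for i in range(len(toks) - 1):
        image = upper[i].rsplit("\\", 1)[-1]          # tolerate a full path to reg.exe
        if image in ("REG", "REG.EXE") and upper[i + 1] == "ADD":
            start = i + 2
            break
    if start is None or start >= len(toks):
        return None
    # The key runs up to the first /switch. Joining fragments handles the
    # unquoted 'Security Center' key in the tree, which tokenises as two words.
    key_parts = []
    j = start
    while j < len(toks) and not toks[j].startswith("/"):
        key_parts.append(toks[j])
        j += 1
    if not key_parts:
        return None
    opts = {}
    while j < len(toks):
        if upper[j] in ("/V", "/T", "/D") and j + 1 < len(toks):
            opts[upper[j]] = toks[j + 1]
            j += 2
        else:
            j += 1                                   # /f, /ve, /reg:32 and similar
    hive, _, path = " ".join(key_parts).partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())    # expand HKLM/HKCU abbreviations
    return hive + "\\" + path.upper(), opts.get("/V", "(Default)"), opts.get("/D", "")


def classify(cmdline):
    """Tag a reg add command line with the behaviours the report's signatures describe."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, name, data = parsed
    uname, udata = name.upper(), data.strip().upper()
    tags = []
    if key.endswith(r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM") \
            and uname == "ENABLELUA" and udata == "0":
        tags.append("UAC bypass (EnableLUA=0)")
    if key.endswith(r"\SOFTWARE\MICROSOFT\SECURITY CENTER") and uname.startswith("UAC"):
        tags.append("Security Center UAC setting modified")   # label is this example's own
    if key.endswith(r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"):
        tags.append("Adds Run key to start application")
    if key.endswith(r"\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN"):
        tags.append("Adds policy Run key to start application")
    if key.endswith(r"\WINDOWS NT\CURRENTVERSION\WINLOGON") and uname == "SHELL":
        # Shell is a comma-separated list; anything beyond explorer.exe was injected.
        extras = [p.strip() for p in data.split(",") if p.strip().upper() != "EXPLORER.EXE"]
        if extras:
            tags.append("Modifies WinLogon for persistence (extra Shell entries: %s)" % "; ".join(extras))
    if r"\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY" in key:
        if key.endswith(r"\AUTHORIZEDAPPLICATIONS\LIST"):
            tags.append("Modifies firewall policy service (allow-lists %s)" % name)
        elif uname == "DONOTALLOWEXCEPTIONS" and udata == "0":
            tags.append("Modifies firewall policy service (DoNotAllowExceptions=0, exceptions allowed)")
        else:
            tags.append("Modifies firewall policy service")
    return {"key": key, "value": name, "data": data, "tags": tags}


def scan(cmdlines):
    """Return the findings for every command line that hits at least one rule."""
    return [f for f in map(classify, cmdlines) if f and f["tags"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print("%-45s %s" % (finding["value"], ", ".join(finding["tags"])))
```

The key is normalised (hive abbreviation expanded, path upper-cased) before matching so that the HKCU and HKLM Run keys, and the abbreviated HKLM firewall keys, hit the same rules as their long-form equivalents. The Winlogon rule reports the injected Shell entries rather than just the key, which is what an analyst needs to pull the persisted binary from the host.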

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BAxhZ.bat

    Filesize

    133B

    MD5

    5c5f6bd3f5ab15437a8d5a452f236cc7

    SHA1

    43dc4c4bcee42f7975f0027e2734c57115e5d7ce

    SHA256

    8f96e1c2750dc729faf255eb4df3f1e501d3394d8043f69dc56036a03b9ed947

    SHA512

    eed35f38654e1c5b4c1ea010f93d6be03250b77bd0e6f79ce12aaaa7333b9346afbd328f4de21e3fa6948d252cb9203a8bd103e0058c129d3130e7399e18b08f

  • C:\Users\Admin\AppData\Local\Temp\ZOPLXA.txt

    Filesize

    255B

    MD5

    180e420d8578c4341546b0f2676f52c5

    SHA1

    3683c541fe1ad96c37fcfa91f3d819f2c43ccf84

    SHA256

    27bad6b003d19c5063cfc49ee5828c5ebb82659ee5c89ed2df20ae1c4917ba28

    SHA512

    5bbcdd40178a399dd4e879e39328824c47edc39a040b7d1eed90368bbdab0d51d9cb187357cc3a223ed22086ff650c10f3841fc9bb50469eb9a72ca343c77ed9

  • C:\Users\Admin\AppData\Local\Temp\gTSnr.bat

    Filesize

    133B

    MD5

    4e99d945ca61ed0b261a73d985f5420e

    SHA1

    ce08b5c3939572703ae753bfa72c0224400d7bb2

    SHA256

    ddcc7514a0ca6c4c261d55a5c818136cb6035676d1a56dbb224734c5db1a3064

    SHA512

    988b5bab81311ca5efd773fdd8c872173b42bebce79467615c7ad5ffdb3a0f670300b1d39ab86f62b2a6bea2aa140abfaca211b2c868c4a412a6d5a4c4a8fb8a

  • C:\Users\Admin\AppData\Local\Temp\leHdB.bat

    Filesize

    164B

    MD5

    0af5f35091719d8ee61893a158b66625

    SHA1

    1f81728601f8714bfa7e2ca92f9d6a8f6aa89700

    SHA256

    ceac3aee5e97d760c72b18d62c3dfc7d73904366e230c2362c49e8ed700d46f9

    SHA512

    f01c7ecbb9682c2469628f7d1c7e38891b1b9352a27eed50e3597b281fc136f18a6deb4ca04843f632cce295dd8f194ff8c37d31d7167a7a25734d0789bf9baa

  • C:\Windows\msconfig32\msconfig32.txt

    Filesize

    3.1MB

    MD5

    d7a03d5cfe207d957a0e0cdb7d7f5eca

    SHA1

    7f9bbbe09544241131e7bcd233bc5fb60e508c83

    SHA256

    7c262ae85c7be87a4345427fa2d9717737b63165003501bf98bc490b866a429f

    SHA512

    ce2676358c4dc39f0d86e020bb4287ef5cf5302c14f3cb94accbc2ef83e06ed102d02f65c3f4a1d8c1b731a79909759178ae2f9489815636669265a67f201053

  • memory/2648-63-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2648-70-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2648-64-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2648-60-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4768-0-0x0000000000400000-0x0000000000723000-memory.dmp

    Filesize

    3.1MB

  • memory/4912-55-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4912-69-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4912-57-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4912-71-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4912-74-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4912-76-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4912-81-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4912-83-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4912-85-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4912-88-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4912-92-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB