Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 30/01/2025, 18:38
Static task: static1
Behavioral task: behavioral1
- Sample: ImageSet.rar.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: ImageSet.rar.exe
- Resource: win10v2004-20250129-en
General
- Target: ImageSet.rar.exe
- Size: 3.9MB
- MD5: 8b29c8e0c54701385c7ab1dd271cf2fd
- SHA1: ce2d93e7aeba8b51f2f0588ad88b4df7f6c72e92
- SHA256: 6cedc49e0f8f8db512d9b6083c9bbe1111b923407d549950b18c199d77844d6c
- SHA512: c4e7ae6cef11622b6a4ace291dd5d1cfbbd257cd2491a98507575d273a35c29f504644d80899b78d1436f521d34da7ab05414abaf29ad6e17ce759314ce12f19
- SSDEEP: 49152:yP8AfXrXjya0Ft1LlhToBbAWGseTwX0eNtOSnZTA4ZDwK082dX6:08evyT3hToB0WGszX0ejjZTAWjp2d
Malware Config
Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload (14 IoCs)
resource | yara_rule
behavioral1/memory/2412-15-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-13-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-22-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-33-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-35-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-36-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-37-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-38-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-40-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-41-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-42-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-44-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-45-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
behavioral1/memory/2412-46-0x0000000000400000-0x0000000000478000-memory.dmp | family_blackshades
Modifies firewall policy service (3 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Defender\30F9K7K8LG.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender\\30F9K7K8LG.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Disables Task Manager via registry modification
Executes dropped EXE (1 IoCs)
pid | Process
2292 | ThreeTimesTwo.exe

Loads dropped DLL (1 IoCs)
pid | Process
1712 | ImageSet.rar.exe
Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1712 set thread context of 2412 | 1712 | ImageSet.rar.exe | 32
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ThreeTimesTwo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ImageSet.rar.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies Internet Explorer settings (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | ThreeTimesTwo.exe
Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
1988 | reg.exe
2840 | reg.exe
2704 | reg.exe
2916 | reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
description | pid | Process
Token: 1 | 2412 | vbc.exe
Token: SeCreateTokenPrivilege | 2412 | vbc.exe
Token: SeAssignPrimaryTokenPrivilege | 2412 | vbc.exe
Token: SeLockMemoryPrivilege | 2412 | vbc.exe
Token: SeIncreaseQuotaPrivilege | 2412 | vbc.exe
Token: SeMachineAccountPrivilege | 2412 | vbc.exe
Token: SeTcbPrivilege | 2412 | vbc.exe
Token: SeSecurityPrivilege | 2412 | vbc.exe
Token: SeTakeOwnershipPrivilege | 2412 | vbc.exe
Token: SeLoadDriverPrivilege | 2412 | vbc.exe
Token: SeSystemProfilePrivilege | 2412 | vbc.exe
Token: SeSystemtimePrivilege | 2412 | vbc.exe
Token: SeProfSingleProcessPrivilege | 2412 | vbc.exe
Token: SeIncBasePriorityPrivilege | 2412 | vbc.exe
Token: SeCreatePagefilePrivilege | 2412 | vbc.exe
Token: SeCreatePermanentPrivilege | 2412 | vbc.exe
Token: SeBackupPrivilege | 2412 | vbc.exe
Token: SeRestorePrivilege | 2412 | vbc.exe
Token: SeShutdownPrivilege | 2412 | vbc.exe
Token: SeDebugPrivilege | 2412 | vbc.exe
Token: SeAuditPrivilege | 2412 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 2412 | vbc.exe
Token: SeChangeNotifyPrivilege | 2412 | vbc.exe
Token: SeRemoteShutdownPrivilege | 2412 | vbc.exe
Token: SeUndockPrivilege | 2412 | vbc.exe
Token: SeSyncAgentPrivilege | 2412 | vbc.exe
Token: SeEnableDelegationPrivilege | 2412 | vbc.exe
Token: SeManageVolumePrivilege | 2412 | vbc.exe
Token: SeImpersonatePrivilege | 2412 | vbc.exe
Token: SeCreateGlobalPrivilege | 2412 | vbc.exe
Token: 31 | 2412 | vbc.exe
Token: 32 | 2412 | vbc.exe
Token: 33 | 2412 | vbc.exe
Token: 34 | 2412 | vbc.exe
Token: 35 | 2412 | vbc.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
2292 | ThreeTimesTwo.exe (x2)
2412 | vbc.exe (x4)
Suspicious use of WriteProcessMemory (47 IoCs; repeated rows collapsed with a count)
description | pid | Process | procid_target
PID 1712 wrote to memory of 2292 | 1712 | ImageSet.rar.exe | 31 (x7)
PID 1712 wrote to memory of 2412 | 1712 | ImageSet.rar.exe | 32 (x8)
PID 2412 wrote to memory of 2884 | 2412 | vbc.exe | 33 (x4)
PID 2412 wrote to memory of 2896 | 2412 | vbc.exe | 34 (x4)
PID 2412 wrote to memory of 2904 | 2412 | vbc.exe | 35 (x4)
PID 2412 wrote to memory of 2156 | 2412 | vbc.exe | 36 (x4)
PID 2156 wrote to memory of 2916 | 2156 | cmd.exe | 41 (x4)
PID 2896 wrote to memory of 1988 | 2896 | cmd.exe | 42 (x4)
PID 2884 wrote to memory of 2704 | 2884 | cmd.exe | 43 (x4)
PID 2904 wrote to memory of 2840 | 2904 | cmd.exe | 44 (x4)
Processes

C:\Users\Admin\AppData\Local\Temp\ImageSet.rar.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ImageSet.rar.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1712

  C:\Users\Admin\AppData\Local\Temp\ThreeTimesTwo.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ThreeTimesTwo.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2292

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2412

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2884

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 2704

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2896

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 1988

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2904

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 2840

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Defender\30F9K7K8LG.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Defender\30F9K7K8LG.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2156

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Defender\30F9K7K8LG.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Defender\30F9K7K8LG.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 2916
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: 00011da90a63f3853dbd2cc80409b502
  SHA1: 492973ffd67a232fe8e6f778566ce3856868f213
  SHA256: b169c4edff2b181d14f76d47fd978aad0b9eb0e7069ea11467fafc1960133cb5
  SHA512: b71b01bf322118f495c6e0f24c4e503f783d76d7a39dfe17ec5b939f094dcb495c47f7234a94d0149940ddd41735c6e453afe63dded35ba7c5f2503c8592e05e