Analysis

  • max time kernel
    119s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/02/2025, 11:34

General

  • Target

    4cb3f1c6ec766e8a677938e45caef6db8442b4c7e5f8068005e36e7620930281.exe

  • Size

    248KB

  • MD5

    0a4b7e409a27aa973a66eba20bf662dd

  • SHA1

    4e1abafdfe6e9c0cd30161bb6b46431c3c2d15cf

  • SHA256

    4cb3f1c6ec766e8a677938e45caef6db8442b4c7e5f8068005e36e7620930281

  • SHA512

    4f07bdc3ad3c1322da1b5207eca1fd84b3f5f5d3814fd569d37281680b6524e87079e70bba295cef422b3b2e42e805d5f59b1b293cd3dcb711d8ea26458d28dc

  • SSDEEP

    3072:etsLhXr6AQuO5MRDZ5ZuI80fP1yjQUEcOMyNx80oB1WtEkdGFEk0pyyNxRmvh:fGD5MR5HZrbbxt+WtzdGGk0UyDy

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload (9 IoCs)
  • Modifies firewall policy service (3 TTPs, 10 IoCs)
  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (3 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • UPX packed file (18 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key (1 TTP, 4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (57 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cb3f1c6ec766e8a677938e45caef6db8442b4c7e5f8068005e36e7620930281.exe
    "C:\Users\Admin\AppData\Local\Temp\4cb3f1c6ec766e8a677938e45caef6db8442b4c7e5f8068005e36e7620930281.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Users\Admin\AppData\Local\Temp\4cb3f1c6ec766e8a677938e45caef6db8442b4c7e5f8068005e36e7620930281.exe
      "C:\Users\Admin\AppData\Local\Temp\4cb3f1c6ec766e8a677938e45caef6db8442b4c7e5f8068005e36e7620930281.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BDFRS.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:4988
      • C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
        "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
          "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1052
        • C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
          "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
          4⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:628
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:3960
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:3360
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2056
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DJXMLHG7SI.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DJXMLHG7SI.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4148
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DJXMLHG7SI.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DJXMLHG7SI.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2500

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BDFRS.txt

    Filesize

    149B

    MD5

    6831b89d0b8dc3e07588d733e75c122b

    SHA1

    8c70088c3224bbaf535ed19ec0f6bd5231c543be

    SHA256

    9fe102f2c6dff35f03787b85f725d12347cf491c897730a7f2e818f65177ffc2

    SHA512

    699fb44a25032ee4ad0ace1f941c826b333baddb65049c22e80b272909e85f4c8a00fef73fe2d97fa8998a0b6969b13461237bfc1e8f9bf711849d17d0cda6da

  • C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe

    Filesize

    248KB

    MD5

    327b770d5c00d00afccdb8404ce93a03

    SHA1

    f4af94963c46cece104eae4114ef377f16647162

    SHA256

    fef4e97c5d2a5384baa3f3083e2ec086affa363b12cdfa0b54eda7da9f991d88

    SHA512

    3d88f855592bade68d28741a553ee80438a6762595ee8bbb63171e53ac6cf3673c58f57da38961eacb43a42d1c9f23e83a1241c6cc0a5b1904bcd31292d2239f

  • memory/1052-69-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize 44KB)
  • memory/1412-12-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize 44KB)
  • memory/1412-40-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize 44KB)
  • memory/1412-65-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize 44KB)
  • memory/1412-14-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize 44KB)
  • memory/1412-9-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize 44KB)
  • memory/1412-13-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize 44KB)
  • memory/2640-5-0x00000000022D0000-0x00000000022D2000-memory.dmp (Filesize 8KB)
  • memory/2640-10-0x0000000002290000-0x0000000002292000-memory.dmp (Filesize 8KB)
  • memory/2640-8-0x0000000002A50000-0x0000000002A52000-memory.dmp (Filesize 8KB)
  • memory/2640-7-0x00000000022F0000-0x00000000022F2000-memory.dmp (Filesize 8KB)
  • memory/2640-6-0x00000000022E0000-0x00000000022E2000-memory.dmp (Filesize 8KB)
  • memory/2640-4-0x00000000022C0000-0x00000000022C2000-memory.dmp (Filesize 8KB)
  • memory/2640-2-0x0000000002290000-0x0000000002292000-memory.dmp (Filesize 8KB)
  • memory/2640-3-0x00000000022A0000-0x00000000022A2000-memory.dmp (Filesize 8KB)
  • memory/4084-70-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/4084-89-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/4084-102-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/4084-58-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/4084-55-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/4084-51-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/4084-98-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/4084-94-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/4084-76-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/4084-81-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/4084-85-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
  • memory/5000-45-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
  • memory/5000-42-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
  • memory/5000-43-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)
  • memory/5000-59-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize 248KB)