
Analysis

  • max time kernel
    118s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/02/2025, 00:19 UTC

General

  • Target

    108a0b445192cfebeca363a3375889bc71ace1dec6fc6fafab9648e9ae4f2b07.exe

  • Size

    1.9MB

  • MD5

    c3e3d0ddbad26720ecf9d10281e02fc9

  • SHA1

    695a10dbd8a98f3865fafe0ab651e30b326713f5

  • SHA256

    108a0b445192cfebeca363a3375889bc71ace1dec6fc6fafab9648e9ae4f2b07

  • SHA512

    f201d21c5ebaff591dd022fe50cbafb41e9ae249f09acff36b2276e1903e752b905c2309b75cf4e673957a5ba70123bcce0ea6da931a85dbe9f78901edfd8743

  • SSDEEP

    49152:CLIUXQgBiI6i2KFU0yBfM7a9QDosGeo403e0CpcKYGIDlWIwRBOn5PvGYKMf/1ZS:SIUXQgBiI6i2KFU0yBfM7a9QDosGeo4l

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 11 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\108a0b445192cfebeca363a3375889bc71ace1dec6fc6fafab9648e9ae4f2b07.exe
    "C:\Users\Admin\AppData\Local\Temp\108a0b445192cfebeca363a3375889bc71ace1dec6fc6fafab9648e9ae4f2b07.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\GsAxJ.exe
      "C:\Users\Admin\AppData\Local\Temp\GsAxJ.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4364
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qJEDn.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "csrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2632
    • C:\Users\Admin\AppData\Roaming\csrs.exe
      "C:\Users\Admin\AppData\Roaming\csrs.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3876
      • C:\Users\Admin\AppData\Roaming\csrs.exe
        C:\Users\Admin\AppData\Roaming\csrs.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2992
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4428
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\csrs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\csrs.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2492
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:3608
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:680
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svhost32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhost32.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4336

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    1.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    46657272617269.3utilities.com
    csrs.exe
    Remote address:
    8.8.8.8:53
    Request
    46657272617269.3utilities.com
    IN A
    Response
  • flag-gb
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.135.33:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Wed, 05 Feb 2025 00:20:02 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.3e367a5c.1738714802.a67c3ef
  • flag-us
    DNS
    33.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    33.135.221.88.in-addr.arpa
    IN PTR
    Response
    33.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-33.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    33.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    33.135.221.88.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    46657272617269.3utilities.com
    csrs.exe
    Remote address:
    8.8.8.8:53
    Request
    46657272617269.3utilities.com
    IN A
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    46657272617269.3utilities.com
    csrs.exe
    Remote address:
    8.8.8.8:53
    Request
    46657272617269.3utilities.com
    IN A
    Response
  • flag-us
    DNS
    46657272617269.3utilities.com
    csrs.exe
    Remote address:
    8.8.8.8:53
    Request
    46657272617269.3utilities.com
    IN A
    Response
  • flag-us
    DNS
    46657272617269.3utilities.com
    csrs.exe
    Remote address:
    8.8.8.8:53
    Request
    46657272617269.3utilities.com
    IN A
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    46657272617269.3utilities.com
    csrs.exe
    Remote address:
    8.8.8.8:53
    Request
    46657272617269.3utilities.com
    IN A
    Response
  • flag-us
    DNS
    46657272617269.3utilities.com
    csrs.exe
    Remote address:
    8.8.8.8:53
    Request
    46657272617269.3utilities.com
    IN A
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    46657272617269.3utilities.com
    csrs.exe
    Remote address:
    8.8.8.8:53
    Request
    46657272617269.3utilities.com
    IN A
    Response
  • 88.221.135.33:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.4kB
    6.4kB
    16
    13

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    1.31.126.40.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    1.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    46657272617269.3utilities.com
    dns
    csrs.exe
    75 B
    132 B
    1
    1

    DNS Request

    46657272617269.3utilities.com

  • 8.8.8.8:53
    33.135.221.88.in-addr.arpa
    dns
    144 B
    137 B
    2
    1

    DNS Request

    33.135.221.88.in-addr.arpa

    DNS Request

    33.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    46657272617269.3utilities.com
    dns
    csrs.exe
    75 B
    132 B
    1
    1

    DNS Request

    46657272617269.3utilities.com

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    46657272617269.3utilities.com
    dns
    csrs.exe
    75 B
    132 B
    1
    1

    DNS Request

    46657272617269.3utilities.com

  • 8.8.8.8:53
    46657272617269.3utilities.com
    dns
    csrs.exe
    75 B
    132 B
    1
    1

    DNS Request

    46657272617269.3utilities.com

  • 8.8.8.8:53
    46657272617269.3utilities.com
    dns
    csrs.exe
    75 B
    132 B
    1
    1

    DNS Request

    46657272617269.3utilities.com

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    46657272617269.3utilities.com
    dns
    csrs.exe
    75 B
    132 B
    1
    1

    DNS Request

    46657272617269.3utilities.com

  • 8.8.8.8:53
    46657272617269.3utilities.com
    dns
    csrs.exe
    75 B
    132 B
    1
    1

    DNS Request

    46657272617269.3utilities.com

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    46657272617269.3utilities.com
    dns
    csrs.exe
    75 B
    132 B
    1
    1

    DNS Request

    46657272617269.3utilities.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GsAxJ.exe

    Filesize

    12KB

    MD5

    466773bfcbd01059584cdae36e3c281c

    SHA1

    81e68615ef27cf363d6fe96582433c8a7ce8043b

    SHA256

    21f0910a1d71dfc63744474b2ba6b8248d893226576ea48791dc0cef7dd52105

    SHA512

    1088e7180a7d4ed717307c03884aebd945c5f78ffd6c4a4d7e84e504dc2da0434fe4173c63f1afd5a57e83e1783b3359ce123e85bb62699fb663bc9b1c02129f

  • C:\Users\Admin\AppData\Local\Temp\qJEDn.txt

    Filesize

    130B

    MD5

    34a635bb69f9dc2d8e8ceba2f6b25308

    SHA1

    66bbd6b4eb975af0a799c6be7aaed6917f5df10c

    SHA256

    eb18b0e443ffb00db0eb4438c0d3ec49cf67c3b7cbc9da8e25c60298c970a59a

    SHA512

    ae355a265391afe02a37d82ffb0df6664788dc4aee975678aeb524ff47f889d1e5ecab42b073093d71494c9868276dc9794d4bebce4c967d866b189c136a9545

  • C:\Users\Admin\AppData\Roaming\csrs.txt

    Filesize

    1.9MB

    MD5

    5da0c36147af06634df5e7e4db2000ff

    SHA1

    1c2059b3b590a763525300e30985d6bc89b60e66

    SHA256

    9158925af4ed31d990f12fc14eb4502494ecd366e0e56afafd717ab3ddc44d4c

    SHA512

    68cbe7a8f1944a2779b60a672e8ce455e3526ce10b167ff1f4ba083f0179e644d2f373e0b398cc6b4359287f062888b2583f36cbbb39fc74ba2be5ad90c1bec4

  • memory/772-71-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-78-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-74-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-40-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-43-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-67-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-46-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-69-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-54-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-57-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-60-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-62-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/772-64-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/3068-39-0x0000000000400000-0x00000000005DD000-memory.dmp

    Filesize

    1.9MB

  • memory/3068-0-0x0000000000400000-0x00000000005DD000-memory.dmp

    Filesize

    1.9MB

  • memory/3876-44-0x0000000000400000-0x00000000005DD000-memory.dmp

    Filesize

    1.9MB

  • memory/4364-52-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

  • memory/4364-10-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB
