Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/02/2025, 03:56

General

  • Target

    cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe

  • Size

    1.5MB

  • MD5

    e46e8605c7dd4927f00173e2a587726d

  • SHA1

    37dd89538130146fdbde3f9ef7790ee9b5cee32e

  • SHA256

    cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3

  • SHA512

    ed32a8efad799a0ad17faa13aa885e52a05b36c844425e7aece0007c1e3bc6ed22f90cc17dc32759ad97007e3ec8460ae082c51dad8f9911a72bd698c5a684da

  • SSDEEP

    12288:z+Qf9NxkERr1JzrDTzz7wHxhW88KH6Yn77TCNp8jToZGrhR0Zr:Dx0j8KaYnfTYp8/oZMGZr

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 9 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe
    "C:\Users\Admin\AppData\Local\Temp\cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nreXV.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3808
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2080
    • C:\Users\Admin\AppData\Roaming\winlogon.exe
      "C:\Users\Admin\AppData\Roaming\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Users\Admin\AppData\Roaming\winlogon.exe
        C:\Users\Admin\AppData\Roaming\winlogon.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4824
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4288
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4984
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3124
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2004
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3932
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:3220
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:896
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1036
      • C:\Users\Admin\AppData\Roaming\winlogon.exe
        C:\Users\Admin\AppData\Roaming\winlogon.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nreXV.txt

    Filesize

    138B

    MD5

    4da6717f2c70f4bd32ad33a227a2ff47

    SHA1

    3d7f7159e1f695bd469287d1ad4ffa0841b407a8

    SHA256

    a12bb2e5d2fb0b3c400ce311fae72995a00b57a97d23e4b9effec47cff189d07

    SHA512

    6765314054ad9bf2164058248f3d3a17775176925abbe4376aec030dca3a5e59be8b9e96139941fec2b2e1a9bff38f87abdb29ea09a299d8ab7e23ecec4083df

  • C:\Users\Admin\AppData\Roaming\winlogon.txt

    Filesize

    1.5MB

    MD5

    33566ed958b31e87d83f2e02c8f15128

    SHA1

    31c3ace47d1d48213b88408450b34c92dcfd42bb

    SHA256

    094397f192ab0e9554388b61101805d54ee849d7b20605482820cf397c8dca5e

    SHA512

    df265f65d05ad9b023823de00ad843f738348f759cf8c31e9e942fa7d855e9a6aa6f0e15b298f33c9c32fe389e319274b6c00f438d40de516072a8f09732e635

  • memory/3948-0-0x0000000000400000-0x000000000058A000-memory.dmp

    Filesize

    1.5MB

  • memory/4448-46-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4448-47-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4448-41-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4448-50-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4824-35-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4824-34-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4824-40-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4824-39-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4824-31-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4824-51-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4824-52-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4824-54-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4824-57-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4824-59-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4824-75-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB