Analysis
- max time kernel: 119s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/02/2025, 03:56
Static task: static1
Behavioral task: behavioral1
- Sample: cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe
- Resource: win10v2004-20241007-en
General
- Target: cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe
- Size: 1.5MB
- MD5: e46e8605c7dd4927f00173e2a587726d
- SHA1: 37dd89538130146fdbde3f9ef7790ee9b5cee32e
- SHA256: cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3
- SHA512: ed32a8efad799a0ad17faa13aa885e52a05b36c844425e7aece0007c1e3bc6ed22f90cc17dc32759ad97007e3ec8460ae082c51dad8f9911a72bd698c5a684da
- SSDEEP: 12288:z+Qf9NxkERr1JzrDTzz7wHxhW88KH6Yn77TCNp8jToZGrhR0Zr:Dx0j8KaYnfTYp8/oZMGZr
Malware Config
Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload (9 IoCs)
resource / yara_rule:
- behavioral2/memory/4824-35-0x0000000000400000-0x000000000045D000-memory.dmp: family_blackshades
- behavioral2/memory/4824-40-0x0000000000400000-0x000000000045D000-memory.dmp: family_blackshades
- behavioral2/memory/4824-39-0x0000000000400000-0x000000000045D000-memory.dmp: family_blackshades
- behavioral2/memory/4824-51-0x0000000000400000-0x000000000045D000-memory.dmp: family_blackshades
- behavioral2/memory/4824-52-0x0000000000400000-0x000000000045D000-memory.dmp: family_blackshades
- behavioral2/memory/4824-54-0x0000000000400000-0x000000000045D000-memory.dmp: family_blackshades
- behavioral2/memory/4824-57-0x0000000000400000-0x000000000045D000-memory.dmp: family_blackshades
- behavioral2/memory/4824-59-0x0000000000400000-0x000000000045D000-memory.dmp: family_blackshades
- behavioral2/memory/4824-75-0x0000000000400000-0x000000000045D000-memory.dmp: family_blackshades
Modifies firewall policy service (3 TTPs, 10 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe)
Executes dropped EXE (3 IoCs)
pid / Process:
- 4316 winlogon.exe
- 4824 winlogon.exe
- 4448 winlogon.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" (reg.exe)
Suspicious use of SetThreadContext (2 IoCs)
description / pid / Process / procid_target:
- PID 4316 set thread context of 4824 (4316 winlogon.exe, procid_target 87)
- PID 4316 set thread context of 4448 (4316 winlogon.exe, procid_target 88)
resource / yara_rule (upx):
- behavioral2/memory/4824-34-0x0000000000400000-0x000000000045D000-memory.dmp: upx
- behavioral2/memory/4824-35-0x0000000000400000-0x000000000045D000-memory.dmp: upx
- behavioral2/memory/4448-41-0x0000000000400000-0x0000000000409000-memory.dmp: upx
- behavioral2/memory/4448-50-0x0000000000400000-0x0000000000409000-memory.dmp: upx
- behavioral2/memory/4448-46-0x0000000000400000-0x0000000000409000-memory.dmp: upx
- behavioral2/memory/4448-47-0x0000000000400000-0x0000000000409000-memory.dmp: upx
- behavioral2/memory/4824-40-0x0000000000400000-0x000000000045D000-memory.dmp: upx
- behavioral2/memory/4824-39-0x0000000000400000-0x000000000045D000-memory.dmp: upx
- behavioral2/memory/4824-31-0x0000000000400000-0x000000000045D000-memory.dmp: upx
- behavioral2/memory/4824-51-0x0000000000400000-0x000000000045D000-memory.dmp: upx
- behavioral2/memory/4824-52-0x0000000000400000-0x000000000045D000-memory.dmp: upx
- behavioral2/memory/4824-54-0x0000000000400000-0x000000000045D000-memory.dmp: upx
- behavioral2/memory/4824-57-0x0000000000400000-0x000000000045D000-memory.dmp: upx
- behavioral2/memory/4824-59-0x0000000000400000-0x000000000045D000-memory.dmp: upx
- behavioral2/memory/4824-75-0x0000000000400000-0x000000000045D000-memory.dmp: upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by (in order): cmd.exe, reg.exe, winlogon.exe, reg.exe, winlogon.exe, reg.exe, cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe, cmd.exe, cmd.exe, cmd.exe, reg.exe, reg.exe, winlogon.exe, cmd.exe
Modifies registry key (1 TTP, 4 IoCs)
pid / Process:
- 2004 reg.exe
- 4984 reg.exe
- 3220 reg.exe
- 1036 reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
description / pid / Process:
- PID 4824 winlogon.exe, tokens (in order): 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- PID 4448 winlogon.exe, token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (6 IoCs)
pid / Process:
- 3948 cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe
- 4316 winlogon.exe
- 4824 winlogon.exe
- 4824 winlogon.exe
- 4448 winlogon.exe
- 4824 winlogon.exe
Suspicious use of WriteProcessMemory (49 IoCs)
description / pid / Process / procid_target (consecutive identical entries collapsed, count shown as xN):
- PID 3948 wrote to memory of 3808 (3948 cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe, procid_target 82) x3
- PID 3808 wrote to memory of 2080 (3808 cmd.exe, procid_target 85) x3
- PID 3948 wrote to memory of 4316 (3948 cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe, procid_target 86) x3
- PID 4316 wrote to memory of 4824 (4316 winlogon.exe, procid_target 87) x8
- PID 4316 wrote to memory of 4448 (4316 winlogon.exe, procid_target 88) x3
- PID 4824 wrote to memory of 4288 (4824 winlogon.exe, procid_target 89) x3
- PID 4316 wrote to memory of 4448 (4316 winlogon.exe, procid_target 88) x5
- PID 4824 wrote to memory of 3124 (4824 winlogon.exe, procid_target 90) x3
- PID 4824 wrote to memory of 3932 (4824 winlogon.exe, procid_target 91) x3
- PID 4824 wrote to memory of 896 (4824 winlogon.exe, procid_target 92) x3
- PID 3124 wrote to memory of 2004 (3124 cmd.exe, procid_target 97) x3
- PID 4288 wrote to memory of 4984 (4288 cmd.exe, procid_target 98) x3
- PID 3932 wrote to memory of 3220 (3932 cmd.exe, procid_target 99) x3
- PID 896 wrote to memory of 1036 (896 cmd.exe, procid_target 100) x3
Processes

[Level 1] C:\Users\Admin\AppData\Local\Temp\cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3948
  [Level 2] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nreXV.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3808
    [Level 3] C:\Windows\SysWOW64\reg.exe
    Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe" /f
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID: 2080
  [Level 2] C:\Users\Admin\AppData\Roaming\winlogon.exe
  Command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4316
    [Level 3] C:\Users\Admin\AppData\Roaming\winlogon.exe
    Command line: C:\Users\Admin\AppData\Roaming\winlogon.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4824
      [Level 4] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4288
        [Level 5] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 4984
      [Level 4] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3124
        [Level 5] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 2004
      [Level 4] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3932
        [Level 5] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 3220
      [Level 4] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 896
        [Level 5] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 1036
    [Level 3] C:\Users\Admin\AppData\Roaming\winlogon.exe
    Command line: C:\Users\Admin\AppData\Roaming\winlogon.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 4448
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads
- Filesize: 138B
  MD5: 4da6717f2c70f4bd32ad33a227a2ff47
  SHA1: 3d7f7159e1f695bd469287d1ad4ffa0841b407a8
  SHA256: a12bb2e5d2fb0b3c400ce311fae72995a00b57a97d23e4b9effec47cff189d07
  SHA512: 6765314054ad9bf2164058248f3d3a17775176925abbe4376aec030dca3a5e59be8b9e96139941fec2b2e1a9bff38f87abdb29ea09a299d8ab7e23ecec4083df
- Filesize: 1.5MB
  MD5: 33566ed958b31e87d83f2e02c8f15128
  SHA1: 31c3ace47d1d48213b88408450b34c92dcfd42bb
  SHA256: 094397f192ab0e9554388b61101805d54ee849d7b20605482820cf397c8dca5e
  SHA512: df265f65d05ad9b023823de00ad843f738348f759cf8c31e9e942fa7d855e9a6aa6f0e15b298f33c9c32fe389e319274b6c00f438d40de516072a8f09732e635