Analysis
- max time kernel: 117s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/02/2025, 08:01
Static task: static1

Behavioral task: behavioral1
- Sample: 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe
- Resource: win10v2004-20241007-en
General
- Target: 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe
- Size: 1.6MB
- MD5: a9ac1974040474510b772ac2d6699180
- SHA1: b4659c684198702c183ffa02dccb837d35eb39a8
- SHA256: 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5a
- SHA512: 33785f8928bb544944e9973d8e3906dd97d659690b51f4af5652b46ab6c8205d1ec2a0c73f8f0fe9d0d51db206c72b8a24459132c558abbcf110cbd0ab972c7a
- SSDEEP: 12288:WB5a3hizhz/o456rn9lkQ8rxQslgBKR1jl9RL9BVnDXLmoIY7Tm+jZFluq9wd4Uh:WkB4tpHlgGjlLHlFoq2d5h
Malware Config
Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.

Blackshades family

Blackshades payload (10 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/2724-36-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/2724-42-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/2724-44-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/2724-46-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/2724-47-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/2724-48-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/2724-50-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/2724-51-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/2724-52-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
| behavioral2/memory/2724-55-0x0000000000400000-0x000000000045C000-memory.dmp | family_blackshades |
Modifies firewall policy service (3 TTPs, 10 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe |
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe |
Executes dropped EXE (2 IoCs)

| pid | Process |
| --- | --- |
| 1612 | winupdt.exe |
| 2724 | winupdt.exe |
Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" | reg.exe |
Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1612 set thread context of 2724 | 1612 | winupdt.exe | 87 |

yara_rule: upx (12 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/2724-34-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-36-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-31-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-42-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-44-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-46-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-47-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-48-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-50-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-51-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-52-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
| behavioral2/memory/2724-55-0x0000000000400000-0x000000000045C000-memory.dmp | upx |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdt.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdt.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
Modifies registry key (1 TTP, 4 IoCs)

| pid | Process |
| --- | --- |
| 320 | reg.exe |
| 100 | reg.exe |
| 4996 | reg.exe |
| 4756 | reg.exe |
Suspicious use of AdjustPrivilegeToken (35 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: 1 | 2724 | winupdt.exe |
| Token: SeCreateTokenPrivilege | 2724 | winupdt.exe |
| Token: SeAssignPrimaryTokenPrivilege | 2724 | winupdt.exe |
| Token: SeLockMemoryPrivilege | 2724 | winupdt.exe |
| Token: SeIncreaseQuotaPrivilege | 2724 | winupdt.exe |
| Token: SeMachineAccountPrivilege | 2724 | winupdt.exe |
| Token: SeTcbPrivilege | 2724 | winupdt.exe |
| Token: SeSecurityPrivilege | 2724 | winupdt.exe |
| Token: SeTakeOwnershipPrivilege | 2724 | winupdt.exe |
| Token: SeLoadDriverPrivilege | 2724 | winupdt.exe |
| Token: SeSystemProfilePrivilege | 2724 | winupdt.exe |
| Token: SeSystemtimePrivilege | 2724 | winupdt.exe |
| Token: SeProfSingleProcessPrivilege | 2724 | winupdt.exe |
| Token: SeIncBasePriorityPrivilege | 2724 | winupdt.exe |
| Token: SeCreatePagefilePrivilege | 2724 | winupdt.exe |
| Token: SeCreatePermanentPrivilege | 2724 | winupdt.exe |
| Token: SeBackupPrivilege | 2724 | winupdt.exe |
| Token: SeRestorePrivilege | 2724 | winupdt.exe |
| Token: SeShutdownPrivilege | 2724 | winupdt.exe |
| Token: SeDebugPrivilege | 2724 | winupdt.exe |
| Token: SeAuditPrivilege | 2724 | winupdt.exe |
| Token: SeSystemEnvironmentPrivilege | 2724 | winupdt.exe |
| Token: SeChangeNotifyPrivilege | 2724 | winupdt.exe |
| Token: SeRemoteShutdownPrivilege | 2724 | winupdt.exe |
| Token: SeUndockPrivilege | 2724 | winupdt.exe |
| Token: SeSyncAgentPrivilege | 2724 | winupdt.exe |
| Token: SeEnableDelegationPrivilege | 2724 | winupdt.exe |
| Token: SeManageVolumePrivilege | 2724 | winupdt.exe |
| Token: SeImpersonatePrivilege | 2724 | winupdt.exe |
| Token: SeCreateGlobalPrivilege | 2724 | winupdt.exe |
| Token: 31 | 2724 | winupdt.exe |
| Token: 32 | 2724 | winupdt.exe |
| Token: 33 | 2724 | winupdt.exe |
| Token: 34 | 2724 | winupdt.exe |
| Token: 35 | 2724 | winupdt.exe |
Suspicious use of SetWindowsHookEx (5 IoCs)

| pid | Process |
| --- | --- |
| 5008 | 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe |
| 1612 | winupdt.exe |
| 2724 | winupdt.exe |
| 2724 | winupdt.exe |
| 2724 | winupdt.exe |
Suspicious use of WriteProcessMemory (41 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 5008 wrote to memory of 2800 | 5008 | 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe | 82 |
| PID 5008 wrote to memory of 2800 | 5008 | 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe | 82 |
| PID 5008 wrote to memory of 2800 | 5008 | 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe | 82 |
| PID 2800 wrote to memory of 4336 | 2800 | cmd.exe | 85 |
| PID 2800 wrote to memory of 4336 | 2800 | cmd.exe | 85 |
| PID 2800 wrote to memory of 4336 | 2800 | cmd.exe | 85 |
| PID 5008 wrote to memory of 1612 | 5008 | 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe | 86 |
| PID 5008 wrote to memory of 1612 | 5008 | 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe | 86 |
| PID 5008 wrote to memory of 1612 | 5008 | 433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe | 86 |
| PID 1612 wrote to memory of 2724 | 1612 | winupdt.exe | 87 |
| PID 1612 wrote to memory of 2724 | 1612 | winupdt.exe | 87 |
| PID 1612 wrote to memory of 2724 | 1612 | winupdt.exe | 87 |
| PID 1612 wrote to memory of 2724 | 1612 | winupdt.exe | 87 |
| PID 1612 wrote to memory of 2724 | 1612 | winupdt.exe | 87 |
| PID 1612 wrote to memory of 2724 | 1612 | winupdt.exe | 87 |
| PID 1612 wrote to memory of 2724 | 1612 | winupdt.exe | 87 |
| PID 1612 wrote to memory of 2724 | 1612 | winupdt.exe | 87 |
| PID 2724 wrote to memory of 3604 | 2724 | winupdt.exe | 88 |
| PID 2724 wrote to memory of 3604 | 2724 | winupdt.exe | 88 |
| PID 2724 wrote to memory of 3604 | 2724 | winupdt.exe | 88 |
| PID 2724 wrote to memory of 4768 | 2724 | winupdt.exe | 89 |
| PID 2724 wrote to memory of 4768 | 2724 | winupdt.exe | 89 |
| PID 2724 wrote to memory of 4768 | 2724 | winupdt.exe | 89 |
| PID 2724 wrote to memory of 1008 | 2724 | winupdt.exe | 90 |
| PID 2724 wrote to memory of 1008 | 2724 | winupdt.exe | 90 |
| PID 2724 wrote to memory of 1008 | 2724 | winupdt.exe | 90 |
| PID 2724 wrote to memory of 1672 | 2724 | winupdt.exe | 91 |
| PID 2724 wrote to memory of 1672 | 2724 | winupdt.exe | 91 |
| PID 2724 wrote to memory of 1672 | 2724 | winupdt.exe | 91 |
| PID 4768 wrote to memory of 320 | 4768 | cmd.exe | 96 |
| PID 4768 wrote to memory of 320 | 4768 | cmd.exe | 96 |
| PID 4768 wrote to memory of 320 | 4768 | cmd.exe | 96 |
| PID 3604 wrote to memory of 100 | 3604 | cmd.exe | 97 |
| PID 3604 wrote to memory of 100 | 3604 | cmd.exe | 97 |
| PID 3604 wrote to memory of 100 | 3604 | cmd.exe | 97 |
| PID 1008 wrote to memory of 4996 | 1008 | cmd.exe | 98 |
| PID 1008 wrote to memory of 4996 | 1008 | cmd.exe | 98 |
| PID 1008 wrote to memory of 4996 | 1008 | cmd.exe | 98 |
| PID 1672 wrote to memory of 4756 | 1672 | cmd.exe | 99 |
| PID 1672 wrote to memory of 4756 | 1672 | cmd.exe | 99 |
| PID 1672 wrote to memory of 4756 | 1672 | cmd.exe | 99 |
Processes

- (level 1) C:\Users\Admin\AppData\Local\Temp\433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\433e29186c927e98905a6649b507d27fc17329e6f36f2669a6d20dd9a8817e5aN.exe"
  PID: 5008
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zpnlk.bat" "
    PID: 2800
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f
      PID: 4336
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
  - (level 2) C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"
    PID: 1612
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"
      PID: 2724
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - (level 4) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 3604
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - (level 5) C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 100
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - (level 4) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f
        PID: 4768
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - (level 5) C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f
          PID: 320
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - (level 4) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 1008
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - (level 5) C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 4996
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
      - (level 4) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
        PID: 1672
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - (level 5) C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
          PID: 4756
          - Modifies firewall policy service
          - System Location Discovery: System Language Discovery
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads

- Filesize: 158B
  MD5: 1954c7e666c5b4d1117ef07bc0c9b8ec
  SHA1: 559e3c0273c1463e9184027b749bdaad0a372681
  SHA256: 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693
  SHA512: 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a
- Filesize: 1.6MB
  MD5: 5a2abf657f0b9981d1a8a754a7fb936b
  SHA1: fe5dc7229b95bfc940bc672462827d05701a766b
  SHA256: 87436ca63bced89ff8e51d24648292ad279ef66b19eff96862242173fc2bd97f
  SHA512: 1d107aabba197aa5b08108e1972049cb1dc8b4833c784e2a09d01b9f191c94d84c0aeeea9d6c6fa3f224ef036619f0d41afe2704305f6d1c6f1da056f92c2f8e