Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/02/2025, 07:59

General

  • Target

    e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe

  • Size

    295KB

  • MD5

    9bd0b6f30d4706be26014d748b4443a0

  • SHA1

    64277e545d5e3db5d4a7d0a5ea9ae670c2dad779

  • SHA256

    e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6b

  • SHA512

    aef4ec64145af773b3c262b437ff0342ea50cf361febde4fd4f779bc772712642376974acd17334c6cb6e1b89ee827e35788405305a98477aa93414fce9cc97c

  • SSDEEP

    6144:Hg2hTSrKvmpwAHx8ADA1epmoI+zwOLoxZq2djzpqbTYDmwihkoSI:HxhTS64R8UAemBO0xZq2dzpqmmthkoSI

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 13 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe
    "C:\Users\Admin\AppData\Local\Temp\e731d64922ba04a6c0ca2112ea6add8640ad8d92993531bc03b93340b37ebb6bN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuPxq.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Registry" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2760
    • C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3308
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4360
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1980
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2916
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4300
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2488
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1028
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4124
      • C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4468
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkY1QkQ0NDktNUQ4Ny00MDlCLUFBRDktNTE3OUYzMkFCOUM4fSIgdXNlcmlkPSJ7OTRBMjQyMjYtMzFEMC00MjgyLUEwRjMtMkYzRTQ0MkI4NTU1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUYxNkUxNkEtODU3Ri00Mjg0LTkwMEQtODkxRDc4NUI5NUI0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjI0NTYxNTUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BuPxq.txt

    Filesize

    162B

    MD5

    5e4140832887cea8efa834f831b17558

    SHA1

    25c6e383330404805daf29d39a28109e97e3b702

    SHA256

    d0a24ea90a7d31cecf370b8d43d5be23b6875e1cf2edbde0dfb4ef869108749c

    SHA512

    68d4c5f5b70e12bebdd92b8c615ac0d640bc8761ec89800eff6da57e72083ba496301ff8248700d0d73bdfb6846678ea9692f816ef9473e45766b5f5b605720f

  • C:\Users\Admin\AppData\Local\Temp\TDnrM.exe

    Filesize

    114B

    MD5

    e89f75f918dbdcee28604d4e09dd71d7

    SHA1

    f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

    SHA256

    6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

    SHA512

    8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

  • C:\Users\Admin\AppData\Roaming\Windows Registry\svchost.txt

    Filesize

    295KB

    MD5

    bca87acc58affda9e617de32883d3d57

    SHA1

    193bdd3b8035998ea5cc18bf5f00a45f68205c6a

    SHA256

    83677088ba00c1fcb6eaeead7dba89295018d02f32591a4aa4804ac3ebbbbcb3

    SHA512

    a458a995ae7c9dc0fc18441a2026028e66b67f89baeb0eb7e82889d0bb7bad4fbbe17471ae2f7ebc46ca12fd6f79bcef896dbc3e1b0ed10cd9e33bcad3c42a23

  • memory/1700-0-0x0000000000400000-0x00000000005A8000-memory.dmp

    Filesize

    1.7MB

  • memory/1700-39-0x0000000000400000-0x00000000005A8000-memory.dmp

    Filesize

    1.7MB

  • memory/3308-78-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-42-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-92-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-90-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-88-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-46-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-48-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-65-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-66-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-85-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-70-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-73-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-76-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-83-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/3308-81-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/4084-64-0x0000000000400000-0x00000000005A8000-memory.dmp

    Filesize

    1.7MB

  • memory/4468-58-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4468-67-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4468-54-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4468-60-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB