Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/02/2025, 10:25

General

  • Target

    773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe

  • Size

    604KB

  • MD5

    55cca528a03ec3a98137c46271f3f657

  • SHA1

    49a044a803a4e3c0887971b212ca69552b72275f

  • SHA256

    773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc

  • SHA512

    c3cbad0c4401ea966d9f10cff5ccc3ddceca69d95afc81183c5abc57fffcca46c5f28d7daf0d99ec8275289a82b1f2e7946e899d0971348934eac07fec780d66

  • SSDEEP

    12288:NcHg+OMkYnx+ZkeeUE9EylqAUB7ftCwYTJ0Q+iK:NJ86eUyEQ/OtI1c

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 3 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
    "C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
      "C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAWVM.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Jload" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1276
      • C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
        "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4768
        • C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
          "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2256
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3780
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:4016
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4572
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2708
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1680
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:3052
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1068
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2984
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0M0N0Y2OTItNDg5Qi00MENBLUEwNUUtNTUyOTRDRjhBN0IzfSIgdXNlcmlkPSJ7M0UzRENFMDktMjAwQi00MkQxLTk5NzMtMkYwRDFGQkY1MjhEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTc0NEE4NDItNkY2MC00OTQzLUE1MTgtNEJEQjlDOURBRTc3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mzk5NTgwNzMzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EAWVM.txt

    Filesize

    138B

    MD5

    bc18986a524cd5015b00135cbf312330

    SHA1

    65c0fa726aa3b129e2d94a5518186c3cd866f3c0

    SHA256

    f27d92575749ef19cccc68a524662607f5be5ed2fb415fe7de4f4927f521709c

    SHA512

    afae8a27a1c64fedd75e9786bbeb4fc8c21795bb2cfd23a749e8de3f102977b391186597d8892cce7be71360b264b22c38a2eaf9507375c1d4e75a5586e8db2e

  • C:\Users\Admin\AppData\Roaming\Jload\Jload.exe

    Filesize

    604KB

    MD5

    20e51c3b9b0bbbfc4d993cc77cfd9a26

    SHA1

    fdeadda494c899b3daef0f78416014da89b62b91

    SHA256

    9eab0ac0b9c7aedbf98853f0e0b91396610439890e9ccd53b3f335f0567a1ff7

    SHA512

    c60acb4abcdc6a0f257028dd34946cad570a357fec2150ad42475b85557e6ab3650a9d39a10b45f92b9529c84e7069b89ded4ed3007a51ae556f42a034ecdcff

  • memory/2256-57-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2376-46-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2376-59-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2376-49-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3452-6-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/3452-8-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/3452-10-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/3452-52-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4768-37-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/4768-38-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/4768-36-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/4768-48-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

  • memory/5048-3-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

    Filesize

    4KB

  • memory/5048-5-0x0000000002B80000-0x0000000002B81000-memory.dmp

    Filesize

    4KB

  • memory/5048-2-0x0000000002220000-0x0000000002221000-memory.dmp

    Filesize

    4KB

  • memory/5048-4-0x0000000002B40000-0x0000000002B41000-memory.dmp

    Filesize

    4KB