Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/03/2025, 00:59

General

  • Target

    Pool Builder.exe

  • Size

    350KB

  • MD5

    e7ba77b1626b62ae11789ee4e9c2ca31

  • SHA1

    201b5222e5c6d5a59b473be60ec2b1e4536ffb2a

  • SHA256

    5998a91c4e967de42d8576ae037cc9679df136561696efc0a865a61bb735e675

  • SHA512

    fbeaa1c73c5619ffdf05e03df186f2c2a20ce9c7007e6a2789e6ddcdd029e5e5c9c504222b84127a19556b1bdfa2b0eced96663d5e3f3486c5cdd923a0a2e422

  • SSDEEP

    6144:oPxwiPCiY9u9U6mBAQhJpCGLLh2crljStyuqJA2zGFQRH6/2hD:oZY6OAwCYBrRaPqJAIGFQB6+t

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 3 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Pool Builder.exe
    "C:\Users\Admin\AppData\Local\Temp\Pool Builder.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2732
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2612
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2604
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1312
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\nezdep.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nezdep.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\nezdep.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nezdep.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2600
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\SharedReg.exe
        "C:\Users\Admin\AppData\Local\Temp\SharedReg.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1120
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SharedReg.exe

    Filesize

    350KB

    MD5

    e7ba77b1626b62ae11789ee4e9c2ca31

    SHA1

    201b5222e5c6d5a59b473be60ec2b1e4536ffb2a

    SHA256

    5998a91c4e967de42d8576ae037cc9679df136561696efc0a865a61bb735e675

    SHA512

    fbeaa1c73c5619ffdf05e03df186f2c2a20ce9c7007e6a2789e6ddcdd029e5e5c9c504222b84127a19556b1bdfa2b0eced96663d5e3f3486c5cdd923a0a2e422

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe

    Filesize

    14KB

    MD5

    ecf0286c6ea1a29540bdde5cf350d2b1

    SHA1

    03d6dbdb321c341f3943c15c6548368d58a3301f

    SHA256

    4accbeb6371b134cd0d97d6cd15c22270beb3a4aeaf5c261df50c8f6e8fc1ac0

    SHA512

    62e6730c276b35820c8d6b917b6dfd4c9559e3baa329983a33b7370da6a05816c00ecfe9fc03b503187270fee9b4b5fc044bbaa200d0c1cbf3b5f3533158b6a5

  • memory/1872-0-0x00000000742E1000-0x00000000742E2000-memory.dmp

    Filesize

    4KB

  • memory/1872-1-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/1872-2-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/1872-40-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/1872-35-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/1872-34-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/2304-11-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/2304-19-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/2304-20-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/2304-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2304-26-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/2304-17-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/2304-15-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/2304-36-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/2304-7-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/2304-9-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB