Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250217-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13/03/2025, 00:59

General

  • Target

    Pool Builder.exe

  • Size

    350KB

  • MD5

    e7ba77b1626b62ae11789ee4e9c2ca31

  • SHA1

    201b5222e5c6d5a59b473be60ec2b1e4536ffb2a

  • SHA256

    5998a91c4e967de42d8576ae037cc9679df136561696efc0a865a61bb735e675

  • SHA512

    fbeaa1c73c5619ffdf05e03df186f2c2a20ce9c7007e6a2789e6ddcdd029e5e5c9c504222b84127a19556b1bdfa2b0eced96663d5e3f3486c5cdd923a0a2e422

  • SSDEEP

    6144:oPxwiPCiY9u9U6mBAQhJpCGLLh2crljStyuqJA2zGFQRH6/2hD:oZY6OAwCYBrRaPqJAIGFQB6+t

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 2 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Pool Builder.exe
    "C:\Users\Admin\AppData\Local\Temp\Pool Builder.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4644
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5820
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2700
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\nezdep.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nezdep.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3096
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\nezdep.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nezdep.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:5972
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Users\Admin\AppData\Local\Temp\SharedReg.exe
        "C:\Users\Admin\AppData\Local\Temp\SharedReg.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5264
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5908
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1268

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bootres.exe.log

    Filesize

    128B

    MD5

    a5dcc7c9c08af7dddd82be5b036a4416

    SHA1

    4f998ca1526d199e355ffb435bae111a2779b994

    SHA256

    e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

    SHA512

    56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

  • C:\Users\Admin\AppData\Local\Temp\SharedReg.exe

    Filesize

    350KB

    MD5

    e7ba77b1626b62ae11789ee4e9c2ca31

    SHA1

    201b5222e5c6d5a59b473be60ec2b1e4536ffb2a

    SHA256

    5998a91c4e967de42d8576ae037cc9679df136561696efc0a865a61bb735e675

    SHA512

    fbeaa1c73c5619ffdf05e03df186f2c2a20ce9c7007e6a2789e6ddcdd029e5e5c9c504222b84127a19556b1bdfa2b0eced96663d5e3f3486c5cdd923a0a2e422

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bootres.exe

    Filesize

    14KB

    MD5

    ecf0286c6ea1a29540bdde5cf350d2b1

    SHA1

    03d6dbdb321c341f3943c15c6548368d58a3301f

    SHA256

    4accbeb6371b134cd0d97d6cd15c22270beb3a4aeaf5c261df50c8f6e8fc1ac0

    SHA512

    62e6730c276b35820c8d6b917b6dfd4c9559e3baa329983a33b7370da6a05816c00ecfe9fc03b503187270fee9b4b5fc044bbaa200d0c1cbf3b5f3533158b6a5

  • memory/1120-23-0x00000000751E0000-0x0000000075791000-memory.dmp

    Filesize

    5.7MB

  • memory/1120-21-0x00000000751E2000-0x00000000751E3000-memory.dmp

    Filesize

    4KB

  • memory/1120-22-0x00000000751E0000-0x0000000075791000-memory.dmp

    Filesize

    5.7MB

  • memory/1120-0-0x00000000751E2000-0x00000000751E3000-memory.dmp

    Filesize

    4KB

  • memory/1120-2-0x00000000751E0000-0x0000000075791000-memory.dmp

    Filesize

    5.7MB

  • memory/1120-28-0x00000000751E0000-0x0000000075791000-memory.dmp

    Filesize

    5.7MB

  • memory/1120-1-0x00000000751E0000-0x0000000075791000-memory.dmp

    Filesize

    5.7MB

  • memory/4996-9-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/4996-11-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/4996-7-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

  • memory/4996-24-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB