Malware Analysis Report

2025-04-03 09:07

Sample ID: 200917-w2zxh52ls6
Target: Windows-1.exe
SHA256: cc5d048942af05983d2f2495d36c63164ac1ef6eeca86ce7835eae706dab476b
Tags: hacked_atid blacknet persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: cc5d048942af05983d2f2495d36c63164ac1ef6eeca86ce7835eae706dab476b

Threat Level: Known bad

The file Windows-1.exe was found to be: Known bad.

Malicious Activity Summary

hacked_atid blacknet persistence trojan

BlackNET Payload

Blacknet family

Contains code to disable Windows Defender

BlackNET

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-08-05 15:39

Signatures

BlackNET Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blacknet family

blacknet

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-09-17 14:15
Reported: 2020-09-17 14:17
Platform: win7v200722
Max time kernel: 13s
Max time network: 13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windows-1.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows-1.exe" | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windows-1.exe

"C:\Users\Admin\AppData\Local\Temp\Windows-1.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | nicurb.com | udp
N/A | 104.27.134.41:443 | nicurb.com | tcp

Files

memory/1056-0-0x000007FEF6760000-0x000007FEF70FD000-memory.dmp

memory/1056-1-0x000007FEF6760000-0x000007FEF70FD000-memory.dmp

memory/1892-3-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

MD5: cb4edb342a3da971a69d4a1cf39175d0
SHA1: eff2200d4301abae9e4b17f35bd5fab150f6cce1
SHA256: cc5d048942af05983d2f2495d36c63164ac1ef6eeca86ce7835eae706dab476b
SHA512: 5bc82c1c2fdf88f0e93c0bb4825058c8e2f7316b506dece23c70fc2f9b7c2b3eacddc82682cbaae028dcfd4851b0c37322a7bf513bf30411eb2bcc4ee4abaecf

memory/1892-6-0x000007FEF6760000-0x000007FEF70FD000-memory.dmp

memory/1892-7-0x000007FEF6760000-0x000007FEF70FD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-09-17 14:15
Reported: 2020-09-17 14:17
Platform: win10v200722
Max time kernel: 37s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windows-1.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows-1.exe" | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Windows-1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windows-1.exe

"C:\Users\Admin\AppData\Local\Temp\Windows-1.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | nicurb.com | udp
N/A | 104.27.134.41:443 | nicurb.com | tcp
N/A | 104.27.134.41:443 | nicurb.com | tcp
N/A | 104.27.134.41:443 | nicurb.com | tcp

Files

memory/3816-0-0x00007FF9A7D00000-0x00007FF9A86A0000-memory.dmp

memory/292-1-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

MD5: cb4edb342a3da971a69d4a1cf39175d0
SHA1: eff2200d4301abae9e4b17f35bd5fab150f6cce1
SHA256: cc5d048942af05983d2f2495d36c63164ac1ef6eeca86ce7835eae706dab476b
SHA512: 5bc82c1c2fdf88f0e93c0bb4825058c8e2f7316b506dece23c70fc2f9b7c2b3eacddc82682cbaae028dcfd4851b0c37322a7bf513bf30411eb2bcc4ee4abaecf

memory/292-4-0x00007FF9A7D00000-0x00007FF9A86A0000-memory.dmp