Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 20:45
General
-
Target
90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe
-
Size
228KB
-
MD5
e12000b9b526a5caff5b13d2cb2d07d0
-
SHA1
7f9227195996aac1d27b38d5b95a837e8c2b43c2
-
SHA256
90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320
-
SHA512
a506b0e76e72cf2e4f92e60c12ac4cee7aedcca37e3aa6c71eb3150438363122e4e880608cfde334c51de4aaf9e5677d5a7b353f1fb3ef49741ef9a3467a2643
Malware Config
Extracted
blacknet
v3.5 Public
Microwave
http://thehacker.club/update
BN[GBefMSlt-8433340]
-
antivm
false
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
14247ae8e9bdf8a07859c46cc6c701e5
-
startup
false
-
usb_spread
false
Signatures
-
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
-
BlackNET Payload 2 IoCs
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe"C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SneHmbYnNye" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C2B.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB