blacknet | 90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320

General

Target

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe
Size

228KB
MD5

e12000b9b526a5caff5b13d2cb2d07d0
SHA1

7f9227195996aac1d27b38d5b95a837e8c2b43c2
SHA256

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320
SHA512

a506b0e76e72cf2e4f92e60c12ac4cee7aedcca37e3aa6c71eb3150438363122e4e880608cfde334c51de4aaf9e5677d5a7b353f1fb3ef49741ef9a3467a2643

Score

10^/10

blacknet microwave coreentity evasion rezer0 trojan

Malware Config

Extracted

Family

blacknet

Version

v3.5 Public

Botnet

Microwave

C2

http://thehacker.club/update

Mutex

BN[GBefMSlt-8433340]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
14247ae8e9bdf8a07859c46cc6c701e5
startup
false
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3164-12-0x0000000000400000-0x000000000041A000-memory.dmp	family_blacknet
behavioral2/memory/3164-13-0x0000000000412A4E-mapping.dmp	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/3164-12-0x0000000000400000-0x000000000041A000-memory.dmp	disable_win_def
behavioral2/memory/3164-13-0x0000000000412A4E-mapping.dmp	disable_win_def

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral2/memory/4632-6-0x0000000004DA0000-0x0000000004DA2000-memory.dmp	coreentity

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/4632-7-0x0000000008160000-0x000000000817C000-memory.dmp	rezer0

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe

description	pid	process	target process
PID 4632 set thread context of 3164	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4148 schtasks.exe

pid	process
4148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exeRegSvcs.exe

pid	process
4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe
3164	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe
Token: SeDebugPrivilege	3164	RegSvcs.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegSvcs.exe

pid process

3164 RegSvcs.exe
3164 RegSvcs.exe

pid	process
3164	RegSvcs.exe
3164	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe

description	pid	process	target process
PID 4632 wrote to memory of 4148	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	schtasks.exe
PID 4632 wrote to memory of 4148	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	schtasks.exe
PID 4632 wrote to memory of 4148	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	schtasks.exe
PID 4632 wrote to memory of 3164	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	RegSvcs.exe
PID 4632 wrote to memory of 3164	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	RegSvcs.exe
PID 4632 wrote to memory of 3164	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	RegSvcs.exe
PID 4632 wrote to memory of 3164	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	RegSvcs.exe
PID 4632 wrote to memory of 3164	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	RegSvcs.exe
PID 4632 wrote to memory of 3164	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	RegSvcs.exe
PID 4632 wrote to memory of 3164	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	RegSvcs.exe
PID 4632 wrote to memory of 3164	4632	90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe
"C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SneHmbYnNye" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C2B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7C2B.tmp

MD5
5749006af8bba46625320b8e9de360c2

SHA1
ae81696ef9e1e95ea742b2cbf133ccd6b826eb21

SHA256
e164898aa8f21a4a1bea33c5fb46c3a6b6321fa03beea5eb7dc5700cd404b4fc

SHA512
2d5ed03b1c35bd6d5a965ffb926054b43ea3672c2c17a67340add33d1574f21854e9f012ba380d528dfa29fc05dcbb6a9c3e5d561273a0c5d5dc19c05ccd0830

Download Submit
memory/3164-21-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/3164-14-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/3164-13-0x0000000000412A4E-mapping.dmp

Download
memory/3164-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4148-10-0x0000000000000000-mapping.dmp

Download
memory/4632-4-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4632-8-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/4632-9-0x00000000064D0000-0x00000000064D1000-memory.dmp

Filesize
4KB

Download
memory/4632-7-0x0000000008160000-0x000000000817C000-memory.dmp

Filesize
112KB

Download
memory/4632-6-0x0000000004DA0000-0x0000000004DA2000-memory.dmp

Filesize
8KB

Download
memory/4632-5-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4632-0-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4632-3-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4632-1-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads