Malware Analysis Report

2025-04-03 09:07

Sample ID 201109-3fyklnqg4j
Target 90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320
SHA256 90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320
Tags: blacknet microwave coreentity evasion rezer0 trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320

Threat Level: Known bad

The file 90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320 was found to be: Known bad.

Malicious Activity Summary

blacknet microwave coreentity evasion rezer0 trojan

BlackNET

Contains code to disable Windows Defender

BlackNET Payload

CoreEntity .NET Packer

Looks for VirtualBox Guest Additions in registry

ReZer0 packer

Looks for VMWare Tools registry key

Checks BIOS information in registry

Maps connected drives based on registry

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-08-05 15:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-11-09 20:45
Reported: 2020-11-11 00:17
Platform: win7v20201028
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

CoreEntity .NET Packer

coreentity
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion

ReZer0 packer

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 756 set thread context of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 756 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\SysWOW64\schtasks.exe
PID 756 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\SysWOW64\schtasks.exe
PID 756 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\SysWOW64\schtasks.exe
PID 756 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\SysWOW64\schtasks.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe

"C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SneHmbYnNye" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFE5.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | thehacker.club | udp

Files

memory/756-0-0x00000000748C0000-0x0000000074FAE000-memory.dmp

memory/756-1-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/756-3-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/756-4-0x00000000004E0000-0x00000000004FC000-memory.dmp

memory/1500-5-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBFE5.tmp

MD5: 2b8f10999c709d3a1fd33df86fc9ea89
SHA1: bb0e1b72bb3be3e544dcb02b1dfb4a527a90f834
SHA256: 45637a85becc9e6033e27cd759a5f226f173265334d9c0adfb9d88ab855118fb
SHA512: 52c344f82635d4f8f01cafa405dd1a3507d31949f86df9092d111b4398d3f60bd76c60a88c672d099e4482b254366431b80ff84057e1cbcf1711db58084fb590

memory/592-7-0x0000000000400000-0x000000000041A000-memory.dmp

memory/592-9-0x0000000000400000-0x000000000041A000-memory.dmp

memory/592-8-0x0000000000412A4E-mapping.dmp

memory/592-10-0x0000000000400000-0x000000000041A000-memory.dmp

memory/592-11-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-11-09 20:45
Reported: 2020-11-11 00:18
Platform: win10v20201028
Max time kernel: 144s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

CoreEntity .NET Packer

coreentity
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion

ReZer0 packer

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4632 set thread context of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4632 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4632 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4632 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4632 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4632 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4632 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4632 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4632 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4632 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4632 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4632 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe

"C:\Users\Admin\AppData\Local\Temp\90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SneHmbYnNye" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C2B.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp
N/A | 8.8.8.8:53 | thehacker.club | udp

Files

memory/4632-0-0x0000000073D60000-0x000000007444E000-memory.dmp

memory/4632-1-0x0000000000100000-0x0000000000101000-memory.dmp

memory/4632-3-0x0000000004E50000-0x0000000004E51000-memory.dmp

memory/4632-4-0x00000000049F0000-0x00000000049F1000-memory.dmp

memory/4632-5-0x0000000004980000-0x0000000004981000-memory.dmp

memory/4632-6-0x0000000004DA0000-0x0000000004DA2000-memory.dmp

memory/4632-7-0x0000000008160000-0x000000000817C000-memory.dmp

memory/4632-8-0x0000000008220000-0x0000000008221000-memory.dmp

memory/4632-9-0x00000000064D0000-0x00000000064D1000-memory.dmp

memory/4148-10-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7C2B.tmp

MD5: 5749006af8bba46625320b8e9de360c2
SHA1: ae81696ef9e1e95ea742b2cbf133ccd6b826eb21
SHA256: e164898aa8f21a4a1bea33c5fb46c3a6b6321fa03beea5eb7dc5700cd404b4fc
SHA512: 2d5ed03b1c35bd6d5a965ffb926054b43ea3672c2c17a67340add33d1574f21854e9f012ba380d528dfa29fc05dcbb6a9c3e5d561273a0c5d5dc19c05ccd0830

memory/3164-12-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3164-13-0x0000000000412A4E-mapping.dmp

memory/3164-14-0x0000000073D60000-0x000000007444E000-memory.dmp

memory/3164-21-0x0000000005760000-0x0000000005761000-memory.dmp