blacknet | c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868

General

Target

17e73f5c5a7ffa3797a0bdc1816d347b.exe
Size

116KB
MD5

17e73f5c5a7ffa3797a0bdc1816d347b
SHA1

1f7266ab6bd84cb14c9ea97f03260aa4cc363135
SHA256

c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868
SHA512

66eea79ef843663ef26596c56f3a98119b2aa7ed3d302ddcb56a523cd61bb392de7276a7d8a63b23d2daa3685ab87d1910e4c5e35ace1458fa74c8b1baf8afd3

Score

10^/10

blacknet 94qf3s persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

94qF3s

C2

http://www.rtmmodz.a2hosted.com/

Mutex

BN[dbdb82ae7c8fe0]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def

Executes dropped EXE 1 IoCs

Processes:

WindowsUpdate.exe

pid process

3496 WindowsUpdate.exe

pid	process
3496	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

17e73f5c5a7ffa3797a0bdc1816d347b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	17e73f5c5a7ffa3797a0bdc1816d347b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

17e73f5c5a7ffa3797a0bdc1816d347b.exeWindowsUpdate.exe

pid	process
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe
3496	WindowsUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

17e73f5c5a7ffa3797a0bdc1816d347b.exeWindowsUpdate.exe

description pid process

Token: SeDebugPrivilege 2820 17e73f5c5a7ffa3797a0bdc1816d347b.exe
Token: SeDebugPrivilege 3496 WindowsUpdate.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

17e73f5c5a7ffa3797a0bdc1816d347b.exeWindowsUpdate.exe

pid process

2820 17e73f5c5a7ffa3797a0bdc1816d347b.exe
2820 17e73f5c5a7ffa3797a0bdc1816d347b.exe
3496 WindowsUpdate.exe
3496 WindowsUpdate.exe

description	pid	process
Token: SeDebugPrivilege	2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe
Token: SeDebugPrivilege	3496	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

17e73f5c5a7ffa3797a0bdc1816d347b.exe

description	pid	process	target process
PID 2820 wrote to memory of 3496	2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe	WindowsUpdate.exe
PID 2820 wrote to memory of 3496	2820	17e73f5c5a7ffa3797a0bdc1816d347b.exe	WindowsUpdate.exe

C:\Users\Admin\AppData\Local\Temp\17e73f5c5a7ffa3797a0bdc1816d347b.exe
"C:\Users\Admin\AppData\Local\Temp\17e73f5c5a7ffa3797a0bdc1816d347b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
MD5
17e73f5c5a7ffa3797a0bdc1816d347b

SHA1
1f7266ab6bd84cb14c9ea97f03260aa4cc363135

SHA256
c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868

SHA512
66eea79ef843663ef26596c56f3a98119b2aa7ed3d302ddcb56a523cd61bb392de7276a7d8a63b23d2daa3685ab87d1910e4c5e35ace1458fa74c8b1baf8afd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
MD5
17e73f5c5a7ffa3797a0bdc1816d347b

SHA1
1f7266ab6bd84cb14c9ea97f03260aa4cc363135

SHA256
c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868

SHA512
66eea79ef843663ef26596c56f3a98119b2aa7ed3d302ddcb56a523cd61bb392de7276a7d8a63b23d2daa3685ab87d1910e4c5e35ace1458fa74c8b1baf8afd3

Download Submit
memory/2820-114-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/2820-116-0x000000001BD60000-0x000000001BD62000-memory.dmp

Filesize
8KB

Download
memory/2820-118-0x000000001BD62000-0x000000001BD63000-memory.dmp

Filesize
4KB

Download
memory/2820-117-0x000000001BD63000-0x000000001BD64000-memory.dmp

Filesize
4KB

Download
memory/2820-124-0x000000001BD65000-0x000000001BD67000-memory.dmp

Filesize
8KB

Download
memory/3496-119-0x0000000000000000-mapping.dmp

Download
memory/3496-125-0x000000001AD60000-0x000000001AD62000-memory.dmp

Filesize
8KB

Download
memory/3496-126-0x000000001AD63000-0x000000001AD64000-memory.dmp

Filesize
4KB

Download
memory/3496-127-0x000000001AD62000-0x000000001AD63000-memory.dmp

Filesize
4KB

Download
memory/3496-128-0x000000001AD65000-0x000000001AD67000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads