Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-04-2021 22:02
Behavioral task: behavioral1
- Sample: 17e73f5c5a7ffa3797a0bdc1816d347b.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 17e73f5c5a7ffa3797a0bdc1816d347b.exe
- Resource: win10v20210410
General
- Target: 17e73f5c5a7ffa3797a0bdc1816d347b.exe
- Size: 116KB
- MD5: 17e73f5c5a7ffa3797a0bdc1816d347b
- SHA1: 1f7266ab6bd84cb14c9ea97f03260aa4cc363135
- SHA256: c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868
- SHA512: 66eea79ef843663ef26596c56f3a98119b2aa7ed3d302ddcb56a523cd61bb392de7276a7d8a63b23d2daa3685ab87d1910e4c5e35ace1458fa74c8b1baf8afd3
Malware Config
Extracted
- Family: blacknet
- Version: v3.7.0 Public
- Botnet: 94qF3s
- C2: http://www.rtmmodz.a2hosted.com/
- Mutex: BN[dbdb82ae7c8fe0]
Attributes
- antivm: false
- elevate_uac: false
- install_name: WindowsUpdate.exe
- splitter: |BN|
- start_name: e162b1333458a713bc6916cc8ac4110c
- startup: false
- usb_spread: false
Signatures
- BlackNET Payload (2 IoCs)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe / family_blacknet
  - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe / family_blacknet
- Contains code to disable Windows Defender (2 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe / disable_win_def
  - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe / disable_win_def
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 3496 / WindowsUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" / 17e73f5c5a7ffa3797a0bdc1816d347b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes (pid / process):
  - 2820 / 17e73f5c5a7ffa3797a0bdc1816d347b.exe (16 occurrences)
  - 3496 / WindowsUpdate.exe (16 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 2820 / 17e73f5c5a7ffa3797a0bdc1816d347b.exe
  - Token: SeDebugPrivilege / 3496 / WindowsUpdate.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid / process):
  - 2820 / 17e73f5c5a7ffa3797a0bdc1816d347b.exe (2 occurrences)
  - 3496 / WindowsUpdate.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description / pid / process / target process):
  - PID 2820 wrote to memory of 3496 / 2820 / 17e73f5c5a7ffa3797a0bdc1816d347b.exe / WindowsUpdate.exe
  - PID 2820 wrote to memory of 3496 / 2820 / 17e73f5c5a7ffa3797a0bdc1816d347b.exe / WindowsUpdate.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\17e73f5c5a7ffa3797a0bdc1816d347b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17e73f5c5a7ffa3797a0bdc1816d347b.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe (child of [1])
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
  - MD5: 17e73f5c5a7ffa3797a0bdc1816d347b
  - SHA1: 1f7266ab6bd84cb14c9ea97f03260aa4cc363135
  - SHA256: c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868
  - SHA512: 66eea79ef843663ef26596c56f3a98119b2aa7ed3d302ddcb56a523cd61bb392de7276a7d8a63b23d2daa3685ab87d1910e4c5e35ace1458fa74c8b1baf8afd3
Memory dumps (file / filesize):
- memory/2820-114-0x0000000000EA0000-0x0000000000EA1000-memory.dmp / 4KB
- memory/2820-116-0x000000001BD60000-0x000000001BD62000-memory.dmp / 8KB
- memory/2820-118-0x000000001BD62000-0x000000001BD63000-memory.dmp / 4KB
- memory/2820-117-0x000000001BD63000-0x000000001BD64000-memory.dmp / 4KB
- memory/2820-124-0x000000001BD65000-0x000000001BD67000-memory.dmp / 8KB
- memory/3496-119-0x0000000000000000-mapping.dmp
- memory/3496-125-0x000000001AD60000-0x000000001AD62000-memory.dmp / 8KB
- memory/3496-126-0x000000001AD63000-0x000000001AD64000-memory.dmp / 4KB
- memory/3496-127-0x000000001AD62000-0x000000001AD63000-memory.dmp / 4KB
- memory/3496-128-0x000000001AD65000-0x000000001AD67000-memory.dmp / 8KB