Malware Analysis Report

2025-04-03 09:07

Sample ID 210422-wy9th7msz6
Target c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe
SHA256 c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868
Tags blacknet 94qf3s persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868

Threat Level: Known bad

The file c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe was found to be: Known bad.

Malicious Activity Summary

blacknet 94qf3s persistence trojan

Blacknet family

BlackNET

Contains code to disable Windows Defender

BlackNET Payload

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-05 15:39

Signatures

BlackNET Payload

Matched (1 hit); no per-event detail recorded (Description, Indicator, Process and Target all N/A).

Blacknet family

blacknet

Contains code to disable Windows Defender

Matched (1 hit); no per-event detail recorded (Description, Indicator, Process and Target all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2021-04-22 00:02

Reported

2021-04-22 00:05

Platform

win7v20210410

Max time kernel

122s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Matched (2 hits); no per-event detail recorded (Description, Indicator, Process and Target all N/A).

Contains code to disable Windows Defender

Matched (2 hits); no per-event detail recorded (Description, Indicator, Process and Target all N/A).

Executes dropped EXE

Process C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

Adds Run key to start application

persistence
Description Set value (str)
Key \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run
Value e162b1333458a713bc6916cc8ac4110c
Data "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"
Process C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe
Target N/A

\REGISTRY\USER\<SID>\... is the kernel name of HKEY_USERS\<SID>\..., i.e. the Run key of the logged-on user's own hive (HKCU), so the dropped copy is relaunched at each logon of that user without needing administrative rights to write the key.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token SeDebugPrivilege, requested by C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe
Token SeDebugPrivilege, requested by C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe

"C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.rtmmodz.a2hosted.com udp (DNS lookup of the domain via Google Public DNS)
N/A 70.32.23.82:80 www.rtmmodz.a2hosted.com tcp (plain HTTP to the resolved host)

Files

memory/1888-59-0x0000000001020000-0x0000000001021000-memory.dmp

memory/1888-61-0x000000001B220000-0x000000001B222000-memory.dmp

memory/1888-62-0x000000001B222000-0x000000001B223000-memory.dmp

memory/1888-63-0x000000001B224000-0x000000001B225000-memory.dmp

memory/1888-64-0x000000001B229000-0x000000001B248000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

MD5 17e73f5c5a7ffa3797a0bdc1816d347b
SHA1 1f7266ab6bd84cb14c9ea97f03260aa4cc363135
SHA256 c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868
SHA512 66eea79ef843663ef26596c56f3a98119b2aa7ed3d302ddcb56a523cd61bb392de7276a7d8a63b23d2daa3685ab87d1910e4c5e35ace1458fa74c8b1baf8afd3

The dropped file's SHA256 is identical to the submitted sample's, so WindowsUpdate.exe is a byte-for-byte copy of the sample written to a user-writable Temp directory and registered under the Run key; one file hash covers both the original and the persisted copy.

memory/756-65-0x0000000000000000-mapping.dmp

memory/756-68-0x0000000001300000-0x0000000001301000-memory.dmp

memory/756-71-0x000000001B162000-0x000000001B163000-memory.dmp

memory/756-70-0x000000001B160000-0x000000001B162000-memory.dmp

memory/756-72-0x000000001B164000-0x000000001B165000-memory.dmp

memory/756-73-0x000000001B169000-0x000000001B188000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-04-22 00:02

Reported

2021-04-22 00:05

Platform

win10v20210408

Max time kernel

18s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Matched (2 hits); no per-event detail recorded (Description, Indicator, Process and Target all N/A).

Contains code to disable Windows Defender

Matched (2 hits); no per-event detail recorded (Description, Indicator, Process and Target all N/A).

Executes dropped EXE

Process C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

Adds Run key to start application

persistence
Description Set value (str)
Key \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run
Value e162b1333458a713bc6916cc8ac4110c
Data "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"
Process C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe
Target N/A

The same value name and data as on the Windows 7 run; only the SID of the per-user hive differs, so the value name e162b1333458a713bc6916cc8ac4110c is a stable indicator across hosts.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe N/A (14 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe N/A (13 events)

Suspicious use of AdjustPrivilegeToken

Token SeDebugPrivilege, requested by C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe
Token SeDebugPrivilege, requested by C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe

"C:\Users\Admin\AppData\Local\Temp\c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.rtmmodz.a2hosted.com udp (DNS lookup of the domain via Google Public DNS)
N/A 70.32.23.82:80 www.rtmmodz.a2hosted.com tcp (plain HTTP to the resolved host)

Files

memory/640-114-0x0000000000380000-0x0000000000381000-memory.dmp

memory/640-116-0x000000001AF10000-0x000000001AF12000-memory.dmp

memory/640-117-0x000000001AF13000-0x000000001AF14000-memory.dmp

memory/640-118-0x000000001AF12000-0x000000001AF13000-memory.dmp

memory/3684-119-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

MD5 17e73f5c5a7ffa3797a0bdc1816d347b
SHA1 1f7266ab6bd84cb14c9ea97f03260aa4cc363135
SHA256 c3cad420d5e8e63d11b2b00d198db8cdf12018ab7080f870b21e29f89a897868
SHA512 66eea79ef843663ef26596c56f3a98119b2aa7ed3d302ddcb56a523cd61bb392de7276a7d8a63b23d2daa3685ab87d1910e4c5e35ace1458fa74c8b1baf8afd3

memory/3684-125-0x000000001B110000-0x000000001B112000-memory.dmp

memory/640-124-0x000000001AF15000-0x000000001AF17000-memory.dmp

memory/3684-127-0x000000001B112000-0x000000001B113000-memory.dmp

memory/3684-126-0x000000001B113000-0x000000001B114000-memory.dmp
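Added example (not part of the sandbox report, and not BlackNET or sandbox code): a small Python triage helper that takes the "Set value" persistence line from the behavioral tables above, rebuilds the HKEY_USERS path and value name a responder would delete, rates the entry against ATT&CK, and checks whether a dropped file is a self-copy of the sample, which is what the identical SHA256 values in the Files sections show. The technique mapping (T1547.001, T1036.005), the path heuristics, and the generated Remove-ItemProperty command are my own assumptions; the input line is quoted from the report and the byte strings used for the hash check are constructed stand-ins.

```python
"""Triage helper for the Run-key persistence and self-copy seen in this report.
Added example; inputs below are constructed from values quoted in the report."""
import hashlib
import re
from dataclasses import dataclass, field

# The "Set value (str) ..." line exactly as the behavioral1 persistence table prints it
# (backslashes inside the quoted data are doubled there, as in the report).
RUN_KEY_EVENT = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c"
    r' = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"'
)

_EVENT_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ =]+) = "(?P<data>.*)"$'
)


@dataclass
class RunKeyFinding:
    sid: str            # SID of the user hive the value was written to ("" for HKLM)
    hkey_path: str      # same key spelled the way regedit / PowerShell show it
    value_name: str
    image_path: str     # value data with the report's doubled backslashes undone
    techniques: list = field(default_factory=list)   # assumed ATT&CK mapping
    reasons: list = field(default_factory=list)


def parse_run_key_event(line: str) -> RunKeyFinding:
    m = _EVENT_RE.match(line)
    if not m:
        raise ValueError("not a 'Set value' event: %r" % line)
    parts = m.group("key").split("\\")   # ['', 'REGISTRY', 'USER', '<SID>', 'Software', ...]
    # \REGISTRY\USER\<SID>\... is the kernel name of HKEY_USERS\<SID>\... (that user's
    # HKCU); \REGISTRY\MACHINE\... is HKEY_LOCAL_MACHINE\...
    if parts[2] == "USER":
        sid, root = parts[3], "HKEY_USERS"
    else:
        sid, root = "", "HKEY_LOCAL_MACHINE"
    finding = RunKeyFinding(
        sid=sid,
        hkey_path=root + "\\" + "\\".join(parts[3:]),
        value_name=m.group("name"),
        image_path=m.group("data").replace("\\\\", "\\"),
    )
    rate(finding)
    return finding


def rate(f: RunKeyFinding) -> None:
    """Attach ATT&CK technique IDs (assumed mapping) and the reasons a triager would cite."""
    f.techniques.append("T1547.001")  # Boot or Logon Autostart Execution: Registry Run Keys
    f.reasons.append("autostart value written under a Run key")
    low = f.image_path.lower()
    base = low.rsplit("\\", 1)[-1]
    if "\\appdata\\local\\temp\\" in low:
        f.reasons.append("autostart image lives under user-writable %LOCALAPPDATA%\\Temp")
    if ("windows" in base or "\\microsoft\\" in low) and not low.startswith(
        ("c:\\windows\\", "c:\\program files")
    ):
        f.techniques.append("T1036.005")  # Masquerading: Match Legitimate Name or Location
        f.reasons.append("name and folder imitate a Windows/Microsoft component outside %SystemRoot%")
    if re.fullmatch(r"[0-9a-f]{32}", f.value_name):
        f.reasons.append("value name is 32 hex digits rather than a product name")


def remediation(f: RunKeyFinding) -> str:
    """PowerShell that deletes exactly this value (hypothetical remediation step)."""
    return 'Remove-ItemProperty -Path "Registry::%s" -Name "%s"' % (f.hkey_path, f.value_name)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_self_copy(sample: bytes, dropped: bytes) -> bool:
    """True when the dropped file is byte-identical to the sample, which is what the
    report shows: WindowsUpdate.exe carries the same SHA256 as the submitted .exe."""
    return sha256_hex(sample) == sha256_hex(dropped)


if __name__ == "__main__":
    f = parse_run_key_event(RUN_KEY_EVENT)
    print("key      :", f.hkey_path)
    print("value    :", f.value_name)
    print("image    :", f.image_path)
    print("ATT&CK   :", ", ".join(f.techniques))
    for r in f.reasons:
        print("reason   :", r)
    print("remediate:", remediation(f))
    sample = b"MZ-constructed-sample-bytes"   # constructed stand-in; hash real files on a host
    print("self-copy:", is_self_copy(sample, sample))
```

On a live host the same parse applies to Sysmon Event ID 13 (registry value set) records after prefixing the TargetObject with the kernel name, and the self-copy check is the reason a single SHA256 block rule covers both the original .exe and the persisted WindowsUpdate.exe here.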