Analysis
-
max time kernel
119s -
max time network
56s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
01-08-2021 18:03
Behavioral task
behavioral1
Sample
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
Resource
win10v20210410
General
-
Target
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
-
Size
117KB
-
MD5
b72d429d1d690165c7b0de4a074c4a58
-
SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565
-
SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae
-
SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c
Malware Config
Extracted
blacknet
v3.7.0 Public
Bot
http://furyx.de/panel
BN[c1916af6f3a468e5b6f5c7f6b9c78982]
-
antivm
false
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
e162b1333458a713bc6916cc8ac4110c
-
startup
false
-
usb_spread
true
Signatures
-
BlackNET Payload 2 IoCs
resource yara_rule behavioral1/files/0x00030000000130db-92.dat family_blacknet behavioral1/files/0x00030000000130db-93.dat family_blacknet -
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/files/0x00030000000130db-92.dat disable_win_def behavioral1/files/0x00030000000130db-93.dat disable_win_def -
Executes dropped EXE 1 IoCs
pid Process 1292 WindowsUpdate.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Windows\\Microsoft\\MyClient\\WindowsUpdate.exe" b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Microsoft\MyClient\WindowsUpdate.exe b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe File opened for modification C:\Windows\Microsoft\MyClient\WindowsUpdate.exe b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 864 760 WerFault.exe 26 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1828 schtasks.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 1492 powershell.exe 1492 powershell.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 864 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe Token: SeDebugPrivilege 1492 powershell.exe Token: SeDebugPrivilege 864 WerFault.exe Token: SeDebugPrivilege 1292 WindowsUpdate.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 1292 WindowsUpdate.exe 1292 WindowsUpdate.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 760 wrote to memory of 1492 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 29 PID 760 wrote to memory of 1492 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 29 PID 760 wrote to memory of 1492 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 29 PID 760 wrote to memory of 1524 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 32 PID 760 wrote to memory of 1524 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 32 PID 760 wrote to memory of 1524 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 32 PID 760 wrote to memory of 1292 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 34 PID 760 wrote to memory of 1292 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 34 PID 760 wrote to memory of 1292 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 34 PID 760 wrote to memory of 1828 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 35 PID 760 wrote to memory of 1828 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 35 PID 760 wrote to memory of 1828 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 35 PID 760 wrote to memory of 864 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 37 PID 760 wrote to memory of 864 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 37 PID 760 wrote to memory of 864 760 b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe"C:\Users\Admin\AppData\Local\Temp\b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe"1⤵
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
-
C:\Windows\system32\schtasks.exe"schtasks" /delete /tn "WindowsUpdate.exe" /f2⤵PID:1524
-
-
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1292
-
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:1828
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 760 -s 10602⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:864
-