Analysis

max time kernel: 27s
max time network: 69s
platform: windows10_x64
resource: win10v20210408
submitted: 24-08-2021 22:48
Behavioral task behavioral1
Sample: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Resource: win7v20210410

Behavioral task behavioral2
Sample: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Resource: win10v20210408

The results below are from the windows10_x64 run (resource win10v20210408, i.e. behavioral2).
General

Target: 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Size: 76KB
MD5: bc15770f9c1c0735cb5cc9d800476ab0
SHA1: 7700f53b4de7abcd0aa28a1989f73aad394b49bb
SHA256: 4054ee21cbfc210489f119c2d717ca1ae43129fc0d07aefe322fabb3b61d079f
SHA512: 1073a97fbd39f6d96b05d8a52f8d1e9759b879d9fcf4089f1159a3cbed55e0ca6b3da529df09bae0f1c37c259c482c7e56d279e7c0afa58c6f3cbaff615762d4
Malware Config

Extracted family: blacknet
Version: v3.6.0 Public
Botnet / campaign ID: HaCk
C2: http://gpay-safe.ru/x/
Mutex: BN[vSqieqIW-9794388]

Attributes:
antivm: true
elevate_uac: false
install_name: winhost.exe
splitter: |BN|
start_name: a5b002eacf54590ec8401ff6d3f920ee
startup: true
usb_spread: false

The static config lines up with the behaviour recorded below: install_name is the file name of the dropped copy at C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\winhost.exe, start_name is the exact value name written under the user's Run key (startup: true), and elevate_uac: false matches the fact that persistence is written to the user hive rather than HKLM.
Signatures

BlackNET Payload (2 IoCs)
YARA rule family_blacknet matched C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\winhost.exe (two hits on the same dropped file).

Executes dropped EXE (1 IoC)
PID 3044 winhost.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
All three writes set the same string value under the current user's hive (SID S-1-5-21-1594587808-2047097707-2163810515-1000), key \REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Run, value name a5b002eacf54590ec8401ff6d3f920ee:

1. 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe set it to "C:\\Users\\Admin\\AppData\\Local\\Temp\\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe"
2. 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe then set it to "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\winhost.exe"
3. winhost.exe set it again to "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\winhost.exe"

The value is first pointed at the dropper in Temp and then re-pointed at the installed copy, so the persisted entry that survives the run is the winhost.exe path. Note the value name is the 32-hex-character start_name from the extracted config, which is a usable hunting key in its own right.
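The three Run-key IoC strings above, parsed into persistence records and flagged, as an added example that is not part of the sandbox report. The parser targets the report's own `Set value (str) \REGISTRY\... = "..."` line format; the fourth input line is a constructed HKLM control, and the flag rules (user hive, target under AppData\Local\Temp, 32-hex-character value name, which here equals the config's start_name) are the editor's heuristics, not the sandbox's.

```python
"""Turn the report's 'Adds Run key' IoC lines into persistence records and flag them.

Added example, not part of the sandbox report. The first three input lines are
copied from the report; the fourth is a constructed benign control. The flag
rules are the editor's own heuristics.
"""
import re

RUN_KEY_IOCS = [
    # Copied from the report (backslashes in the data are doubled as the report prints them).
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\winhost.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\winhost.exe"',
    # Constructed control (not from the report): machine-wide autorun of a program under Program Files.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater = "C:\\Program Files\\Vendor\\updater.exe"',
]

# Matches the sandbox's "Set value (<type>) <key>\<name> = "<data>"" line for Run / RunOnce keys.
IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?P<rest>.*?)\\CurrentVersion\\Run(?:Once)?)\\'
    r'(?P<name>[^\\=]+?) = "(?P<data>.*)"$'
)


def parse_run_key_ioc(line):
    """Parse one IoC line; return None for lines that are not Run-key writes."""
    m = IOC_RE.match(line)
    if not m:
        return None
    hive = "HKU" if m.group("hive") == "USER" else "HKLM"
    return {
        "hive": hive,
        # For the USER hive the first path component is the account SID.
        "sid": m.group("rest").split("\\")[0] if hive == "HKU" else None,
        "key": m.group("key"),
        "value_name": m.group("name"),
        "value_type": m.group("type"),
        "target": m.group("data").replace("\\\\", "\\"),  # undo the report's escaping
    }


def flag_record(rec):
    """Editor's heuristics for which autorun entries deserve escalation."""
    flags = set()
    if rec["hive"] == "HKU":
        flags.add("user_hive")          # per-user autorun: needs no elevation
    if "\\appdata\\local\\temp\\" in rec["target"].lower():
        flags.add("target_in_temp")     # autorun target lives in a user-writable temp dir
    if re.fullmatch(r"[0-9a-f]{32}", rec["value_name"]):
        flags.add("hash_like_name")     # 32-hex value name, like BlackNET's start_name here
    return flags


def triage_run_keys(lines):
    """Parse, de-duplicate (same key, name and target) and flag Run-key IoC lines."""
    seen, records = set(), []
    for line in lines:
        rec = parse_run_key_ioc(line)
        if rec is None:
            continue
        ident = (rec["key"].lower(), rec["value_name"].lower(), rec["target"].lower())
        if ident in seen:
            continue
        seen.add(ident)
        rec["flags"] = flag_record(rec)
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in triage_run_keys(RUN_KEY_IOCS):
        print(f"{r['hive']}\\...\\Run\\{r['value_name']} -> {r['target']}  flags={sorted(r['flags'])}")
```

The two distinct entries from the report come back carrying all three flags; the constructed HKLM control carries none, which is the split you want before this logic is pointed at a fleet-wide export of Run keys.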
Enumerates physical storage devices (1 TTPs)
Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
That wording is the signature's generic text, not a finding about this sample: the extracted config has usb_spread set to false, and nothing else in this report points to ransomware behaviour.
Runs ping.exe (1 TTPs, 2 IoCs)
PING.EXE is launched twice (PIDs 2172 and 3792), each time by a cmd.exe that uses it as a delay before deleting its parent executable (see the process tree).
Suspicious behavior: EnumeratesProcesses (28 IoCs)
PID 672 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe: 15 events
PID 3044 winhost.exe: 13 events
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 672 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe
Token: SeDebugPrivilege, PID 3044 winhost.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
PID 672 4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe: 2 events
PID 3044 winhost.exe: 2 events
Suspicious use of WriteProcessMemory (10 IoCs)
Each parent/child pair is recorded twice:
PID 672 (4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe) wrote to PID 3316 (cmd.exe)
PID 672 (4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe) wrote to PID 3044 (winhost.exe)
PID 3316 (cmd.exe) wrote to PID 2172 (PING.EXE)
PID 3044 (winhost.exe) wrote to PID 3744 (cmd.exe)
PID 3744 (cmd.exe) wrote to PID 3792 (PING.EXE)

Every target here is a direct child that the writer itself just created, matching the process tree below; there is no write into an unrelated process, so this signature reflects process creation rather than injection into a foreign process.
Processes

C:\Users\Admin\AppData\Local\Temp\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe  (PID 672)
  "C:\Users\Admin\AppData\Local\Temp\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\System32\cmd.exe  (PID 3316)
  |     "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe"
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\system32\PING.EXE  (PID 2172)
  |           ping 1.1.1.1 -n 1 -w 4000
  |           - Runs ping.exe
  |
  +-- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\winhost.exe  (PID 3044)
        "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\winhost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\System32\cmd.exe  (PID 3744)
              "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\winhost.exe"
              - Suspicious use of WriteProcessMemory
              |
              +-- C:\Windows\system32\PING.EXE  (PID 3792)
                    ping 1.1.1.1 -n 1 -w 4000
                    - Runs ping.exe

PIDs are taken from the WriteProcessMemory signature. The cmd.exe command line is the usual delay-then-delete idiom: ping sends a single echo request to 1.1.1.1 with a 4000 ms timeout, which gives the calling executable at most about four seconds to exit before Del removes its file (the ">" Nul redirect only hides ping's output). It appears twice: the original dropper in Temp removes itself after starting winhost.exe, and winhost.exe then issues the same command against its own path, so by the end of this run both files are gone. The report records the second self-delete but does not show what triggered it.
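The delay-then-delete chain described above, turned into detection logic and run over process-creation records, as an added example that is not part of the sandbox report. The event list is constructed from the PIDs and command lines the report shows (plus one constructed benign control); the pid/ppid/image/cmdline schema is an assumed Sysmon-like layout rather than the sandbox's export format, and the rule itself (cmd.exe whose command line pairs a `ping ... -n N` with a Del of the parent's own image) is the editor's, not a signature the sandbox publishes.

```python
"""Flag the 'ping as sleep, then Del' self-deletion chains in a process tree.

Added example, not part of the sandbox report. The event list is constructed
from the PIDs and command lines the report shows; the pid/ppid/image/cmdline
schema is an assumed Sysmon-like layout, not the sandbox's export format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. PID 672's own parent is not shown
# in the report, so 0 is used as a placeholder.
EVENTS = [
    ProcEvent(672, 0,
              r"C:\Users\Admin\AppData\Local\Temp\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe"'),
    ProcEvent(3316, 672, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del '
              r'"C:\Users\Admin\AppData\Local\Temp\4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe"'),
    ProcEvent(2172, 3316, r"C:\Windows\system32\PING.EXE", r"ping 1.1.1.1 -n 1 -w 4000"),
    ProcEvent(3044, 672,
              r"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\winhost.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\winhost.exe"'),
    ProcEvent(3744, 3044, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del '
              r'"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\winhost.exe"'),
    ProcEvent(3792, 3744, r"C:\Windows\system32\PING.EXE", r"ping 1.1.1.1 -n 1 -w 4000"),
    # Constructed benign control (not from the report): ping then del of an unrelated file must not fire.
    ProcEvent(4100, 1200, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /C ping 10.0.0.1 -n 1 & del C:\Temp\old.log"),
]

# ping used purely as a delay: an echo request count given with -n <count>.
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s[^&|]*?-n\s+\d+", re.IGNORECASE)
# The file named by the Del/Erase that follows, quoted or not.
DEL_TARGET = re.compile(r"\b(?:del|erase)\b\s+\"?([^\"&|]+?)\"?\s*(?:$|&|\|)", re.IGNORECASE)


def _norm(path):
    return path.strip().strip('"').lower()


def find_self_delete(events):
    """Return one finding per cmd.exe that sleeps via ping and then deletes its parent's image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        if not PING_SLEEP.search(e.cmdline):
            continue
        m = DEL_TARGET.search(e.cmdline)
        if not m:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _norm(parent.image) != _norm(m.group(1)):
            continue  # deletes something else, or parent unknown: not self-deletion
        findings.append({
            "cmd_pid": e.pid,
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "deleted": m.group(1),
            # ping children of this cmd.exe, to tie the finding back to the "Runs ping.exe" events
            "ping_child": [c.pid for c in events
                           if c.ppid == e.pid and c.image.lower().endswith("\\ping.exe")],
        })
    return findings


if __name__ == "__main__":
    for f in find_self_delete(EVENTS):
        print(f"cmd.exe PID {f['cmd_pid']} (ping {f['ping_child']}) deletes parent "
              f"PID {f['parent_pid']}: {f['deleted']}")
```

Matching the Del target against the parent's image, rather than alerting on every `ping & del`, is what keeps the control event quiet: an operator clearing a log after a reachability check has the same shape but a different target.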
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\winhost.exe (listed twice in the report with identical hashes)
MD5: bc15770f9c1c0735cb5cc9d800476ab0
SHA1: 7700f53b4de7abcd0aa28a1989f73aad394b49bb
SHA256: 4054ee21cbfc210489f119c2d717ca1ae43129fc0d07aefe322fabb3b61d079f
SHA512: 1073a97fbd39f6d96b05d8a52f8d1e9759b879d9fcf4089f1159a3cbed55e0ca6b3da529df09bae0f1c37c259c482c7e56d279e7c0afa58c6f3cbaff615762d4

These hashes are identical to the submitted sample's (see General above): the dropper copies itself byte-for-byte to the install path instead of unpacking a second stage, so hash-based IoCs for the sample also cover the installed winhost.exe.
Memory dumps

PID 672 (4054EE21CBFC210489F119C2D717CA1AE43129FC0D07A.exe):
memory/672-114-0x0000000002730000-0x0000000002732000-memory.dmp (8KB)
memory/672-115-0x0000000002734000-0x0000000002735000-memory.dmp (4KB)
memory/672-116-0x0000000002736000-0x0000000002737000-memory.dmp (4KB)
memory/672-117-0x0000000002739000-0x000000000273A000-memory.dmp (4KB)
memory/672-118-0x000000000273A000-0x000000000273F000-memory.dmp (20KB)

PID 3044 (winhost.exe):
memory/3044-120-0x0000000000000000-mapping.dmp
memory/3044-124-0x0000000002C30000-0x0000000002C32000-memory.dmp (8KB)
memory/3044-125-0x0000000002C34000-0x0000000002C35000-memory.dmp (4KB)
memory/3044-126-0x0000000002C36000-0x0000000002C37000-memory.dmp (4KB)
memory/3044-127-0x0000000002C39000-0x0000000002C3A000-memory.dmp (4KB)
memory/3044-128-0x0000000002C3A000-0x0000000002C3F000-memory.dmp (20KB)

Mapping dumps only (cmd.exe and PING.EXE children, no memory regions captured):
memory/3316-119-0x0000000000000000-mapping.dmp
memory/2172-123-0x0000000000000000-mapping.dmp
memory/3744-129-0x0000000000000000-mapping.dmp
memory/3792-130-0x0000000000000000-mapping.dmp