Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 27-11-2021 06:02
Behavioral task: behavioral1
- Sample: 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe
- Resource: win10-en-20211104
General
- Target: 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe
- Size: 99KB
- MD5: a0ac9c83e1bc5eaa9b38110495271fca
- SHA1: 1b97e08bd3c91554b3c06335bbc6dc352c46854e
- SHA256: 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e
- SHA512: 881ec13b3333313d955f2c64a9dc3a5c6a8ae8b456c525a406bf25b00dc68b1cce683c4ca513b4a215ea6674df03c5957b8ea742cd9d96a1aa7e381ddd9e64dd
Malware Config
Signatures
- suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
- suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
- Deletes itself (1 IoCs)
  Processes (pid / process):
    436 / cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
    1736 / 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 1736 / 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
    1736 / 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe
    1736 / 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 1736 wrote to memory of 436 / 1736 / 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe / cmd.exe
    PID 1736 wrote to memory of 436 / 1736 / 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe / cmd.exe
    PID 1736 wrote to memory of 436 / 1736 / 244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe / cmd.exe
    PID 436 wrote to memory of 1336 / 436 / cmd.exe / PING.EXE
    PID 436 wrote to memory of 1336 / 436 / cmd.exe / PING.EXE
    PID 436 wrote to memory of 1336 / 436 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 5 -w 5000
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/436-61-0x0000000000000000-mapping.dmp
- memory/1336-62-0x0000000000000000-mapping.dmp
- memory/1736-55-0x00000000003C0000-0x00000000003C1000-memory.dmp (Filesize: 4KB)
- memory/1736-57-0x000000001AA10000-0x000000001AA12000-memory.dmp (Filesize: 8KB)
- memory/1736-58-0x000000001AA12000-0x000000001AA13000-memory.dmp (Filesize: 4KB)
- memory/1736-59-0x000000001AA14000-0x000000001AA15000-memory.dmp (Filesize: 4KB)
- memory/1736-60-0x000000001AA19000-0x000000001AA38000-memory.dmp (Filesize: 124KB)