Overview

overview

10

Static

static

10

244334e578...6e.exe

windows7_x64

10

244334e578...6e.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    27-11-2021 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe

  • Size

    99KB

  • MD5

    a0ac9c83e1bc5eaa9b38110495271fca

  • SHA1

    1b97e08bd3c91554b3c06335bbc6dc352c46854e

  • SHA256

    244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e

  • SHA512

    881ec13b3333313d955f2c64a9dc3a5c6a8ae8b456c525a406bf25b00dc68b1cce683c4ca513b4a215ea6674df03c5957b8ea742cd9d96a1aa7e381ddd9e64dd

Score
10/10
suricata

Malware Config

Signatures

  • suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

    suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

    suricata
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe
    "C:\Users\Admin\AppData\Local\Temp\244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\244334e5785b37a3968287bf88eb6ac6ab2715126af65c4797aeb4cb5e11906e.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 5 -w 5000
        3⤵
        • Runs ping.exe
        PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/436-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1336-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1736-55-0x00000000003C0000-0x00000000003C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1736-57-0x000000001AA10000-0x000000001AA12000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1736-58-0x000000001AA12000-0x000000001AA13000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1736-59-0x000000001AA14000-0x000000001AA15000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1736-60-0x000000001AA19000-0x000000001AA38000-memory.dmp
    Filesize

    124KB

    Download