blacknet | e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a

Resubmissions

23-12-2021 07:30

211223-jb58sahcb8 10

01-08-2021 06:01

210801-6cpqcbz1gx 10

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
23-12-2021 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
Size

220KB
MD5

97cb3fda3cff430377a866d6b437de8f
SHA1

2359c8459c1e1dd133c2842b51d2982e63016f92
SHA256

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a
SHA512

e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f

Score

10^/10

blacknet bot evasion persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

http://furyx.de/panel

Mutex

BN[c1916af6f3a468e5b6f5c7f6b9c78982]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
true

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 9 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\furz.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\furz.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\furz.exe	family_blacknet
behavioral1/memory/1496-82-0x00000000011C0000-0x00000000011E2000-memory.dmp	family_blacknet
behavioral1/memory/1496-83-0x00000000011C0000-0x00000000011E2000-memory.dmp	family_blacknet
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
behavioral1/memory/1168-120-0x00000000010B0000-0x00000000010D2000-memory.dmp	family_blacknet
behavioral1/memory/1168-121-0x00000000010B0000-0x00000000010D2000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 9 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\furz.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\furz.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\furz.exe	disable_win_def
behavioral1/memory/1496-82-0x00000000011C0000-0x00000000011E2000-memory.dmp	disable_win_def
behavioral1/memory/1496-83-0x00000000011C0000-0x00000000011E2000-memory.dmp	disable_win_def
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
behavioral1/memory/1168-120-0x00000000010B0000-0x00000000010D2000-memory.dmp	disable_win_def
behavioral1/memory/1168-121-0x00000000010B0000-0x00000000010D2000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 5 IoCs

Processes:

furz.exeUacTest.exeInpwdja.exeMnrjvryib.exeWindowsUpdate.exe

pid process

1496 furz.exe
1936 UacTest.exe
1772 Inpwdja.exe
880 Mnrjvryib.exe
1168 WindowsUpdate.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1268 cmd.exe

pid	process
1496	furz.exe
1936	UacTest.exe
1772	Inpwdja.exe
880	Mnrjvryib.exe
1168	WindowsUpdate.exe

pid	process
1268	cmd.exe

Loads dropped DLL 6 IoCs

Processes:

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exeUacTest.exe

pid	process
760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
1936	UacTest.exe
1936	UacTest.exe
1936	UacTest.exe
1936	UacTest.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

furz.exeWindowsUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	furz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exefurz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Windows\\Microsoft\\MyClient\\WindowsUpdate.exe"	furz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe

description	pid	process	target process
PID 1576 set thread context of 760	1576	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe

Drops file in Windows directory 3 IoCs

Processes:

furz.exeWindowsUpdate.exe

description	ioc	process
File created	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe
File opened for modification	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe
File created	C:\Windows\Microsoft\MyClient\svchosts.exe	WindowsUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1692 1496 WerFault.exe furz.exe
956 1168 WerFault.exe WindowsUpdate.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

552 schtasks.exe
668 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1484 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1744 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

328 PING.EXE
1528 PING.EXE

pid	pid_target	process	target process
1692	1496	WerFault.exe	furz.exe
956	1168	WerFault.exe	WindowsUpdate.exe

pid	process
552	schtasks.exe
668	schtasks.exe

pid	process
1484	taskkill.exe

pid	process
1744	reg.exe

pid	process
328	PING.EXE
1528	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exefurz.exepowershell.exe

pid	process
760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1264	powershell.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe
1496	furz.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exetaskkill.exefurz.exepowershell.exeWerFault.exeWindowsUpdate.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1496	furz.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1692	WerFault.exe
Token: SeDebugPrivilege	1168	WindowsUpdate.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	956	WerFault.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

furz.exeWindowsUpdate.exe

pid process

1496 furz.exe
1496 furz.exe
1496 furz.exe
1168 WindowsUpdate.exe
1168 WindowsUpdate.exe
1168 WindowsUpdate.exe

pid	process
1496	furz.exe
1496	furz.exe
1496	furz.exe
1168	WindowsUpdate.exe
1168	WindowsUpdate.exe
1168	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exee6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.execmd.exeUacTest.exeInpwdja.exeMnrjvryib.execmd.execmd.execmd.exefurz.exe

description	pid	process	target process
PID 1576 wrote to memory of 760	1576	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
PID 1576 wrote to memory of 760	1576	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
PID 1576 wrote to memory of 760	1576	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
PID 1576 wrote to memory of 760	1576	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
PID 1576 wrote to memory of 760	1576	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
PID 1576 wrote to memory of 760	1576	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
PID 1576 wrote to memory of 760	1576	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
PID 1576 wrote to memory of 760	1576	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
PID 1576 wrote to memory of 760	1576	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
PID 760 wrote to memory of 1496	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	furz.exe
PID 760 wrote to memory of 1496	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	furz.exe
PID 760 wrote to memory of 1496	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	furz.exe
PID 760 wrote to memory of 1496	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	furz.exe
PID 760 wrote to memory of 1936	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	UacTest.exe
PID 760 wrote to memory of 1936	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	UacTest.exe
PID 760 wrote to memory of 1936	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	UacTest.exe
PID 760 wrote to memory of 1936	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	UacTest.exe
PID 760 wrote to memory of 1268	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	cmd.exe
PID 760 wrote to memory of 1268	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	cmd.exe
PID 760 wrote to memory of 1268	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	cmd.exe
PID 760 wrote to memory of 1268	760	e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe	cmd.exe
PID 1268 wrote to memory of 328	1268	cmd.exe	PING.EXE
PID 1268 wrote to memory of 328	1268	cmd.exe	PING.EXE
PID 1268 wrote to memory of 328	1268	cmd.exe	PING.EXE
PID 1268 wrote to memory of 328	1268	cmd.exe	PING.EXE
PID 1268 wrote to memory of 1528	1268	cmd.exe	PING.EXE
PID 1268 wrote to memory of 1528	1268	cmd.exe	PING.EXE
PID 1268 wrote to memory of 1528	1268	cmd.exe	PING.EXE
PID 1268 wrote to memory of 1528	1268	cmd.exe	PING.EXE
PID 1936 wrote to memory of 1772	1936	UacTest.exe	Inpwdja.exe
PID 1936 wrote to memory of 1772	1936	UacTest.exe	Inpwdja.exe
PID 1936 wrote to memory of 1772	1936	UacTest.exe	Inpwdja.exe
PID 1936 wrote to memory of 1772	1936	UacTest.exe	Inpwdja.exe
PID 1936 wrote to memory of 880	1936	UacTest.exe	Mnrjvryib.exe
PID 1936 wrote to memory of 880	1936	UacTest.exe	Mnrjvryib.exe
PID 1936 wrote to memory of 880	1936	UacTest.exe	Mnrjvryib.exe
PID 1936 wrote to memory of 880	1936	UacTest.exe	Mnrjvryib.exe
PID 1772 wrote to memory of 1404	1772	Inpwdja.exe	cmd.exe
PID 1772 wrote to memory of 1404	1772	Inpwdja.exe	cmd.exe
PID 1772 wrote to memory of 1404	1772	Inpwdja.exe	cmd.exe
PID 1772 wrote to memory of 1404	1772	Inpwdja.exe	cmd.exe
PID 880 wrote to memory of 1096	880	Mnrjvryib.exe	cmd.exe
PID 880 wrote to memory of 1096	880	Mnrjvryib.exe	cmd.exe
PID 880 wrote to memory of 1096	880	Mnrjvryib.exe	cmd.exe
PID 880 wrote to memory of 1096	880	Mnrjvryib.exe	cmd.exe
PID 1404 wrote to memory of 964	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 964	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 964	1404	cmd.exe	cmd.exe
PID 1096 wrote to memory of 1484	1096	cmd.exe	taskkill.exe
PID 1096 wrote to memory of 1484	1096	cmd.exe	taskkill.exe
PID 1096 wrote to memory of 1484	1096	cmd.exe	taskkill.exe
PID 964 wrote to memory of 1744	964	cmd.exe	reg.exe
PID 964 wrote to memory of 1744	964	cmd.exe	reg.exe
PID 964 wrote to memory of 1744	964	cmd.exe	reg.exe
PID 1496 wrote to memory of 1264	1496	furz.exe	powershell.exe
PID 1496 wrote to memory of 1264	1496	furz.exe	powershell.exe
PID 1496 wrote to memory of 1264	1496	furz.exe	powershell.exe
PID 1496 wrote to memory of 1900	1496	furz.exe	schtasks.exe
PID 1496 wrote to memory of 1900	1496	furz.exe	schtasks.exe
PID 1496 wrote to memory of 1900	1496	furz.exe	schtasks.exe
PID 1496 wrote to memory of 1168	1496	furz.exe	WindowsUpdate.exe
PID 1496 wrote to memory of 1168	1496	furz.exe	WindowsUpdate.exe
PID 1496 wrote to memory of 1168	1496	furz.exe	WindowsUpdate.exe
PID 1496 wrote to memory of 552	1496	furz.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
"C:\Users\Admin\AppData\Local\Temp\e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe
"C:\Users\Admin\AppData\Local\Temp\e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\furz.exe
"C:\Users\Admin\AppData\Local\Temp\furz.exe"
3⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\schtasks.exe
"schtasks" /delete /tn "WindowsUpdate.exe" /f
4⤵
PID:1900

C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
"C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"
4⤵
- Executes dropped EXE
- Windows security modification
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\schtasks.exe
"schtasks" /delete /tn "WindowsUpdate.exe" /f
5⤵
PID:676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1168 -s 940
5⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:552

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1496 -s 2308
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Users\Admin\AppData\Local\Temp\UacTest.exe
"C:\Users\Admin\AppData\Local\Temp\UacTest.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
"C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F151.tmp\F162.tmp\F163.bat C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- Modifies registry key
PID:1744

C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
"C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F1CE.tmp\F1DF.tmp\F1E0.bat C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\system32\taskkill.exe
Taskkill /IM cmd.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
4⤵
- Runs ping.exe
PID:328

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
4⤵
- Runs ping.exe
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
33a34db4007f69df5d6e78a0ea99dc41

SHA1
7979366b84b80ad016faff29680e1631b10aa131

SHA256
419f893fea92b73c181d2d72942364ff5b645068c11f2213c87cdba00a02185f

SHA512
53f50c3454be96b6b3673f15c37efa81fcf8f4414fd4ab0fede4920f527598fb2c84b0a9f8a8b36557121c9482ed106e4cad7802aa640b7d29924a54111ad83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F151.tmp\F162.tmp\F163.bat
MD5
befbbfdadeef80e445fdd152a121a6d1

SHA1
67019f2a12662f2ff92dc7977769b0debdbf564e

SHA256
0848f1ac65974856844e59ff3b8d492c88acf43f0fd64505d5bf3fd4e43d9da6

SHA512
867c4ee6cb22ba7ba0d5aa9c16d321f36013588b6057e3f3f0e6de670481ab1f7d46c1553b9410ff753de7e923d1b774db0c8297091fd9c852bdc96fee43ee32

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1CE.tmp\F1DF.tmp\F1E0.bat
MD5
4f4ecd10fc86be6be730390c06be67c8

SHA1
4c59c25907109fd48d8d94caaa8b8266ffa3c7c3

SHA256
a9bf329ec3514d7d5698851137d508b763b1a627747b1ce40ddd5c524538459c

SHA512
b4e89c807071e770b9327693032c8d1ebc06811dfeccfe0892e00deb449b75cb5d921ed2f7ae53d3fae00837bd6eed3fcb0bfc7168cad0f0c44997e51e4365f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
MD5
d1082e6ae11fecd45ebe0f2b3d32230d

SHA1
c070a8395ccb984f5bcd8f22629ffa1b41ea14c1

SHA256
dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77

SHA512
d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
MD5
d1082e6ae11fecd45ebe0f2b3d32230d

SHA1
c070a8395ccb984f5bcd8f22629ffa1b41ea14c1

SHA256
dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77

SHA512
d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
MD5
5303046dacbdfcb013ff016a72311e22

SHA1
deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009

SHA256
46618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a

SHA512
261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
MD5
5303046dacbdfcb013ff016a72311e22

SHA1
deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009

SHA256
46618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a

SHA512
261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UacTest.exe
MD5
7c011f0ea2387f0124c959e3f663cb4d

SHA1
12e668079661c557963236786bb821af4628ee1b

SHA256
6b69a8fd83ca150642a20128f84cdd2e91aaa6852e705e55e4116caa487903c4

SHA512
f5770246c943a997c96713a721d512fc0eaf530f3b7d22abe56f50d35b582af4b9f86a65113dee0f09aa7766d257ac0b29a9a56348891339399a2923b399925e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UacTest.exe
MD5
7c011f0ea2387f0124c959e3f663cb4d

SHA1
12e668079661c557963236786bb821af4628ee1b

SHA256
6b69a8fd83ca150642a20128f84cdd2e91aaa6852e705e55e4116caa487903c4

SHA512
f5770246c943a997c96713a721d512fc0eaf530f3b7d22abe56f50d35b582af4b9f86a65113dee0f09aa7766d257ac0b29a9a56348891339399a2923b399925e

Download Submit
C:\Users\Admin\AppData\Local\Temp\furz.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\furz.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
e47aaa1877c36e3176e8b4824912e604

SHA1
e581dd26dc534048d52d119ee793fe44ed9e9a17

SHA256
c74a53edb48d436949ac8ad725e5891eb073c0f644b33c28c06221839d70a31e

SHA512
28c80d1d74c8b9bdce7694ddcd3b63d703afa80ce7a270ea37314202c36edb70fcdbcc0d645c304fef1568c4ea5b6611fed644373496cf427b1ca48d9ed2972c

Download Submit
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
\Users\Admin\AppData\Local\Temp\Inpwdja.exe
MD5
d1082e6ae11fecd45ebe0f2b3d32230d

SHA1
c070a8395ccb984f5bcd8f22629ffa1b41ea14c1

SHA256
dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77

SHA512
d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3

Download Submit
\Users\Admin\AppData\Local\Temp\Inpwdja.exe
MD5
d1082e6ae11fecd45ebe0f2b3d32230d

SHA1
c070a8395ccb984f5bcd8f22629ffa1b41ea14c1

SHA256
dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77

SHA512
d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3

Download Submit
\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
MD5
5303046dacbdfcb013ff016a72311e22

SHA1
deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009

SHA256
46618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a

SHA512
261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b

Download Submit
\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
MD5
5303046dacbdfcb013ff016a72311e22

SHA1
deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009

SHA256
46618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a

SHA512
261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b

Download Submit
\Users\Admin\AppData\Local\Temp\UacTest.exe
MD5
7c011f0ea2387f0124c959e3f663cb4d

SHA1
12e668079661c557963236786bb821af4628ee1b

SHA256
6b69a8fd83ca150642a20128f84cdd2e91aaa6852e705e55e4116caa487903c4

SHA512
f5770246c943a997c96713a721d512fc0eaf530f3b7d22abe56f50d35b582af4b9f86a65113dee0f09aa7766d257ac0b29a9a56348891339399a2923b399925e

Download Submit
\Users\Admin\AppData\Local\Temp\furz.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
memory/328-80-0x0000000000000000-mapping.dmp

Download
memory/552-122-0x0000000000000000-mapping.dmp

Download
memory/668-156-0x0000000000000000-mapping.dmp

Download
memory/676-153-0x0000000000000000-mapping.dmp

Download
memory/760-63-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/760-59-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/760-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/760-61-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/760-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/760-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/760-64-0x000000000042C00E-mapping.dmp

Download
memory/760-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/760-67-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/760-68-0x00000000048D5000-0x00000000048E6000-memory.dmp

Filesize
68KB

Download
memory/880-94-0x0000000000000000-mapping.dmp

Download
memory/956-169-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/956-154-0x0000000000000000-mapping.dmp

Download
memory/964-101-0x0000000000000000-mapping.dmp

Download
memory/1044-151-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/1044-142-0x0000000000000000-mapping.dmp

Download
memory/1044-145-0x000007FEEB580000-0x000007FEEC0DD000-memory.dmp

Filesize
11.4MB

Download
memory/1044-147-0x0000000002570000-0x0000000002572000-memory.dmp

Filesize
8KB

Download
memory/1044-148-0x0000000002572000-0x0000000002574000-memory.dmp

Filesize
8KB

Download
memory/1044-149-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1044-150-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/1096-98-0x0000000000000000-mapping.dmp

Download
memory/1168-159-0x000000001B63A000-0x000000001B63B000-memory.dmp

Filesize
4KB

Download
memory/1168-139-0x000000001B614000-0x000000001B615000-memory.dmp

Filesize
4KB

Download
memory/1168-165-0x000000001B640000-0x000000001B641000-memory.dmp

Filesize
4KB

Download
memory/1168-160-0x000000001B63B000-0x000000001B63C000-memory.dmp

Filesize
4KB

Download
memory/1168-163-0x000000001B63E000-0x000000001B63F000-memory.dmp

Filesize
4KB

Download
memory/1168-157-0x000000001B638000-0x000000001B639000-memory.dmp

Filesize
4KB

Download
memory/1168-158-0x000000001B639000-0x000000001B63A000-memory.dmp

Filesize
4KB

Download
memory/1168-166-0x000000001B641000-0x000000001B642000-memory.dmp

Filesize
4KB

Download
memory/1168-121-0x00000000010B0000-0x00000000010D2000-memory.dmp

Filesize
136KB

Download
memory/1168-162-0x000000001B63D000-0x000000001B63E000-memory.dmp

Filesize
4KB

Download
memory/1168-140-0x000000001B619000-0x000000001B638000-memory.dmp

Filesize
124KB

Download
memory/1168-137-0x000000001B610000-0x000000001B612000-memory.dmp

Filesize
8KB

Download
memory/1168-138-0x000000001B612000-0x000000001B613000-memory.dmp

Filesize
4KB

Download
memory/1168-161-0x000000001B63C000-0x000000001B63D000-memory.dmp

Filesize
4KB

Download
memory/1168-168-0x000000001B643000-0x000000001B644000-memory.dmp

Filesize
4KB

Download
memory/1168-117-0x0000000000000000-mapping.dmp

Download
memory/1168-167-0x000000001B642000-0x000000001B643000-memory.dmp

Filesize
4KB

Download
memory/1168-164-0x000000001B63F000-0x000000001B640000-memory.dmp

Filesize
4KB

Download
memory/1168-120-0x00000000010B0000-0x00000000010D2000-memory.dmp

Filesize
136KB

Download
memory/1168-170-0x000000001B644000-0x000000001B645000-memory.dmp

Filesize
4KB

Download
memory/1264-112-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/1264-113-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/1264-106-0x0000000000000000-mapping.dmp

Download
memory/1264-107-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

Filesize
8KB

Download
memory/1264-109-0x00000000025D0000-0x00000000025D2000-memory.dmp

Filesize
8KB

Download
memory/1264-110-0x00000000025D2000-0x00000000025D4000-memory.dmp

Filesize
8KB

Download
memory/1264-111-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1264-108-0x000007FEEBA40000-0x000007FEEC59D000-memory.dmp

Filesize
11.4MB

Download
memory/1268-79-0x0000000000000000-mapping.dmp

Download
memory/1404-96-0x0000000000000000-mapping.dmp

Download
memory/1484-102-0x0000000000000000-mapping.dmp

Download
memory/1496-135-0x000000001B2B2000-0x000000001B2B3000-memory.dmp

Filesize
4KB

Download
memory/1496-128-0x000000001B2AB000-0x000000001B2AC000-memory.dmp

Filesize
4KB

Download
memory/1496-133-0x000000001B2B0000-0x000000001B2B1000-memory.dmp

Filesize
4KB

Download
memory/1496-70-0x0000000000000000-mapping.dmp

Download
memory/1496-136-0x000000001B2B3000-0x000000001B2B4000-memory.dmp

Filesize
4KB

Download
memory/1496-125-0x000000001B2A8000-0x000000001B2A9000-memory.dmp

Filesize
4KB

Download
memory/1496-134-0x000000001B2B1000-0x000000001B2B2000-memory.dmp

Filesize
4KB

Download
memory/1496-141-0x000000001B2B4000-0x000000001B2B5000-memory.dmp

Filesize
4KB

Download
memory/1496-131-0x000000001B2AE000-0x000000001B2AF000-memory.dmp

Filesize
4KB

Download
memory/1496-132-0x000000001B2AF000-0x000000001B2B0000-memory.dmp

Filesize
4KB

Download
memory/1496-129-0x000000001B2AC000-0x000000001B2AD000-memory.dmp

Filesize
4KB

Download
memory/1496-82-0x00000000011C0000-0x00000000011E2000-memory.dmp

Filesize
136KB

Download
memory/1496-130-0x000000001B2AD000-0x000000001B2AE000-memory.dmp

Filesize
4KB

Download
memory/1496-127-0x000000001B2AA000-0x000000001B2AB000-memory.dmp

Filesize
4KB

Download
memory/1496-104-0x000000001B284000-0x000000001B285000-memory.dmp

Filesize
4KB

Download
memory/1496-105-0x000000001B289000-0x000000001B2A8000-memory.dmp

Filesize
124KB

Download
memory/1496-83-0x00000000011C0000-0x00000000011E2000-memory.dmp

Filesize
136KB

Download
memory/1496-85-0x000000001B280000-0x000000001B282000-memory.dmp

Filesize
8KB

Download
memory/1496-126-0x000000001B2A9000-0x000000001B2AA000-memory.dmp

Filesize
4KB

Download
memory/1496-86-0x000000001B282000-0x000000001B283000-memory.dmp

Filesize
4KB

Download
memory/1528-81-0x0000000000000000-mapping.dmp

Download
memory/1576-58-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/1576-55-0x00000000013A0000-0x00000000013DE000-memory.dmp

Filesize
248KB

Download
memory/1576-56-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1576-54-0x00000000013A0000-0x00000000013DE000-memory.dmp

Filesize
248KB

Download
memory/1576-57-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1692-123-0x0000000000000000-mapping.dmp

Download
memory/1692-146-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1744-103-0x0000000000000000-mapping.dmp

Download
memory/1772-89-0x0000000000000000-mapping.dmp

Download
memory/1900-114-0x0000000000000000-mapping.dmp

Download
memory/1936-74-0x0000000000000000-mapping.dmp

Download
memory/1936-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1936-78-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1936-84-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download