Malware Analysis Report

2024-11-30 23:19

Sample ID 220410-x1wbrscabq
Target 2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe
SHA256 2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19
Tags
cn32mx blacknet suricata trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19

Threat Level: Known bad

The file 2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe was found to be: Known bad.

Malicious Activity Summary

cn32mx blacknet suricata trojan persistence

Contains code to disable Windows Defender

suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

Blacknet family

BlackNET

BlackNET Payload

Adds Run key to start application

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-10 19:19

Signatures

BlackNET Payload

Description Indicator Process Target
N/A N/A N/A N/A

Blacknet family

blacknet

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-10 19:19

Reported

2022-04-10 19:35

Platform

win7-20220331-en

Max time kernel

106s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Description Indicator Process Target
N/A N/A N/A N/A

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

suricata

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe

"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 theblogreader-blog.wtf udp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp

Files

memory/336-54-0x00000000012B0000-0x00000000012D2000-memory.dmp

memory/336-55-0x0000000000590000-0x0000000000592000-memory.dmp

memory/336-56-0x0000000000599000-0x00000000005B8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-10 19:19

Reported

2022-04-10 19:35

Platform

win10v2004-20220331-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Description Indicator Process Target
N/A N/A N/A N/A

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

suricata

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe" C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe

"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"

Network

Country Destination Domain Proto
IE 20.190.159.74:443 tcp
IE 20.190.159.74:443 tcp
IE 52.109.76.32:443 tcp
IE 20.190.159.74:443 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 theblogreader-blog.wtf udp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp
US 93.184.221.240:80 tcp
IE 20.50.80.210:443 tcp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp
US 93.184.221.240:80 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 93.184.221.240:36320 ctldl.windowsupdate.com tcp
US 93.184.221.240:2837 ctldl.windowsupdate.com tcp
US 93.184.221.240:12535 ctldl.windowsupdate.com tcp
US 93.184.221.240:31363 ctldl.windowsupdate.com tcp
US 93.184.221.240:57096 ctldl.windowsupdate.com tcp
US 93.184.221.240:23437 ctldl.windowsupdate.com tcp
US 93.184.221.240:323 ctldl.windowsupdate.com tcp
US 93.184.221.240:28224 ctldl.windowsupdate.com tcp
US 93.184.221.240:6334 ctldl.windowsupdate.com tcp
US 93.184.221.240:2226 ctldl.windowsupdate.com tcp
US 93.184.221.240:17802 ctldl.windowsupdate.com tcp
US 93.184.221.240:56711 ctldl.windowsupdate.com tcp
US 93.184.221.240:6998 ctldl.windowsupdate.com tcp
US 93.184.221.240:17451 ctldl.windowsupdate.com tcp
US 93.184.221.240:8557 ctldl.windowsupdate.com tcp
US 93.184.221.240:17555 ctldl.windowsupdate.com tcp
US 93.184.221.240:55795 ctldl.windowsupdate.com tcp
US 93.184.221.240:16999 ctldl.windowsupdate.com tcp
US 93.184.221.240:59074 ctldl.windowsupdate.com tcp
US 93.184.221.240:4801 ctldl.windowsupdate.com tcp
US 93.184.221.240:5277 ctldl.windowsupdate.com tcp
US 93.184.221.240:53432 ctldl.windowsupdate.com tcp
US 93.184.221.240:9810 ctldl.windowsupdate.com tcp
US 93.184.221.240:58483 ctldl.windowsupdate.com tcp
US 93.184.221.240:62970 ctldl.windowsupdate.com tcp
US 93.184.221.240:52021 ctldl.windowsupdate.com tcp
US 93.184.221.240:61018 ctldl.windowsupdate.com tcp
US 93.184.221.240:27515 ctldl.windowsupdate.com tcp
US 93.184.221.240:46858 ctldl.windowsupdate.com tcp
US 93.184.221.240:58259 ctldl.windowsupdate.com tcp
US 93.184.221.240:60850 ctldl.windowsupdate.com tcp
US 93.184.221.240:58593 ctldl.windowsupdate.com tcp
US 93.184.221.240:20485 ctldl.windowsupdate.com tcp
US 93.184.221.240:27486 ctldl.windowsupdate.com tcp
US 93.184.221.240:21464 ctldl.windowsupdate.com tcp
US 93.184.221.240:55299 ctldl.windowsupdate.com tcp
US 93.184.221.240:52122 ctldl.windowsupdate.com tcp
US 93.184.221.240:31104 ctldl.windowsupdate.com tcp
US 93.184.221.240:6128 ctldl.windowsupdate.com tcp
US 93.184.221.240:5927 ctldl.windowsupdate.com tcp
US 93.184.221.240:55262 ctldl.windowsupdate.com tcp
US 93.184.221.240:10936 ctldl.windowsupdate.com tcp
US 93.184.221.240:3361 ctldl.windowsupdate.com tcp
US 93.184.221.240:47741 ctldl.windowsupdate.com tcp
US 93.184.221.240:10533 ctldl.windowsupdate.com tcp
US 93.184.221.240:47199 ctldl.windowsupdate.com tcp
US 93.184.221.240:7926 ctldl.windowsupdate.com tcp
US 93.184.221.240:45293 ctldl.windowsupdate.com tcp
US 93.184.221.240:37801 ctldl.windowsupdate.com tcp
US 93.184.221.240:31952 ctldl.windowsupdate.com tcp
US 93.184.221.240:29234 ctldl.windowsupdate.com tcp
US 93.184.221.240:5072 ctldl.windowsupdate.com tcp
US 93.184.221.240:59924 ctldl.windowsupdate.com tcp
US 93.184.221.240:59603 ctldl.windowsupdate.com tcp
US 93.184.221.240:28141 ctldl.windowsupdate.com tcp
US 93.184.221.240:1838 ctldl.windowsupdate.com tcp
US 93.184.221.240:48959 ctldl.windowsupdate.com tcp
US 93.184.221.240:40908 ctldl.windowsupdate.com tcp
US 93.184.221.240:48622 ctldl.windowsupdate.com tcp
US 93.184.221.240:44894 ctldl.windowsupdate.com tcp
US 93.184.221.240:41837 ctldl.windowsupdate.com tcp
US 93.184.221.240:59480 ctldl.windowsupdate.com tcp
US 93.184.221.240:30314 ctldl.windowsupdate.com tcp
US 93.184.221.240:4763 ctldl.windowsupdate.com tcp
US 93.184.221.240:12124 ctldl.windowsupdate.com tcp
US 93.184.221.240:22442 ctldl.windowsupdate.com tcp
US 93.184.221.240:42800 ctldl.windowsupdate.com tcp
US 93.184.221.240:21138 ctldl.windowsupdate.com tcp
US 93.184.221.240:18692 ctldl.windowsupdate.com tcp
US 93.184.221.240:61897 ctldl.windowsupdate.com tcp
US 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 theblogreader-blog.wtf udp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp

Files

memory/2544-124-0x0000000000CB0000-0x0000000000CD2000-memory.dmp

memory/2544-125-0x00007FFEBED40000-0x00007FFEBF801000-memory.dmp

memory/2544-126-0x00000000014D0000-0x00000000014D2000-memory.dmp

memory/2544-127-0x00000000014D5000-0x00000000014D7000-memory.dmp