Analysis Overview
SHA256
2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19
Threat Level: Known bad
The file 2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
Blacknet family
BlackNET
BlackNET Payload
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-10 19:19
Signatures
BlackNET Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blacknet family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-10 19:19
Reported
2022-04-10 19:35
Platform
win7-20220331-en
Max time kernel
106s
Max time network
109s
Command Line
Signatures
BlackNET
BlackNET Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe
"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | theblogreader-blog.wtf | udp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
Files
memory/336-54-0x00000000012B0000-0x00000000012D2000-memory.dmp
memory/336-55-0x0000000000590000-0x0000000000592000-memory.dmp
memory/336-56-0x0000000000599000-0x00000000005B8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-10 19:19
Reported
2022-04-10 19:35
Platform
win10v2004-20220331-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
BlackNET
BlackNET Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe" | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe
"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| IE | 20.190.159.74:443 | | tcp |
| IE | 20.190.159.74:443 | | tcp |
| IE | 52.109.76.32:443 | | tcp |
| IE | 20.190.159.74:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | theblogreader-blog.wtf | udp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
| US | 93.184.221.240:80 | | tcp |
| IE | 20.50.80.210:443 | | tcp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 93.184.221.240:36320 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:2837 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:12535 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:31363 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:57096 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:23437 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:323 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:28224 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:6334 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:2226 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:17802 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:56711 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:6998 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:17451 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:8557 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:17555 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:55795 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:16999 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:59074 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:4801 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:5277 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:53432 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:9810 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:58483 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:62970 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:52021 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:61018 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:27515 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:46858 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:58259 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:60850 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:58593 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:20485 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:27486 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:21464 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:55299 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:52122 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:31104 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:6128 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:5927 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:55262 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:10936 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:3361 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:47741 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:10533 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:47199 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:7926 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:45293 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:37801 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:31952 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:29234 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:5072 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:59924 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:59603 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:28141 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:1838 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:48959 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:40908 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:48622 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:44894 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:41837 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:59480 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:30314 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:4763 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:12124 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:22442 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:42800 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:21138 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:18692 | ctldl.windowsupdate.com | tcp |
| US | 93.184.221.240:61897 | ctldl.windowsupdate.com | tcp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | theblogreader-blog.wtf | udp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
Files
memory/2544-124-0x0000000000CB0000-0x0000000000CD2000-memory.dmp
memory/2544-125-0x00007FFEBED40000-0x00007FFEBF801000-memory.dmp
memory/2544-126-0x00000000014D0000-0x00000000014D2000-memory.dmp
memory/2544-127-0x00000000014D5000-0x00000000014D7000-memory.dmp