Analysis Overview
SHA256
2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19
Threat Level: Known bad
The file 2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe was found to be: Known bad.
Malicious Activity Summary
BlackNET Payload
Blacknet family
Contains code to disable Windows Defender
BlackNET
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-12 01:23
Signatures
BlackNET Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blacknet family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-12 01:23
Reported
2022-04-12 01:40
Platform
win7-20220331-en
Max time kernel
139s
Max time network
183s
Command Line
Signatures
BlackNET
BlackNET Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe
"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | theblogreader-blog.wtf | udp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
| US | 8.8.8.8:53 | theblogreader-blog.wtf | udp |
Files
memory/1660-54-0x00000000002B0000-0x00000000002D2000-memory.dmp
memory/1660-55-0x000000001ADC0000-0x000000001ADC2000-memory.dmp
memory/1660-56-0x000000001ADC9000-0x000000001ADE8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-12 01:23
Reported
2022-04-12 01:41
Platform
win10v2004-20220331-en
Max time kernel
56s
Max time network
149s
Command Line
Signatures
BlackNET
BlackNET Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe" | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe
"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | theblogreader-blog.wtf | udp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
| US | 20.189.173.9:443 | N/A | tcp |
| NL | 20.190.160.74:443 | N/A | tcp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
| FI | 62.115.252.112:80 | N/A | tcp |
| FI | 62.115.252.112:80 | N/A | tcp |
| FI | 62.115.252.112:80 | N/A | tcp |
| CA | 172.105.27.61:80 | theblogreader-blog.wtf | tcp |
Files
memory/1840-124-0x0000000000AE0000-0x0000000000B02000-memory.dmp
memory/1840-126-0x000000001C540000-0x000000001C542000-memory.dmp
memory/1840-125-0x00007FFCC8120000-0x00007FFCC8BE1000-memory.dmp
memory/1840-127-0x000000001C545000-0x000000001C547000-memory.dmp