Malware Analysis Report

2024-11-30 23:19

Sample ID 220412-brw12sgbf3
Target 2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe
SHA256 2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19
Tags
cn32mx blacknet trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19

Threat Level: Known bad

The file 2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe was found to be: Known bad.

Malicious Activity Summary

cn32mx blacknet trojan persistence

BlackNET Payload

Blacknet family

Contains code to disable Windows Defender

BlackNET

Adds Run key to start application

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-12 01:23

Signatures

BlackNET Payload

Description Indicator Process Target
N/A N/A N/A N/A

Blacknet family

blacknet

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-12 01:23

Reported

2022-04-12 01:40

Platform

win7-20220331-en

Max time kernel

139s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Description Indicator Process Target
N/A N/A N/A N/A

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe

"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 theblogreader-blog.wtf udp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp
US 8.8.8.8:53 theblogreader-blog.wtf udp

Files

memory/1660-54-0x00000000002B0000-0x00000000002D2000-memory.dmp

memory/1660-55-0x000000001ADC0000-0x000000001ADC2000-memory.dmp

memory/1660-56-0x000000001ADC9000-0x000000001ADE8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-12 01:23

Reported

2022-04-12 01:41

Platform

win10v2004-20220331-en

Max time kernel

56s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Description Indicator Process Target
N/A N/A N/A N/A

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe" C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe

"C:\Users\Admin\AppData\Local\Temp\2f5618011959e0ea6248675fe90c7ff13966cfccb5d0d84d46163d0b4814ca19.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 theblogreader-blog.wtf udp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp
US 20.189.173.9:443 tcp
NL 20.190.160.74:443 tcp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp
FI 62.115.252.112:80 tcp
FI 62.115.252.112:80 tcp
FI 62.115.252.112:80 tcp
CA 172.105.27.61:80 theblogreader-blog.wtf tcp
US 93.184.221.240:36320 ctldl.windowsupdate.com tcp
US 93.184.221.240:2837 ctldl.windowsupdate.com tcp
US 93.184.221.240:12535 ctldl.windowsupdate.com tcp
US 93.184.221.240:31363 ctldl.windowsupdate.com tcp
US 93.184.221.240:57096 ctldl.windowsupdate.com tcp
US 93.184.221.240:23437 ctldl.windowsupdate.com tcp
US 93.184.221.240:323 ctldl.windowsupdate.com tcp
US 93.184.221.240:28224 ctldl.windowsupdate.com tcp
US 93.184.221.240:6334 ctldl.windowsupdate.com tcp
US 93.184.221.240:2226 ctldl.windowsupdate.com tcp
US 93.184.221.240:17802 ctldl.windowsupdate.com tcp
US 93.184.221.240:33551 ctldl.windowsupdate.com tcp
US 93.184.221.240:25996 ctldl.windowsupdate.com tcp
US 93.184.221.240:44103 ctldl.windowsupdate.com tcp
US 93.184.221.240:9815 ctldl.windowsupdate.com tcp
US 93.184.221.240:52700 ctldl.windowsupdate.com tcp
US 93.184.221.240:45774 ctldl.windowsupdate.com tcp
US 93.184.221.240:173 ctldl.windowsupdate.com tcp
US 93.184.221.240:5365 ctldl.windowsupdate.com tcp
US 93.184.221.240:60627 ctldl.windowsupdate.com tcp
US 93.184.221.240:22647 ctldl.windowsupdate.com tcp
US 93.184.221.240:38793 ctldl.windowsupdate.com tcp
US 93.184.221.240:11095 ctldl.windowsupdate.com tcp
US 93.184.221.240:40424 ctldl.windowsupdate.com tcp
US 93.184.221.240:13871 ctldl.windowsupdate.com tcp
US 93.184.221.240:60077 ctldl.windowsupdate.com tcp
US 93.184.221.240:3109 ctldl.windowsupdate.com tcp
US 93.184.221.240:56146 ctldl.windowsupdate.com tcp
US 93.184.221.240:50428 ctldl.windowsupdate.com tcp
US 93.184.221.240:62267 ctldl.windowsupdate.com tcp
US 93.184.221.240:16254 ctldl.windowsupdate.com tcp
US 93.184.221.240:64792 ctldl.windowsupdate.com tcp
US 93.184.221.240:12283 ctldl.windowsupdate.com tcp
US 93.184.221.240:40630 ctldl.windowsupdate.com tcp
US 93.184.221.240:43194 ctldl.windowsupdate.com tcp
US 93.184.221.240:24876 ctldl.windowsupdate.com tcp
US 93.184.221.240:7015 ctldl.windowsupdate.com tcp
US 93.184.221.240:43690 ctldl.windowsupdate.com tcp
US 93.184.221.240:55082 ctldl.windowsupdate.com tcp
US 93.184.221.240:9906 ctldl.windowsupdate.com tcp
US 93.184.221.240:11263 ctldl.windowsupdate.com tcp
US 93.184.221.240:56711 ctldl.windowsupdate.com tcp
US 93.184.221.240:6998 ctldl.windowsupdate.com tcp
US 93.184.221.240:10936 ctldl.windowsupdate.com tcp
US 93.184.221.240:3361 ctldl.windowsupdate.com tcp
US 93.184.221.240:47741 ctldl.windowsupdate.com tcp
US 93.184.221.240:10533 ctldl.windowsupdate.com tcp
US 93.184.221.240:47199 ctldl.windowsupdate.com tcp
US 93.184.221.240:7926 ctldl.windowsupdate.com tcp
US 93.184.221.240:45293 ctldl.windowsupdate.com tcp
US 93.184.221.240:37801 ctldl.windowsupdate.com tcp
US 93.184.221.240:31952 ctldl.windowsupdate.com tcp
US 93.184.221.240:29234 ctldl.windowsupdate.com tcp
US 93.184.221.240:5072 ctldl.windowsupdate.com tcp
US 93.184.221.240:59924 ctldl.windowsupdate.com tcp
US 93.184.221.240:59603 ctldl.windowsupdate.com tcp
US 93.184.221.240:28141 ctldl.windowsupdate.com tcp
US 93.184.221.240:1838 ctldl.windowsupdate.com tcp
US 93.184.221.240:48191 ctldl.windowsupdate.com tcp
US 93.184.221.240:15689 ctldl.windowsupdate.com tcp
US 93.184.221.240:57982 ctldl.windowsupdate.com tcp
US 93.184.221.240:43780 ctldl.windowsupdate.com tcp
US 93.184.221.240:38131 ctldl.windowsupdate.com tcp
US 93.184.221.240:39221 ctldl.windowsupdate.com tcp
US 93.184.221.240:53284 ctldl.windowsupdate.com tcp
US 93.184.221.240:34235 ctldl.windowsupdate.com tcp
US 93.184.221.240:19850 ctldl.windowsupdate.com tcp
US 93.184.221.240:30354 ctldl.windowsupdate.com tcp
US 93.184.221.240:10180 ctldl.windowsupdate.com tcp
US 93.184.221.240:26475 ctldl.windowsupdate.com tcp
US 93.184.221.240:18690 ctldl.windowsupdate.com tcp
US 93.184.221.240:57067 ctldl.windowsupdate.com tcp

Files

memory/1840-124-0x0000000000AE0000-0x0000000000B02000-memory.dmp

memory/1840-126-0x000000001C540000-0x000000001C542000-memory.dmp

memory/1840-125-0x00007FFCC8120000-0x00007FFCC8BE1000-memory.dmp

memory/1840-127-0x000000001C545000-0x000000001C547000-memory.dmp