Analysis

  • max time kernel
    75s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 02:08

General

  • Target

    332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe

  • Size

    1.1MB

  • MD5

    78daff0be38c4b6167fc039095fbfe2f

  • SHA1

    8a01f87a55b6d6aeb891f28d55e4c51873e58f73

  • SHA256

    332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb

  • SHA512

    2206ce045a59d6758bac3a441b8d3f67a3516f2d7dcd81c6670734b5553a03467f019907f09fe6137697e797d60639cea434dd7842eb7c73fafe0e95e353a020

Malware Config

Signatures

  • BlackNET

    BlackNET is an open source remote access tool written in VB.NET.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe
    "C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2028

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

    Filesize

    1.1MB

    MD5

    78daff0be38c4b6167fc039095fbfe2f

    SHA1

    8a01f87a55b6d6aeb891f28d55e4c51873e58f73

    SHA256

    332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb

    SHA512

    2206ce045a59d6758bac3a441b8d3f67a3516f2d7dcd81c6670734b5553a03467f019907f09fe6137697e797d60639cea434dd7842eb7c73fafe0e95e353a020

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    17KB

    MD5

    89dd6e72358a669b7d6e2348307a7af7

    SHA1

    0db348f3c6114a45d71f4d218e0e088b71c7bb0a

    SHA256

    ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e

    SHA512

    93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b

  • memory/828-130-0x0000000074220000-0x00000000747D1000-memory.dmp

    Filesize

    5.7MB

  • memory/828-131-0x0000000004EE7000-0x0000000004EE9000-memory.dmp

    Filesize

    8KB

  • memory/2028-132-0x0000000000000000-mapping.dmp

  • memory/2028-135-0x0000000074220000-0x00000000747D1000-memory.dmp

    Filesize

    5.7MB

  • memory/2028-136-0x00000000049A7000-0x00000000049A9000-memory.dmp

    Filesize

    8KB