Analysis Overview
SHA256
332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb
Threat Level: Known bad
The file 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb was found to be: Known bad.
Malicious Activity Summary
BlackNET
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-15 02:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-15 02:08
Reported
2022-04-15 02:13
Platform
win7-20220414-en
Max time kernel
146s
Max time network
44s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe
"C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe"
Network
Files
memory/1532-54-0x0000000076241000-0x0000000076243000-memory.dmp
memory/1532-55-0x00000000745C0000-0x0000000074B6B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-15 02:08
Reported
2022-04-15 02:13
Platform
win10v2004-20220414-en
Max time kernel
75s
Max time network
154s
Command Line
Signatures
BlackNET
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe" | C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 828 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe |
| PID 828 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe |
| PID 828 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe | C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe
"C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe"
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | windows-install-update.duckdns.org | udp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| US | 52.109.12.20:443 | tcp | |
| IE | 20.50.73.9:443 | tcp | |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| BE | 8.238.110.126:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| BE | 8.238.110.126:80 | tcp | |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
| RU | 95.181.172.241:443 | windows-install-update.duckdns.org | tcp |
Files
memory/828-130-0x0000000074220000-0x00000000747D1000-memory.dmp
memory/828-131-0x0000000004EE7000-0x0000000004EE9000-memory.dmp
memory/2028-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
| MD5 | 78daff0be38c4b6167fc039095fbfe2f |
| SHA1 | 8a01f87a55b6d6aeb891f28d55e4c51873e58f73 |
| SHA256 | 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb |
| SHA512 | 2206ce045a59d6758bac3a441b8d3f67a3516f2d7dcd81c6670734b5553a03467f019907f09fe6137697e797d60639cea434dd7842eb7c73fafe0e95e353a020 |
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
| MD5 | 78daff0be38c4b6167fc039095fbfe2f |
| SHA1 | 8a01f87a55b6d6aeb891f28d55e4c51873e58f73 |
| SHA256 | 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb |
| SHA512 | 2206ce045a59d6758bac3a441b8d3f67a3516f2d7dcd81c6670734b5553a03467f019907f09fe6137697e797d60639cea434dd7842eb7c73fafe0e95e353a020 |
memory/2028-135-0x0000000074220000-0x00000000747D1000-memory.dmp
memory/2028-136-0x00000000049A7000-0x00000000049A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 89dd6e72358a669b7d6e2348307a7af7 |
| SHA1 | 0db348f3c6114a45d71f4d218e0e088b71c7bb0a |
| SHA256 | ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e |
| SHA512 | 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b |