Analysis

  • max time kernel
    49s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 02:08

General

  • Target

    b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe

  • Size

    1.1MB

  • MD5

    a85d38af1a94e238abddb11e66d6f673

  • SHA1

    36c3966ca74f3c4a4f3988717fb701570c70486f

  • SHA256

    b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd

  • SHA512

    6856f1827210ce9ecdb4dd2c503ed5a9cf0774e69a93826fa0e5c0f774186d83161dbe25bbf93397f8fdaf4af0f1699daeaf857cd2c28e717858e0e518ce5092

Malware Config

Signatures

  • BlackNET

    BlackNET is an open-source remote access tool (RAT) written in VB.NET.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain countries).

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note is "likely ransomware behaviour"; for a RAT such as BlackNET, enumerating drives is at least as consistent with removable-drive spreading as with file encryption, and no encryption-related signature appears elsewhere in this report.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe
    "C:\Users\Admin\AppData\Local\Temp\b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3036
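
The process tree above shows the pattern a detection engineer would want to hunt for: the sample launches a copy of itself from a user-writable Temp path under a filename that looks like a Windows component (WindowsUpdate.exe, and the dropped svchost.exe in Temp), and registers a Run key for persistence. The script below is an added example, not part of the sandbox report. It runs three checks over a handful of constructed, simplified Sysmon-style events (EventID 1 = process create, 13 = registry value set); the field names, the SID and the Run value name "WindowsUpdate" are assumptions, not something the report states.

```python
"""Hunt for masquerading + Run-key persistence out of a user Temp directory.

Added example (not from the sandbox report). Event shape is a simplified
Sysmon-like dict; the events themselves are constructed to mirror the
process tree and signatures on this page.
"""
import ntpath
import re

# Filenames that look like Windows components. The first two are the names this
# sample uses (taken from the report's paths); the rest are common additions.
SYSTEM_LOOKALIKES = {"windowsupdate.exe", "svchost.exe", "csrss.exe",
                     "lsass.exe", "winlogon.exe", "dllhost.exe"}

# Where a genuine system binary carrying one of those names would be loaded from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\(run|runonce)\\", re.I)


def masquerading(image: str) -> bool:
    """True when a system-looking filename runs from outside a trusted directory."""
    path = image.lower()
    return ntpath.basename(path) in SYSTEM_LOOKALIKES and not path.startswith(TRUSTED_DIRS)


def first_path(details: str) -> str:
    """Pull the executable path out of a Run value's data, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', details)
    return (m.group(1) or m.group(2)) if m else details


def analyse(events):
    """Return (rule, pid, path) tuples for every event that trips a rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            img = ev["Image"]
            if masquerading(img):
                findings.append(("masquerade", ev["ProcessId"], img))
            # A Temp-resident binary launching another Temp-resident binary.
            if USER_TEMP.match(img) and USER_TEMP.match(ev.get("ParentImage", "")):
                findings.append(("temp-spawns-temp", ev["ProcessId"], img))
        elif ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            target = first_path(ev["Details"])
            if USER_TEMP.match(target) or masquerading(target):
                findings.append(("run-key-to-temp", ev["ProcessId"], target))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"

# Constructed events. The SID and the Run value name are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 1620, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 1620,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": f'"{DROPPED}"'},
    {"EventID": 1, "ProcessId": 3036, "Image": DROPPED, "ParentImage": SAMPLE},
    # Benign controls: the real service host, and an ordinary Run entry.
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 13, "ProcessId": 4000,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, pid, path in analyse(EVENTS):
        print(f"{rule:18} pid={pid:<5} {path}")
```

Only the three malicious events fire (the Run key written by PID 1620, and the masquerade and Temp-to-Temp launch for PID 3036); the genuine svchost.exe and the OneDrive Run entry stay quiet. The trusted-directory list is deliberately narrow: C:\Windows\Temp is user-writable, so a prefix of C:\Windows\ alone would let a planted svchost.exe through.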

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

    Filesize

    1.1MB

    MD5

    a85d38af1a94e238abddb11e66d6f673

    SHA1

    36c3966ca74f3c4a4f3988717fb701570c70486f

    SHA256

    b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd

    SHA512

    6856f1827210ce9ecdb4dd2c503ed5a9cf0774e69a93826fa0e5c0f774186d83161dbe25bbf93397f8fdaf4af0f1699daeaf857cd2c28e717858e0e518ce5092

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    17KB

    MD5

    89dd6e72358a669b7d6e2348307a7af7

    SHA1

    0db348f3c6114a45d71f4d218e0e088b71c7bb0a

    SHA256

    ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e

    SHA512

    93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b

  • memory/1620-130-0x00000000740D0000-0x0000000074681000-memory.dmp

    Filesize

    5.7MB

  • memory/1620-131-0x0000000003DC7000-0x0000000003DC9000-memory.dmp

    Filesize

    8KB

  • memory/3036-132-0x0000000000000000-mapping.dmp

  • memory/3036-135-0x00000000740D0000-0x0000000074681000-memory.dmp

    Filesize

    5.7MB

  • memory/3036-136-0x00000000037E7000-0x00000000037E9000-memory.dmp

    Filesize

    8KB
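
Note that the dropped WindowsUpdate.exe carries exactly the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so it is a byte-identical self-copy rather than a second-stage payload, while the 17KB svchost.exe in Temp is a distinct file. The script below is an added example, not part of the sandbox report: it parses the report's own plain-text Downloads layout into entries, labels each dropped file by comparing its SHA-256 with the submitted sample, deduplicates the hashes for a blocklist, and computes the same four digests for a file you hold. The excerpt it parses is constructed from three of the entries above.

```python
"""Turn a sandbox report's Downloads section into file indicators.

Added example (not from the sandbox report). REPORT_EXCERPT is a constructed
reproduction of three entries above, in the report's own layout.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_SHA256 = "b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd"

REPORT_EXCERPT = """
  • C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe

    Filesize

    1.1MB

    MD5

    a85d38af1a94e238abddb11e66d6f673

    SHA256

    b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd

  • C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe

    Filesize

    17KB

    MD5

    89dd6e72358a669b7d6e2348307a7af7

    SHA256

    ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e

  • memory/1620-130-0x00000000740D0000-0x0000000074681000-memory.dmp

    Filesize

    5.7MB
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class Entry:
    path: str
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_downloads(text: str) -> List[Entry]:
    """Split on the bullet marker; each entry is a path followed by label/value pairs."""
    entries = []
    for chunk in text.split("•")[1:]:
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        entry = Entry(path=lines[0])
        for label, value in zip(lines[1::2], lines[2::2]):
            if label == "Filesize":
                entry.size = value
            elif label in HASH_LENGTHS:
                value = value.lower()
                if len(value) != HASH_LENGTHS[label] or any(c not in "0123456789abcdef" for c in value):
                    raise ValueError(f"{entry.path}: malformed {label} {value!r}")
                entry.hashes[label.lower()] = value
        entries.append(entry)
    return entries


def classify(entries: List[Entry], sample_sha256: str) -> Dict[str, str]:
    """self-copy: hashes identical to the submitted sample (it relaunches itself from
    a new path); distinct: any other hashed file; memory-dump: a dumped region."""
    labels = {}
    for e in entries:
        sha = e.hashes.get("sha256")
        if sha is None:
            labels[e.path] = "memory-dump" if e.path.startswith("memory/") else "unhashed"
        elif sha == sample_sha256:
            labels[e.path] = "self-copy"
        else:
            labels[e.path] = "distinct"
    return labels


def unique_hashes(entries: List[Entry], algo: str = "sha256") -> List[str]:
    """Deduplicated hash list for a blocklist or retro-hunt (the self-copy collapses)."""
    return sorted({e.hashes[algo] for e in entries if algo in e.hashes})


def digests_of(data: bytes) -> Dict[str, str]:
    """The four digests the report lists, for checking a file you actually hold."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


if __name__ == "__main__":
    parsed = parse_downloads(REPORT_EXCERPT)
    for path, label in classify(parsed, SAMPLE_SHA256).items():
        print(f"{label:12} {path}")
    print("SHA-256 blocklist:", unique_hashes(parsed))
```

The self-copy label matters operationally: blocking the one SHA-256 covers both the original sample and its persisted copy, whereas the svchost.exe dropper needs its own hash, and an on-disk copy of either can be confirmed by feeding its bytes to digests_of and comparing against the report.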