Analysis

  • max time kernel
    78s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 02:08

General

  • Target

    a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe

  • Size

    1.1MB

  • MD5

    9fd83afa4f050599f081eaa6b36b380c

  • SHA1

    f062d2cbeaf4395d2335665ad57477c4949b3260

  • SHA256

    a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e

  • SHA512

    62a3f682fcf14eee14537552977f5906f50dd3e29598feaf8c90b285abc7484e432a843e5cf5621d72322e7de35a812b2421e50de2ff1f93dbb66a3daa0b7420

Malware Config

Signatures

  • BlackNET

    BlackNET is an open source remote access tool written in VB.NET.

  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (40 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe
    "C:\Users\Admin\AppData\Local\Temp\a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe"
    PID: 4968
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe (child of PID 4968)
      "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
      PID: 1124
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

    Filesize

    1.1MB

    MD5

    9fd83afa4f050599f081eaa6b36b380c

    SHA1

    f062d2cbeaf4395d2335665ad57477c4949b3260

    SHA256

    a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e

    SHA512

    62a3f682fcf14eee14537552977f5906f50dd3e29598feaf8c90b285abc7484e432a843e5cf5621d72322e7de35a812b2421e50de2ff1f93dbb66a3daa0b7420

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    17KB

    MD5

    89dd6e72358a669b7d6e2348307a7af7

    SHA1

    0db348f3c6114a45d71f4d218e0e088b71c7bb0a

    SHA256

    ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e

    SHA512

    93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b

  • memory/1124-132-0x0000000000000000-mapping.dmp

  • memory/1124-135-0x0000000073F00000-0x00000000744B1000-memory.dmp

    Filesize

    5.7MB

  • memory/1124-136-0x0000000004097000-0x0000000004099000-memory.dmp

    Filesize

    8KB

  • memory/4968-130-0x0000000073F00000-0x00000000744B1000-memory.dmp

    Filesize

    5.7MB

  • memory/4968-131-0x0000000003757000-0x0000000003759000-memory.dmp

    Filesize

    8KB