Analysis Overview
SHA256
b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09
Threat Level: Known bad
The file b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe was found to be: Known bad.
Malicious Activity Summary
BlackNET Payload
Blacknet family
Contains code to disable Windows Defender
BlackNET
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-29 07:38
Signatures
BlackNET Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blacknet family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-29 07:38
Reported
2022-04-29 07:49
Platform
win7-20220414-en
Max time kernel
70s
Max time network
155s
Command Line
Signatures
BlackNET
BlackNET Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe" | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
"C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | finalb.xyz | udp |
Files
memory/1464-54-0x000007FEF28E0000-0x000007FEF3976000-memory.dmp
memory/1464-55-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp
memory/1464-56-0x0000000001FD6000-0x0000000001FF5000-memory.dmp
memory/1464-57-0x000000000201D000-0x0000000002021000-memory.dmp
memory/1464-58-0x000000001E779000-0x000000001E77C000-memory.dmp
memory/1464-59-0x0000000002021000-0x0000000002025000-memory.dmp
memory/1464-60-0x000000001E77A000-0x000000001E77D000-memory.dmp
memory/1464-62-0x0000000002029000-0x000000000202D000-memory.dmp
memory/1464-61-0x0000000002025000-0x0000000002029000-memory.dmp
memory/1464-63-0x000000000202D000-0x0000000002031000-memory.dmp
memory/1464-64-0x0000000002031000-0x0000000002035000-memory.dmp
memory/1464-65-0x0000000002039000-0x000000000203D000-memory.dmp
memory/1464-66-0x000000000203D000-0x0000000002045000-memory.dmp
memory/1464-67-0x0000000002045000-0x0000000002050000-memory.dmp
memory/1464-68-0x0000000002011000-0x0000000002018000-memory.dmp
memory/1464-69-0x000000001E77D000-0x000000001E780000-memory.dmp
memory/1464-70-0x000000001E760000-0x000000001E769000-memory.dmp
memory/1464-71-0x000000001E769000-0x000000001E771000-memory.dmp
memory/1464-72-0x000000001E771000-0x000000001E779000-memory.dmp
memory/1464-73-0x000000001E779000-0x000000001E781000-memory.dmp
memory/1464-74-0x0000000002009000-0x000000000200F000-memory.dmp
memory/1464-75-0x0000000002013000-0x0000000002018000-memory.dmp
memory/1464-76-0x0000000002031000-0x0000000002038000-memory.dmp
memory/1464-77-0x0000000002015000-0x0000000002018000-memory.dmp
memory/1464-78-0x0000000002031000-0x0000000002038000-memory.dmp
memory/1464-79-0x0000000002031000-0x0000000002035000-memory.dmp
memory/1464-80-0x0000000002032000-0x0000000002035000-memory.dmp
memory/1464-81-0x000000001E779000-0x000000001E780000-memory.dmp
memory/1464-82-0x0000000002011000-0x0000000002014000-memory.dmp
memory/1464-83-0x000000001E77A000-0x000000001E780000-memory.dmp
memory/1464-84-0x000000001E761000-0x000000001E768000-memory.dmp
memory/1464-85-0x000000000201D000-0x0000000002020000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
| MD5 | c4f79edc4498c5570495bb36fc942134 |
| SHA1 | 00046b588252502480e8e708a22d25ae1d9b05fa |
| SHA256 | b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09 |
| SHA512 | 07bdeb39b35835a752886c2d308a68d263b36e8372d2bf320ede5b85252d14e284985d0889dfa9fcffec7ede7c3585a46cb0165b00be903755ffe63cacb21cef |
memory/664-86-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
| MD5 | c4f79edc4498c5570495bb36fc942134 |
| SHA1 | 00046b588252502480e8e708a22d25ae1d9b05fa |
| SHA256 | b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09 |
| SHA512 | 07bdeb39b35835a752886c2d308a68d263b36e8372d2bf320ede5b85252d14e284985d0889dfa9fcffec7ede7c3585a46cb0165b00be903755ffe63cacb21cef |
memory/664-89-0x000007FEF28E0000-0x000007FEF3976000-memory.dmp
memory/664-91-0x0000000001FB6000-0x0000000001FD5000-memory.dmp
memory/664-92-0x0000000001FDC000-0x0000000001FDF000-memory.dmp
memory/664-93-0x0000000001FE4000-0x0000000001FEB000-memory.dmp
memory/664-94-0x0000000001FEF000-0x0000000001FF4000-memory.dmp
memory/1076-95-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe
| MD5 | 89dd6e72358a669b7d6e2348307a7af7 |
| SHA1 | 0db348f3c6114a45d71f4d218e0e088b71c7bb0a |
| SHA256 | ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e |
| SHA512 | 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b |
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe
| MD5 | 89dd6e72358a669b7d6e2348307a7af7 |
| SHA1 | 0db348f3c6114a45d71f4d218e0e088b71c7bb0a |
| SHA256 | ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e |
| SHA512 | 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b |
memory/1076-98-0x000007FEF28E0000-0x000007FEF3976000-memory.dmp
memory/1076-99-0x00000000021B6000-0x00000000021D5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-29 07:38
Reported
2022-04-29 07:49
Platform
win10v2004-20220414-en
Max time kernel
47s
Max time network
161s
Command Line
Signatures
BlackNET
BlackNET Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe" | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
"C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe"
Network
| Country | Destination | Domain | Proto |
| FR | 2.18.109.224:443 | tcp | |
| US | 104.18.24.243:80 | tcp | |
| AU | 104.46.162.226:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
| US | 8.8.8.8:53 | finalb.xyz | udp |
Files
memory/1204-130-0x000000000197A000-0x000000000197F000-memory.dmp
memory/4488-131-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
| MD5 | c4f79edc4498c5570495bb36fc942134 |
| SHA1 | 00046b588252502480e8e708a22d25ae1d9b05fa |
| SHA256 | b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09 |
| SHA512 | 07bdeb39b35835a752886c2d308a68d263b36e8372d2bf320ede5b85252d14e284985d0889dfa9fcffec7ede7c3585a46cb0165b00be903755ffe63cacb21cef |
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
| MD5 | c4f79edc4498c5570495bb36fc942134 |
| SHA1 | 00046b588252502480e8e708a22d25ae1d9b05fa |
| SHA256 | b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09 |
| SHA512 | 07bdeb39b35835a752886c2d308a68d263b36e8372d2bf320ede5b85252d14e284985d0889dfa9fcffec7ede7c3585a46cb0165b00be903755ffe63cacb21cef |
memory/1204-134-0x00000000235C0000-0x00000000235C3000-memory.dmp
memory/4488-135-0x0000000000FAA000-0x0000000000FAF000-memory.dmp
memory/648-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe
| MD5 | 89dd6e72358a669b7d6e2348307a7af7 |
| SHA1 | 0db348f3c6114a45d71f4d218e0e088b71c7bb0a |
| SHA256 | ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e |
| SHA512 | 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b |
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchosts.exe
| MD5 | 89dd6e72358a669b7d6e2348307a7af7 |
| SHA1 | 0db348f3c6114a45d71f4d218e0e088b71c7bb0a |
| SHA256 | ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e |
| SHA512 | 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b |