Analysis

  • max time kernel
    113s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-05-2022 13:50

General

  • Target

    00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe

  • Size

    235KB

  • MD5

    2b68b4ac5925dc134631ff4555c5aea5

  • SHA1

    ed0112fa289ed48c5b541eec39fd1554ae08ab9f

  • SHA256

    00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39

  • SHA512

    77ce92481066a3a6efd68055b5551562d8997900d65f9b888cd6d3a485aac459b46c0aab2407828e73c28bdcec9bfd2d2ad0933109d9584ed1ee06fb02601803

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

    suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
    "C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2504
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 5 -w 5000
        3⤵
        • Runs ping.exe
        PID:1112
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4524 -s 3656
      2⤵
      • Program crash
      PID:404
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 452 -p 4524 -ip 4524
    1⤵
      PID:2584

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1112-136-0x0000000000000000-mapping.dmp

    • memory/2504-132-0x0000000000000000-mapping.dmp

    • memory/2504-133-0x000002A0F64C0000-0x000002A0F64E2000-memory.dmp

      Filesize

      136KB

    • memory/2504-134-0x00007FF963760000-0x00007FF964221000-memory.dmp

      Filesize

      10.8MB

    • memory/4524-130-0x0000000000ED0000-0x0000000000F0E000-memory.dmp

      Filesize

      248KB

    • memory/4524-131-0x00007FF963760000-0x00007FF964221000-memory.dmp

      Filesize

      10.8MB

    • memory/4588-135-0x0000000000000000-mapping.dmp