Analysis
- max time kernel: 152s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:46

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
  - Resource: win7-20220414-en
- Behavioral task: behavioral2
  - Sample: 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
  - Resource: win10v2004-20220414-en

The results on this page are from the behavioral2 run (windows10-2004_x64, resource win10v2004-20220414-en). The behavioral1 Windows 7 run is listed but its results are not included here.
General
- Target: 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
- Size: 235KB
- MD5: 2b68b4ac5925dc134631ff4555c5aea5
- SHA1: ed0112fa289ed48c5b541eec39fd1554ae08ab9f
- SHA256: 00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39
- SHA512: 77ce92481066a3a6efd68055b5551562d8997900d65f9b888cd6d3a485aac459b46c0aab2407828e73c28bdcec9bfd2d2ad0933109d9584ed1ee06fb02601803
Malware Config
- none listed for this run
Signatures
- suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive (the report lists this alert twice)
  This is the only family attribution in the report and the only network evidence on this page: the sample's C2 keep-alive traffic matched the Emerging Threats BlackNET rule.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: the sample (PID 5040)
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  Note: this is a registry read. Sysmon's registry events (IDs 12 to 14) cover key and value creation, deletion, renaming and value writes, not reads, so this check shows up in an API trace or a sandbox log like this one but not in Sysmon telemetry.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: the sample (PID 5040)
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"
  Note: the HKCU Run value (a 32-hex-character value name) points at the sample's own path in %TEMP%, which the sample's cmd.exe child later deletes (see the process tree). Nothing in this report shows a copy being written elsewhere, so as recorded here the persistence entry would point at a missing file after a reboot. That does not mean the sample has no working persistence: the page carries no file-activity section.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's own description adds "likely ransomware behaviour", but that is the generic text attached to this heuristic: nothing else in the report supports ransomware here (no file encryption, no ransom note, and the network match is BlackNET).
- Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 2400), spawned by cmd.exe (PID 4936): ping 1.1.1.1 -n 5 -w 5000. Used as a delay before the Del in the same command line, not as a connectivity check.
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  The sample (PID 5040): 24 hits; powershell.exe (PID 2948): 2 hits.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, the sample (PID 5040)
  Token: SeDebugPrivilege, powershell.exe (PID 2948)
  Note: PowerShell routinely enables SeDebugPrivilege when it starts, so the powershell.exe row is expected. The sample doing the same is the interesting row, since SeDebugPrivilege is what lets a process open other processes for reading and writing regardless of their owner.
- Suspicious use of SetWindowsHookEx (3 IoCs)
  The sample (PID 5040), three calls. The report does not record the hook type (idHook), so a keyboard hook cannot be confirmed from this page alone.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 5040 (the sample) wrote to memory of 2948 powershell.exe (2 rows)
  PID 5040 (the sample) wrote to memory of 4936 cmd.exe (2 rows)
  PID 4936 cmd.exe wrote to memory of 2400 PING.EXE (2 rows)
  Note: every pair is a parent and its direct child from the process tree. A parent writes into a new child's address space as part of process creation, so these rows are consistent with ordinary spawning; the report contains no write into an unrelated process, which is what would point to injection.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe (PID 5040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2948)
    Command line: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Note: Get-MpPreference reads the Microsoft Defender configuration (exclusions, real-time protection, sample submission and similar settings). Only the read is recorded; no Set-MpPreference or Add-MpPreference call appears in this run, so the report shows reconnaissance of the AV configuration, not tampering with it.
  - [2] C:\Windows\System32\cmd.exe (PID 4936)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"
    - Suspicious use of WriteProcessMemory
    Note: this is the usual self-delete idiom. ping stands in for sleep (five echo requests to 1.1.1.1 with a 5 s reply timeout: a few seconds if the host answers, up to about 25 s if it does not), giving the parent time to exit and release its image file before Del removes it. The deleted path is the same one the Run value points at.
    - [3] C:\Windows\system32\PING.EXE (PID 2400)
      Command line: ping 1.1.1.1 -n 5 -w 5000
      - Runs ping.exe
- [1] C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 404 -p 5040 -ip 5040
  Note: WerFault.exe launched with -p 5040 is Windows Error Reporting handling a fault in the sample process (PID 5040), so the sample crashed or raised an unhandled exception at some point during the run; -pss, -s and -ip are WER's internal arguments.
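The three host-side behaviours in this process tree (the ping-then-Del self-delete, the Defender configuration query launched from a binary in %TEMP%, and the HKCU Run value pointing into %TEMP%) are each cheap to detect from process-creation and registry-write telemetry. The following is an added example for this page, not the sandbox's code or anything from the sample: it runs three detection functions over a small set of constructed events shaped like Sysmon event ID 1 and ID 13 fields. The PIDs, images and command lines are taken from the report; the sample's own parent PID (1234), the field layout and the two benign control events are assumptions. The Defender check goes beyond the page by also matching Set-/Add-/Remove-MpPreference, since those are the tampering variants of the query seen here.

```python
"""Detection logic for the behaviours in the process tree above (added example;
not code from the sandbox or the sample). Events are constructed to mirror the
report; parent PID 1234 and the two benign control events are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:          # shaped like Sysmon event ID 1 (process create)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:           # shaped like Sysmon event ID 13 (registry value set)
    pid: int
    image: str
    target: str           # full key\value path
    data: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe")

PROC_EVENTS: List[ProcEvent] = [
    ProcEvent(5040, 1234, SAMPLE, '"' + SAMPLE + '"'),            # ppid 1234 assumed
    ProcEvent(2948, 5040, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              '"powershell" Get-MpPreference -verbose'),
    ProcEvent(4936, 5040, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "' + SAMPLE + '"'),
    ProcEvent(2400, 4936, r"C:\Windows\system32\PING.EXE", "ping 1.1.1.1 -n 5 -w 5000"),
    # constructed benign control: a plain ping wrapper with no delete
    ProcEvent(7000, 1234, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000'),
]

REG_EVENTS: List[RegEvent] = [
    RegEvent(5040, SAMPLE,
             r"HKU\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c", SAMPLE),
    # constructed benign control: an installed application registering itself
    RegEvent(8000, r"C:\Program Files\Vendor\app.exe",
             r"HKU\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\Run\Vendor", r"C:\Program Files\Vendor\app.exe"),
]

# "ping <host> ... & del <path>": the sleep-then-delete idiom, path optionally quoted
PING_THEN_DEL = re.compile(r'\bping\s+\S+.*?&\s*del\s+"?(?P<path>[^"&]+?)"?\s*$', re.IGNORECASE)
# Defender cmdlet family: Get/Set/Add/Remove-MpPreference, Get-MpComputerStatus, Get-MpThreat*
DEFENDER_CMDLET = re.compile(r'\b(?:Get|Set|Add|Remove)-Mp(?:Preference|ComputerStatus|Threat\w*)\b',
                             re.IGNORECASE)
# directories a standard user can write to; persistence pointing here is the suspicious case
USER_WRITABLE = re.compile(r'\\(?:AppData\\(?:Local\\Temp|Roaming)|Downloads|Public)\\', re.IGNORECASE)


def _by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def find_self_delete(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """cmd.exe whose ping-then-del command line deletes its own parent's image file."""
    parents, hits = _by_pid(events), []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m, parent = PING_THEN_DEL.search(e.cmdline), parents.get(e.ppid)
        if m and parent and m.group("path").strip().lower() == parent.image.lower():
            hits.append((e.pid, parent.image))
    return hits


def find_defender_queries(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """PowerShell touching Defender settings while its parent runs from a user-writable path."""
    parents, hits = _by_pid(events), []
    for e in events:
        if "powershell" not in e.image.lower():
            continue
        m, parent = DEFENDER_CMDLET.search(e.cmdline), parents.get(e.ppid)
        if m and parent and USER_WRITABLE.search(parent.image):
            hits.append((e.pid, m.group(0), parent.image))
    return hits


def find_run_values_to_user_paths(events: List[RegEvent]) -> List[Tuple[int, str, str]]:
    """Run/RunOnce values whose data points into a user-writable directory."""
    hits = []
    for r in events:
        if "\\currentversion\\run" in r.target.lower() and USER_WRITABLE.search(r.data):
            hits.append((r.pid, r.target.rsplit("\\", 1)[-1], r.data))
    return hits


def triage(proc: List[ProcEvent], reg: List[RegEvent]) -> Dict[str, list]:
    return {"self_delete": find_self_delete(proc),
            "defender_query": find_defender_queries(proc),
            "run_to_user_path": find_run_values_to_user_paths(reg)}


if __name__ == "__main__":
    for name, hits in triage(PROC_EVENTS, REG_EVENTS).items():
        print(name, hits)
```

The self-delete check deliberately requires the deleted path to equal the parent's image rather than matching any `ping ... & del`, which keeps installer cleanup scripts out of the results; the Run-key check is keyed on where the value points, not on the value name, because the name here is an arbitrary hex string that will differ per sample.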
Network
- flow details are not included on this page; the only network evidence here is the Suricata BlackNET CnC Keep-Alive alert under Signatures.

MITRE ATT&CK Matrix (ATT&CK v6)
- the matrix itself is not included on this page; the TTP counts are given per signature above.
Downloads (memory dumps)
Each name has the form memory/<pid>-<index>-<start>[-<end>]-<kind>.dmp. "mapping" entries carry a single zero address and no size; "memory" entries are captured address ranges, with the size the report shows beside them.
- memory/2400-136-0x0000000000000000-mapping.dmp
- memory/2948-132-0x0000000000000000-mapping.dmp
- memory/2948-133-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp, 10.8MB
- memory/2948-134-0x000001F5C85C0000-0x000001F5C85E2000-memory.dmp, 136KB
- memory/4936-135-0x0000000000000000-mapping.dmp
- memory/5040-130-0x0000000000140000-0x000000000017E000-memory.dmp, 248KB
- memory/5040-131-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp, 10.8MB

Notes: the 0x140000-0x17E000 region in PID 5040 is 0x3E000 bytes = 248KB, consistent with a mapped image of the 235KB sample (section alignment makes the in-memory image a little larger than the file), so 5040-130 is the dump to open first for the sample's own code. The 0x00007FFE537D0000-0x00007FFE54291000 range is captured at the same address in both PID 5040 and PID 2948 (10.8MB each), which is what a system module mapped at a shared base looks like; the report does not name it, so check that dump's headers before treating any of it as sample code.
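The dump names above encode the PID and address range, so the sizes the report prints and the "same region in two processes" observation can both be checked mechanically rather than by eye. The following is an added example for this page, not tooling from the sandbox: a parser for the name layout as it appears in the list above, a size renderer that reproduces the report's 1024-based rounding (whole KB under 1 MiB, MB to one decimal above), and two helpers that flag ranges shared across PIDs and list the regions unique to one PID. The rounding rule is an assumption that the check confirms against all seven entries.

```python
"""Parser and consistency check for the sandbox memory-dump names listed above.
Added example for this page, not code from the sandbox. Name layout is read off
the list; the size-formatting rule is an assumption confirmed by check_sizes()."""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class DumpName(NamedTuple):
    pid: int
    index: int
    start: int
    end: Optional[int]   # None for "mapping" entries, which carry a single zero address
    kind: str            # "memory" or "mapping"


NAME_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")

# copied from the report above; second field is the size shown there (None where none is shown)
REPORT: List[Tuple[str, Optional[str]]] = [
    ("memory/2400-136-0x0000000000000000-mapping.dmp", None),
    ("memory/2948-132-0x0000000000000000-mapping.dmp", None),
    ("memory/2948-133-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp", "10.8MB"),
    ("memory/2948-134-0x000001F5C85C0000-0x000001F5C85E2000-memory.dmp", "136KB"),
    ("memory/4936-135-0x0000000000000000-mapping.dmp", None),
    ("memory/5040-130-0x0000000000140000-0x000000000017E000-memory.dmp", "248KB"),
    ("memory/5040-131-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp", "10.8MB"),
]


def parse_dump_name(name: str) -> DumpName:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, index, start, end, kind = m.groups()
    return DumpName(int(pid), int(index), int(start, 16), int(end, 16) if end else None, kind)


def region_size(d: DumpName) -> Optional[int]:
    """Byte length of a captured region; None for mapping entries."""
    return None if d.end is None else d.end - d.start


def human_size(nbytes: int) -> str:
    """Reproduce the report's rendering: whole KB under 1 MiB, else MB to one decimal."""
    if nbytes < 1024 * 1024:
        return f"{nbytes / 1024:.0f}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_sizes(entries) -> List[Tuple[str, str, str]]:
    """Entries whose address range disagrees with the size printed beside them."""
    mismatches = []
    for name, shown in entries:
        size = region_size(parse_dump_name(name))
        if size is not None and human_size(size) != shown:
            mismatches.append((name, human_size(size), shown))
    return mismatches


def shared_regions(entries) -> Dict[Tuple[int, int], Set[int]]:
    """Address ranges captured in more than one process: shared modules, not unique sample code."""
    seen: Dict[Tuple[int, int], Set[int]] = {}
    for name, _ in entries:
        d = parse_dump_name(name)
        if d.end is not None:
            seen.setdefault((d.start, d.end), set()).add(d.pid)
    return {rng: pids for rng, pids in seen.items() if len(pids) > 1}


def unique_regions_for(entries, pid: int) -> List[DumpName]:
    """Captured regions that appear only in `pid`: the first dumps to open for that process."""
    shared = shared_regions(entries)
    return [d for d in (parse_dump_name(n) for n, _ in entries)
            if d.pid == pid and d.end is not None and (d.start, d.end) not in shared]


if __name__ == "__main__":
    print("size mismatches:", check_sizes(REPORT))
    for rng, pids in shared_regions(REPORT).items():
        print(f"shared 0x{rng[0]:X}-0x{rng[1]:X} in PIDs {sorted(pids)}")
    for d in unique_regions_for(REPORT, 5040):
        print(f"PID {d.pid} unique region 0x{d.start:X}-0x{d.end:X} ({human_size(region_size(d))})")
```

Run as-is it reports no size mismatches, one shared range (0x7FFE537D0000-0x7FFE54291000 in PIDs 2948 and 5040) and a single unique region for PID 5040, the 0x140000-0x17E000 image dump.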