00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39

General

Target

00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
Size

235KB
MD5

2b68b4ac5925dc134631ff4555c5aea5
SHA1

ed0112fa289ed48c5b541eec39fd1554ae08ab9f
SHA256

00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39
SHA512

77ce92481066a3a6efd68055b5551562d8997900d65f9b888cd6d3a485aac459b46c0aab2407828e73c28bdcec9bfd2d2ad0933109d9584ed1ee06fb02601803

Score

10^/10

evasion persistence suricata trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
suricata

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2400 PING.EXE

pid	process
2400	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exepowershell.exe

pid	process
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
2948	powershell.exe
2948	powershell.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe

pid	process
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.execmd.exe

description	pid	process	target process
PID 5040 wrote to memory of 2948	5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe	powershell.exe
PID 5040 wrote to memory of 2948	5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe	powershell.exe
PID 5040 wrote to memory of 4936	5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe	cmd.exe
PID 5040 wrote to memory of 4936	5040	00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe	cmd.exe
PID 4936 wrote to memory of 2400	4936	cmd.exe	PING.EXE
PID 4936 wrote to memory of 2400	4936	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe
"C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\00570cda65504949c9e47e4901c7b503c13b0c981d7df20182824ed65c858c39.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 5 -w 5000
3⤵
- Runs ping.exe
PID:2400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 5040 -ip 5040
1⤵
PID:3788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-136-0x0000000000000000-mapping.dmp

Download
memory/2948-132-0x0000000000000000-mapping.dmp

Download
memory/2948-133-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp

Filesize
10.8MB

Download
memory/2948-134-0x000001F5C85C0000-0x000001F5C85E2000-memory.dmp

Filesize
136KB

Download
memory/4936-135-0x0000000000000000-mapping.dmp

Download
memory/5040-130-0x0000000000140000-0x000000000017E000-memory.dmp

Filesize
248KB

Download
memory/5040-131-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads