blacknet | 6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c

General

Target

6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
Size

107KB
MD5

34462cc235a225cfea64571cbe5f1f9a
SHA1

bf83863f8501f4d7fb60306cef10f878f99c3341
SHA256

6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c
SHA512

6668072aaf81198f86a62fa6cf5756c98d5d100e0f17171bb56cc7f00c0e917386bcb92bdd6d6c68a406deb0d7c1a809064a2e517b3a4bf625652495fb9a3836

Score

10^/10

blacknet macroexploit persistence trojan

Malware Config

Extracted

Family

blacknet

Botnet

MAcroExploit

C2

qcRLY15MytEH8zzltUEUXqMWcrfsJpvwf9Q847/pEPjQw/wKO/3cbdqjE/N5HkfOnvMDzlfeLP49xZyrrYQc01IRmoUWcIuDFK+Uw41r3IbCQ4S68d9CG+JSQHBD1u/k+VYdqmpcn/Rdz6DJKRufFJeoOGnvi4I0y/dk3Q3oOZ0QjPa8Br3g34putZYLkW+7vlPCz9v0kqlE8wekEHL+y0+LYms4Ik8+dRp/9egEXzTy6NrW+JDx3yNvWUBcX8wXIK8PSzZMloJPQU6QDAQY1ZAJWOdpfuL8TSXH9AKWDlFNI311m2sFcvYtKEnt6uCaHvY/R79HlfoffaozQAlYaQ==

Mutex

BN[LCsHRzym-8457373]

Attributes

antivm
true
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
24d7d2c2d063440d72f07787304f20b9
startup
true
usb_spread
true

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet

Executes dropped EXE 2 IoCs

Processes:

svshost.exeWindowsUpdate.exe

pid process

1676 svshost.exe
1712 WindowsUpdate.exe

pid	process
1676	svshost.exe
1712	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exesvshost.exeWindowsUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\24d7d2c2d063440d72f07787304f20b9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe"	6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\24d7d2c2d063440d72f07787304f20b9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\24d7d2c2d063440d72f07787304f20b9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	WindowsUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe

description	pid	process	target process
PID 1392 wrote to memory of 1676	1392	6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe	svshost.exe
PID 1392 wrote to memory of 1676	1392	6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe	svshost.exe
PID 1392 wrote to memory of 1676	1392	6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe	svshost.exe
PID 1392 wrote to memory of 1712	1392	6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe	WindowsUpdate.exe
PID 1392 wrote to memory of 1712	1392	6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe	WindowsUpdate.exe
PID 1392 wrote to memory of 1712	1392	6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe	WindowsUpdate.exe

C:\Users\Admin\AppData\Local\Temp\6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
"C:\Users\Admin\AppData\Local\Temp\6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1676

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
107KB

MD5
34462cc235a225cfea64571cbe5f1f9a

SHA1
bf83863f8501f4d7fb60306cef10f878f99c3341

SHA256
6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c

SHA512
6668072aaf81198f86a62fa6cf5756c98d5d100e0f17171bb56cc7f00c0e917386bcb92bdd6d6c68a406deb0d7c1a809064a2e517b3a4bf625652495fb9a3836

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
107KB

MD5
34462cc235a225cfea64571cbe5f1f9a

SHA1
bf83863f8501f4d7fb60306cef10f878f99c3341

SHA256
6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c

SHA512
6668072aaf81198f86a62fa6cf5756c98d5d100e0f17171bb56cc7f00c0e917386bcb92bdd6d6c68a406deb0d7c1a809064a2e517b3a4bf625652495fb9a3836

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize
10KB

MD5
74799c22938cc4758d06aad116fff0fb

SHA1
24f517d9a666adacc88a1c0c7b9db39743f573a4

SHA256
eff5f5ea6e6f96b3391dc8b8b8bd3651f3e38b9a5907e985b3704bc06df559c2

SHA512
f850f5e03ead19fc4e318cc14c96e6bd0198b0f2b467304da00b627cd838240d6790f466edd4aaf18767c7ff0c2a7cb881ae1f55fd487f5b2d1d1e2e100affee

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize
10KB

MD5
74799c22938cc4758d06aad116fff0fb

SHA1
24f517d9a666adacc88a1c0c7b9db39743f573a4

SHA256
eff5f5ea6e6f96b3391dc8b8b8bd3651f3e38b9a5907e985b3704bc06df559c2

SHA512
f850f5e03ead19fc4e318cc14c96e6bd0198b0f2b467304da00b627cd838240d6790f466edd4aaf18767c7ff0c2a7cb881ae1f55fd487f5b2d1d1e2e100affee

Download Submit
memory/1392-54-0x000007FEF2930000-0x000007FEF39C6000-memory.dmp

Filesize
16.6MB

Download
memory/1392-55-0x0000000002056000-0x0000000002075000-memory.dmp

Filesize
124KB

Download
memory/1676-56-0x0000000000000000-mapping.dmp

Download
memory/1676-64-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/1712-59-0x0000000000000000-mapping.dmp

Download
memory/1712-62-0x000007FEF2930000-0x000007FEF39C6000-memory.dmp

Filesize
16.6MB

Download
memory/1712-63-0x0000000000C16000-0x0000000000C35000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads