Analysis
-
max time kernel
25s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 19:39
Static task
static1
Behavioral task
behavioral1
Sample
6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
Resource
win10v2004-20220414-en
General
-
Target
6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
-
Size
107KB
-
MD5
34462cc235a225cfea64571cbe5f1f9a
-
SHA1
bf83863f8501f4d7fb60306cef10f878f99c3341
-
SHA256
6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c
-
SHA512
6668072aaf81198f86a62fa6cf5756c98d5d100e0f17171bb56cc7f00c0e917386bcb92bdd6d6c68a406deb0d7c1a809064a2e517b3a4bf625652495fb9a3836
Malware Config
Extracted
blacknet
MAcroExploit
qcRLY15MytEH8zzltUEUXqMWcrfsJpvwf9Q847/pEPjQw/wKO/3cbdqjE/N5HkfOnvMDzlfeLP49xZyrrYQc01IRmoUWcIuDFK+Uw41r3IbCQ4S68d9CG+JSQHBD1u/k+VYdqmpcn/Rdz6DJKRufFJeoOGnvi4I0y/dk3Q3oOZ0QjPa8Br3g34putZYLkW+7vlPCz9v0kqlE8wekEHL+y0+LYms4Ik8+dRp/9egEXzTy6NrW+JDx3yNvWUBcX8wXIK8PSzZMloJPQU6QDAQY1ZAJWOdpfuL8TSXH9AKWDlFNI311m2sFcvYtKEnt6uCaHvY/R79HlfoffaozQAlYaQ==
BN[LCsHRzym-8457373]
-
antivm
true
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
24d7d2c2d063440d72f07787304f20b9
-
startup
true
-
usb_spread
true
Signatures
-
BlackNET Payload 2 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
yara_rule: family_blacknet
resource: C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
yara_rule: family_blacknet
-
Executes dropped EXE 2 IoCs
Processes:
pid: 1948
process: svshost.exe
pid: 2036
process: WindowsUpdate.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
process: 6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24d7d2c2d063440d72f07787304f20b9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe"
process: 6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24d7d2c2d063440d72f07787304f20b9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"
process: 6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\svshost.exe"
process: svshost.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24d7d2c2d063440d72f07787304f20b9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"
process: WindowsUpdate.exe
-
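A triage check for the persistence entries above, added here as an example; it is not part of the sandbox report and not BlackNET code. It scores HKCU Run values on the three traits this report shows: a 32-hex-digit value name (the config's start_name), an image dropped under a user-writable Temp or Roaming path, and an image name that imitates a Windows component (the config's install_name WindowsUpdate.exe, and svshost.exe next to the legitimate svchost.exe). The SAMPLE_RUN_VALUES dictionary is constructed from the entries listed above plus an assumed benign OneDrive control entry, and LOOKALIKE_NAMES is an assumption seeded only from this report. Nothing here reads a live registry; on a host you would feed it the values read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run (with single backslashes, unlike the doubled ones in the dump above).

```python
import re
from typing import Dict, List

# Constructed sample of HKCU\...\CurrentVersion\Run values: the two entries from this
# report plus one benign OneDrive control entry (assumption, not from the report).
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "24d7d2c2d063440d72f07787304f20b9":
        r"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe",
    "AdobeUpdate": r"C:\Users\Admin\AppData\Roaming\svshost.exe",
    "OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

# Heuristics drawn from the report above.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# Assumption: names seen in this report only; extend from your own telemetry.
LOOKALIKE_NAMES = {"windowsupdate.exe", "svshost.exe"}


def _image_path(data: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def classify_run_entry(name: str, data: str) -> List[str]:
    """Return the list of reasons this Run value looks like a dropped-malware autostart."""
    reasons: List[str] = []
    path = _image_path(data)
    base = path.rsplit("\\", 1)[-1].lower()
    if HEX32.match(name):
        reasons.append("value name is a 32-hex-digit token")
    if USER_WRITABLE.search(path):
        reasons.append("image lives under a user-writable Temp/Roaming path")
    if base in LOOKALIKE_NAMES:
        reasons.append(f"image name {base} imitates a Windows component")
    return reasons


def suspicious_run_entries(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Filter a name->data mapping of Run values down to the ones with at least one reason."""
    flagged: Dict[str, List[str]] = {}
    for name, data in values.items():
        reasons = classify_run_entry(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
```

Both entries from the report are flagged on more than one trait, while the OneDrive control entry (under AppData\Local\Microsoft, a normal install location) passes; a single trait such as a Roaming path alone is a weak signal, so in practice rank results by the number of reasons rather than treating any hit as a verdict.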
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description tags this as likely ransomware behaviour; for this sample no file encryption is recorded, and the drive enumeration is consistent with usb_spread being set to true in the extracted config above.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
pid: 2036
process: WindowsUpdate.exe (23 occurrences)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege
pid: 2036
process: WindowsUpdate.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description: PID 2160 wrote to memory of 1948
pid: 2160
process: 6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
target process: svshost.exe
description: PID 2160 wrote to memory of 1948
pid: 2160
process: 6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
target process: svshost.exe
description: PID 2160 wrote to memory of 2036
pid: 2160
process: 6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
target process: WindowsUpdate.exe
description: PID 2160 wrote to memory of 2036
pid: 2160
process: 6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe
target process: WindowsUpdate.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svshost.exe (depth 2, child of the sample above)
command line: "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe (depth 2, child of the sample above)
command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
107KB
MD5
34462cc235a225cfea64571cbe5f1f9a
SHA1
bf83863f8501f4d7fb60306cef10f878f99c3341
SHA256
6af3997fbc219d7107ed501e7c1bec7e2e5fde3a8e10b4de4525921dad70a13c
SHA512
6668072aaf81198f86a62fa6cf5756c98d5d100e0f17171bb56cc7f00c0e917386bcb92bdd6d6c68a406deb0d7c1a809064a2e517b3a4bf625652495fb9a3836
-
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize
10KB
MD5
74799c22938cc4758d06aad116fff0fb
SHA1
24f517d9a666adacc88a1c0c7b9db39743f573a4
SHA256
eff5f5ea6e6f96b3391dc8b8b8bd3651f3e38b9a5907e985b3704bc06df559c2
SHA512
f850f5e03ead19fc4e318cc14c96e6bd0198b0f2b467304da00b627cd838240d6790f466edd4aaf18767c7ff0c2a7cb881ae1f55fd487f5b2d1d1e2e100affee
-
memory/1948-130-0x0000000000000000-mapping.dmp
-
memory/1948-133-0x0000000000180000-0x0000000000188000-memory.dmp
Filesize
32KB
-
memory/1948-137-0x00007FFC6D6C0000-0x00007FFC6E181000-memory.dmp
Filesize
10.8MB
-
memory/2036-134-0x0000000000000000-mapping.dmp