Analysis
-
max time kernel
44s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
14-06-2022 22:16
Behavioral task
behavioral1
Sample
4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
Resource
win10v2004-20220414-en
General
-
Target
4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
-
Size
316KB
-
MD5
638681d2a3ca3ab15791adf63e068f5c
-
SHA1
8d9be64a501184e14eeeb3bd1b1f2bc6d7ab7c53
-
SHA256
4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c
-
SHA512
f407a7e234e7ee7fc7a756335420f2b6056838c6a8734ba7daf98f31abde19d36b41c6f28e3d3e5e49e857d539f0cf14fb8ae8b5f915208fc4fbe551d31ad555
Malware Config
Extracted
blacknet
v3.7.0 Public
Second
https://mailquickdiate.com
BN[e9ebec8bb16ee9a3]
-
antivm
false
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
e162b1333458a713bc6916cc8ac4110c
-
startup
true
-
usb_spread
false
Signatures
-
BlackNET Payload 4 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/780-54-0x0000000000930000-0x0000000000984000-memory.dmp    family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe        family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe        family_blacknet
behavioral1/memory/1572-62-0x0000000000950000-0x00000000009A4000-memory.dmp   family_blacknet
Contains code to disable Windows Defender 4 IoCs
A .NET executable that carries code to disable Windows Defender capabilities such as real-time monitoring, Block at First Sight, etc. The rule fires on the code being present; this run records no evidence of whether the sample actually invoked it.
Processes:
resource                                                                      yara_rule
behavioral1/memory/780-54-0x0000000000930000-0x0000000000984000-memory.dmp    disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe        disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe        disable_win_def
behavioral1/memory/1572-62-0x0000000000950000-0x00000000009A4000-memory.dmp   disable_win_def
Executes dropped EXE 1 IoCs
Processes:
pid    process
1572   WindowsUpdate.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"
process: 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe

description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe"
process: 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe

The value name is the start_name from the extracted config, and one write points at the install_name (WindowsUpdate.exe) under the dropper's MyClient directory. The same value is written twice with different paths; only the last write persists, so check which path the key holds at the end of the run. The key is in the user hive (HKCU Run), which matches elevate_uac being false in the config: persistence needs no elevation.
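A detection for this persistence pattern, written for this report as an added example (it is not sandbox output and not BlackNET code). It assumes Sysmon-style Event ID 13 (RegistryEvent, value set) records with Image, TargetObject and Details fields; the sample events are constructed from the two Run-key writes above (string data unescaped) plus two benign entries, and the config values come from the extracted config section.

```python
"""Flag Run-key persistence of the kind recorded above.

Added example for this report; not sandbox output and not BlackNET code.
Assumes Sysmon-style Event ID 13 (RegistryEvent, value set) records that
carry Image, TargetObject and Details. The events below are constructed
from the two Run-key writes in the report (string data unescaped) plus
two benign entries for contrast.
"""
import re

# Values taken from the extracted BlackNET config above.
BLACKNET_CONFIG = {
    "install_name": "WindowsUpdate.exe",
    "start_name": "e162b1333458a713bc6916cc8ac4110c",
}

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Directories any unprivileged user can write to; a "Windows" binary autorun
# from one of these cannot be a genuine component.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\",
    re.IGNORECASE,
)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

SID = "S-1-5-21-1819626980-2277161760-1023733287-1000"
RUN = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN + r"\e162b1333458a713bc6916cc8ac4110c", "Details": DROPPED},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN + r"\e162b1333458a713bc6916cc8ac4110c", "Details": SAMPLE},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": RUN + r"\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def extract_exe_path(details: str) -> str:
    """Return the executable path from Run value data, without quotes or arguments."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", details, re.IGNORECASE)  # unquoted: stop at the .exe token
    return m.group(1) if m else details.split(" ", 1)[0]


def check_run_value(value_name: str, details: str, config: dict) -> list:
    """List the reasons a Run value looks like BlackNET-style persistence (empty if none)."""
    target = extract_exe_path(details)
    file_name = target.rsplit("\\", 1)[-1]
    reasons = []
    if USER_WRITABLE_RE.search(target):
        reasons.append("autorun target in user-writable path")
    if file_name.lower() == config["install_name"].lower():
        reasons.append("file name matches config install_name")
    if value_name.lower() == config["start_name"].lower():
        reasons.append("value name matches config start_name")
    elif HEX32_RE.match(value_name):
        reasons.append("value name is a bare 32-hex string")
    return reasons


def analyse_events(events: list, config: dict) -> list:
    """Run check_run_value over registry events; keep writes with two or more reasons."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = RUN_KEY_RE.search(ev["TargetObject"])
        if not m:
            continue
        reasons = check_run_value(m.group("name"), ev["Details"], config)
        if len(reasons) >= 2:  # a lone user-writable hit is too noisy on its own
            alerts.append({"writer": ev["Image"], "value_name": m.group("name"),
                           "target": extract_exe_path(ev["Details"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyse_events(SAMPLE_EVENTS, BLACKNET_CONFIG):
        print(a["writer"], "->", a["value_name"], "=", a["target"], "|", ", ".join(a["reasons"]))
```

Both writes from the report are flagged (user-writable target plus the config-derived value name; the WindowsUpdate.exe write also matches install_name), the OneDrive entry is not. The two-reason threshold is deliberate: plenty of legitimate software autoruns from AppData\Roaming, so "user-writable path" alone only scores, it does not alert.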
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; for this sample the extracted config carries a usb_spread option (false in this build), so drive enumeration is more plausibly the RAT checking for removable media than a ransomware precursor. The report records no file encryption activity.
-
Runs ping.exe 1 TTPs 1 IoCs
Processes:
pid    process
572    PING.EXE (ping 1.1.1.1 -n 5 -w 5000)
The ping is launched by cmd.exe (PID 528) purely as a delay: the same cmd.exe command line then deletes the original sample from Temp, after the copy in MyClient\WindowsUpdate.exe has been started. See the cmd.exe command line in the process tree.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid    process
780    4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
1572   WindowsUpdate.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   780    4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
Token: SeDebugPrivilege   1572   WindowsUpdate.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid    process
780    4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
780    4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
1572   WindowsUpdate.exe
1572   WindowsUpdate.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                   pid    process                                                                   target process
PID 780 wrote to memory of 528    780    4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe    cmd.exe
PID 780 wrote to memory of 528    780    4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe    cmd.exe
PID 780 wrote to memory of 528    780    4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe    cmd.exe
PID 528 wrote to memory of 572    528    cmd.exe                                                                   PING.EXE
PID 528 wrote to memory of 572    528    cmd.exe                                                                   PING.EXE
PID 528 wrote to memory of 572    528    cmd.exe                                                                   PING.EXE
PID 780 wrote to memory of 1572   780    4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe    WindowsUpdate.exe
PID 780 wrote to memory of 1572   780    4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe    WindowsUpdate.exe
PID 780 wrote to memory of 1572   780    4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe    WindowsUpdate.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe  (PID 780)
    command line: "C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe  (PID 528, child of 780)
        command line: "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\PING.EXE  (PID 572, child of 528)
            command line: ping 1.1.1.1 -n 5 -w 5000
            - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe  (PID 1572, child of 780)
        command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
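The cmd.exe line in the tree is the classic "ping as sleep, then delete the dropper" self-removal chain. The following parser is an added example for this report (not sandbox output, not BlackNET code); it assumes Sysmon-style Event ID 1 (ProcessCreate) records with ProcessId, Image, ParentImage and CommandLine, and the sample events are constructed from the report's cmd.exe command line plus two other cmd.exe invocations for contrast.

```python
"""Spot the "ping as sleep, then delete the parent" chain from the process tree above.

Added example; not sandbox output and not BlackNET code. Assumes Sysmon-style
Event ID 1 (ProcessCreate) records with ProcessId, Image, ParentImage and
CommandLine. The events below are constructed from the report's cmd.exe line
plus two other cmd.exe invocations for contrast.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe"

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 1, "ProcessId": 528, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "' + SAMPLE + '"'},
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c ping localhost -n 3 > nul && del /f /q "C:\Users\Admin\Downloads\old.exe"'},
    {"EventID": 1, "ProcessId": 901, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\Admin > C:\Users\Admin\list.txt"},
]

CMD_PREFIX_RE = re.compile(r'^\s*"?[^"]*?cmd(?:\.exe)?"?\s+/[ck]\s+', re.IGNORECASE)
REDIRECT_RE = re.compile(r"\s*\d?>>?\s*\S+")                 # "> Nul", "2>>log"
SEPARATOR_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")        # cmd.exe command separators
DEL_RE = re.compile(r"^(?:del|erase)\s+(?:/\w+\s+)*(.*)$", re.IGNORECASE)


def split_segments(cmdline: str) -> list:
    """Drop the cmd.exe /c prefix and output redirections, then split on & && | ||."""
    m = CMD_PREFIX_RE.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    body = REDIRECT_RE.sub("", body)
    return [s.strip() for s in SEPARATOR_RE.split(body) if s.strip()]


def parse_ping_delay(segment: str):
    """Return {host, count, timeout_ms} if the segment is a ping used as a timer, else None."""
    toks = segment.split()
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("ping", "ping.exe"):
        return None
    info = {"host": None, "count": 1, "timeout_ms": None}  # ping defaults: 1 request, no -w given
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("-n", "-w") and i + 1 < len(toks) and toks[i + 1].isdigit():
            info["count" if t == "-n" else "timeout_ms"] = int(toks[i + 1])
            i += 2
            continue
        if not t.startswith("-") and info["host"] is None:
            info["host"] = toks[i]
        i += 1
    return info


def parse_delete(segment: str):
    """Return the path a del/erase segment targets (unquoted), or None."""
    m = DEL_RE.match(segment)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split()[0] if rest else None


def classify_cmd_event(ev: dict) -> dict:
    """Describe a cmd.exe ProcessCreate event: timer ping, delete target, and whether it deletes its own parent."""
    if ev.get("EventID") != 1 or ev["Image"].lower().rsplit("\\", 1)[-1] != "cmd.exe":
        return {}
    findings = {}
    for seg in split_segments(ev["CommandLine"]):
        ping = parse_ping_delay(seg)
        if ping:
            findings["ping_delay"] = ping
        target = parse_delete(seg)
        if target:
            findings["delete_target"] = target
            findings["self_deletion"] = target.lower() == ev["ParentImage"].lower()
    return findings


def find_self_deletion_chains(events: list) -> list:
    """Return PIDs of cmd.exe processes that sleep via ping and then delete their parent's image."""
    hits = []
    for ev in events:
        f = classify_cmd_event(ev)
        if f.get("self_deletion") and "ping_delay" in f:
            hits.append(ev["ProcessId"])
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ProcessId"], classify_cmd_event(ev))
    print("self-deletion chains:", find_self_deletion_chains(SAMPLE_EVENTS))
```

Only PID 528 is reported: its delete target equals the parent image, which is the signature of a dropper removing itself. The second event deletes an unrelated file and is kept as a finding but not as a self-deletion. On the timing, ping sends one request per second when the host answers, so "-n 5" against a reachable 1.1.1.1 yields roughly four seconds of delay; the "-w 5000" only lengthens it if replies stop arriving, which is why offline sandboxes sometimes see this step take much longer than the author intended.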
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe (listed twice in the report)
Filesize: 316KB
MD5: 638681d2a3ca3ab15791adf63e068f5c
SHA1: 8d9be64a501184e14eeeb3bd1b1f2bc6d7ab7c53
SHA256: 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c
SHA512: f407a7e234e7ee7fc7a756335420f2b6056838c6a8734ba7daf98f31abde19d36b41c6f28e3d3e5e49e857d539f0cf14fb8ae8b5f915208fc4fbe551d31ad555
Size and all four hashes are identical to the submitted sample: the dropped WindowsUpdate.exe is a byte-for-byte copy of 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe written to the configured install_name path, not a second-stage payload. One hash set therefore covers both the original and the installed copy.
Memory dumps:
memory/528-57-0x0000000000000000-mapping.dmp
memory/572-58-0x0000000000000000-mapping.dmp
memory/780-54-0x0000000000930000-0x0000000000984000-memory.dmp    Filesize: 336KB
memory/780-55-0x000007FEFBA91000-0x000007FEFBA93000-memory.dmp    Filesize: 8KB
memory/780-56-0x000000001B269000-0x000000001B288000-memory.dmp    Filesize: 124KB
memory/780-65-0x000000001B269000-0x000000001B288000-memory.dmp    Filesize: 124KB
memory/1572-59-0x0000000000000000-mapping.dmp
memory/1572-62-0x0000000000950000-0x00000000009A4000-memory.dmp   Filesize: 336KB
memory/1572-64-0x000000001B629000-0x000000001B648000-memory.dmp   Filesize: 124KB