Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-06-2022 22:16

Behavioral task behavioral1
- Sample: 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
- Resource: win7-20220414-en

Behavioral task behavioral2
- Sample: 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
- Resource: win10v2004-20220414-en

General
- Target: 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
- Size: 316KB
- MD5: 638681d2a3ca3ab15791adf63e068f5c
- SHA1: 8d9be64a501184e14eeeb3bd1b1f2bc6d7ab7c53
- SHA256: 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c
- SHA512: f407a7e234e7ee7fc7a756335420f2b6056838c6a8734ba7daf98f31abde19d36b41c6f28e3d3e5e49e857d539f0cf14fb8ae8b5f915208fc4fbe551d31ad555
Malware Config
Extracted
- Family: blacknet
- Version: v3.7.0 Public
- Second
- C2: https://mailquickdiate.com
- BN[e9ebec8bb16ee9a3]
- antivm: false
- elevate_uac: false
- install_name: WindowsUpdate.exe
- splitter: |BN|
- start_name: e162b1333458a713bc6916cc8ac4110c
- startup: true
- usb_spread: false
Signatures

BlackNET Payload (3 IoCs)
Processes (resource: yara_rule):
- behavioral2/memory/2432-130-0x00000000001B0000-0x0000000000204000-memory.dmp: family_blacknet
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe: family_blacknet
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe: family_blacknet

Contains code to disable Windows Defender (3 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes (resource: yara_rule):
- behavioral2/memory/2432-130-0x00000000001B0000-0x0000000000204000-memory.dmp: disable_win_def
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe: disable_win_def
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe: disable_win_def

suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

Executes dropped EXE (1 IoC)
Processes (pid process):
- 2116 WindowsUpdate.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (WindowsUpdate.exe)

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe" (4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" (4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" (WindowsUpdate.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes (pid process; the 46 IoCs are repeated entries for these two processes):
- 2432 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
- 2116 WindowsUpdate.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2432 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
- Token: SeDebugPrivilege, 2116 WindowsUpdate.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid process):
- 2432 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe (listed twice)
- 2116 WindowsUpdate.exe (listed twice)

Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description / pid / process / target process; each entry is listed twice):
- PID 2432 wrote to memory of 3452: 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe -> cmd.exe
- PID 3452 wrote to memory of 2388: cmd.exe -> PING.EXE
- PID 2432 wrote to memory of 2116: 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe -> WindowsUpdate.exe
- PID 2116 wrote to memory of 4156: WindowsUpdate.exe -> cmd.exe
- PID 4156 wrote to memory of 4204: cmd.exe -> PING.EXE
Processes (PIDs taken from the WriteProcessMemory entries above)
- C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe (PID 2432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3452)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID 2388)
      Command line: ping 1.1.1.1 -n 5 -w 5000
      - Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe (PID 2116)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 4156)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\PING.EXE (PID 4204)
        Command line: ping 1.1.1.1 -n 5 -w 5000
        - Runs ping.exe
Downloads
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
  Filesize: 316KB
  MD5: 638681d2a3ca3ab15791adf63e068f5c
  SHA1: 8d9be64a501184e14eeeb3bd1b1f2bc6d7ab7c53
  SHA256: 4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c
  SHA512: f407a7e234e7ee7fc7a756335420f2b6056838c6a8734ba7daf98f31abde19d36b41c6f28e3d3e5e49e857d539f0cf14fb8ae8b5f915208fc4fbe551d31ad555
- memory/2116-134-0x0000000000000000-mapping.dmp
- memory/2116-138-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp (Filesize: 10.8MB)
- memory/2116-141-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp (Filesize: 10.8MB)
- memory/2388-133-0x0000000000000000-mapping.dmp
- memory/2432-130-0x00000000001B0000-0x0000000000204000-memory.dmp (Filesize: 336KB)
- memory/2432-131-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp (Filesize: 10.8MB)
- memory/2432-137-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp (Filesize: 10.8MB)
- memory/3452-132-0x0000000000000000-mapping.dmp
- memory/4156-139-0x0000000000000000-mapping.dmp
- memory/4204-140-0x0000000000000000-mapping.dmp