blacknet | 86f5d60117c8881242d3e23e6f966306dc32265f8f1ba8a7ccd6c146bea3cf24

General

Target

4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
Size

316KB
MD5

638681d2a3ca3ab15791adf63e068f5c
SHA1

8d9be64a501184e14eeeb3bd1b1f2bc6d7ab7c53
SHA256

4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c
SHA512

f407a7e234e7ee7fc7a756335420f2b6056838c6a8734ba7daf98f31abde19d36b41c6f28e3d3e5e49e857d539f0cf14fb8ae8b5f915208fc4fbe551d31ad555

Score

10^/10

blacknet second persistence suricata trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Second

C2

https://mailquickdiate.com

Mutex

BN[e9ebec8bb16ee9a3]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
true
usb_spread
false

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2432-130-0x00000000001B0000-0x0000000000204000-memory.dmp	family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2432-130-0x00000000001B0000-0x0000000000204000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def

suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
suricata
Executes dropped EXE 1 IoCs

Processes:

WindowsUpdate.exe

pid process

2116 WindowsUpdate.exe

pid	process
2116	WindowsUpdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exeWindowsUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exeWindowsUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe"	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	WindowsUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2388 PING.EXE
4204 PING.EXE

pid	process
2388	PING.EXE
4204	PING.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exeWindowsUpdate.exe

pid	process
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exeWindowsUpdate.exe

description	pid	process
Token: SeDebugPrivilege	2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
Token: SeDebugPrivilege	2116	WindowsUpdate.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exeWindowsUpdate.exe

pid	process
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
2116	WindowsUpdate.exe
2116	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.execmd.exeWindowsUpdate.execmd.exe

description	pid	process	target process
PID 2432 wrote to memory of 3452	2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe	cmd.exe
PID 2432 wrote to memory of 3452	2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe	cmd.exe
PID 3452 wrote to memory of 2388	3452	cmd.exe	PING.EXE
PID 3452 wrote to memory of 2388	3452	cmd.exe	PING.EXE
PID 2432 wrote to memory of 2116	2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe	WindowsUpdate.exe
PID 2432 wrote to memory of 2116	2432	4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe	WindowsUpdate.exe
PID 2116 wrote to memory of 4156	2116	WindowsUpdate.exe	cmd.exe
PID 2116 wrote to memory of 4156	2116	WindowsUpdate.exe	cmd.exe
PID 4156 wrote to memory of 4204	4156	cmd.exe	PING.EXE
PID 4156 wrote to memory of 4204	4156	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe
"C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 5 -w 5000
3⤵
- Runs ping.exe
PID:2388

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 5 -w 5000
4⤵
- Runs ping.exe
PID:4204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
316KB

MD5
638681d2a3ca3ab15791adf63e068f5c

SHA1
8d9be64a501184e14eeeb3bd1b1f2bc6d7ab7c53

SHA256
4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c

SHA512
f407a7e234e7ee7fc7a756335420f2b6056838c6a8734ba7daf98f31abde19d36b41c6f28e3d3e5e49e857d539f0cf14fb8ae8b5f915208fc4fbe551d31ad555

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
316KB

MD5
638681d2a3ca3ab15791adf63e068f5c

SHA1
8d9be64a501184e14eeeb3bd1b1f2bc6d7ab7c53

SHA256
4fbba14a292b8827b2034f8a3b22ad408248e64585876cd93d7eb9e4bf96735c

SHA512
f407a7e234e7ee7fc7a756335420f2b6056838c6a8734ba7daf98f31abde19d36b41c6f28e3d3e5e49e857d539f0cf14fb8ae8b5f915208fc4fbe551d31ad555

Download Submit
memory/2116-134-0x0000000000000000-mapping.dmp

Download
memory/2116-138-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp

Filesize
10.8MB

Download
memory/2116-141-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp

Filesize
10.8MB

Download
memory/2388-133-0x0000000000000000-mapping.dmp

Download
memory/2432-130-0x00000000001B0000-0x0000000000204000-memory.dmp

Filesize
336KB

Download
memory/2432-131-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp

Filesize
10.8MB

Download
memory/2432-137-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-132-0x0000000000000000-mapping.dmp

Download
memory/4156-139-0x0000000000000000-mapping.dmp

Download
memory/4204-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads