blacknet | 8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d

General

Target

8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
Size

113KB
MD5

16b2192fc64d1cc4347cc505234efbb7
SHA1

dfeae6690c243500a2f91ba2f6b0389231891490
SHA256

8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d
SHA512

488c53e7b55bb53edc608c3f7e6363e2b44fc2f0fd97723598c4e8e80e7e30907473bf995652f62a2bd37f17b28db4f8a262e557675c99ae790ba814223b2d94

Score

10^/10

blacknet persistence trojan

Malware Config

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchosts.exe

pid process

3460 svchost.exe
5056 svchosts.exe

pid	process
3460	svchost.exe
5056	svchosts.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\765bcb2a9d8a6a686559411d153437c4 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MyClient\\svchost.exe"	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\765bcb2a9d8a6a686559411d153437c4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe"	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\765bcb2a9d8a6a686559411d153437c4 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MyClient\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe

pid	process
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exesvchost.exesvchosts.exe

description	pid	process
Token: SeDebugPrivilege	1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
Token: SeDebugPrivilege	3460	svchost.exe
Token: SeDebugPrivilege	5056	svchosts.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exesvchost.exe

description	pid	process	target process
PID 1284 wrote to memory of 3460	1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe	svchost.exe
PID 1284 wrote to memory of 3460	1284	8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe	svchost.exe
PID 3460 wrote to memory of 5056	3460	svchost.exe	svchosts.exe
PID 3460 wrote to memory of 5056	3460	svchost.exe	svchosts.exe

C:\Users\Admin\AppData\Local\Temp\8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe
"C:\Users\Admin\AppData\Local\Temp\8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460

C:\Users\Admin\AppData\Roaming\svchosts.exe
"C:\Users\Admin\AppData\Roaming\svchosts.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchost.exe
Filesize
113KB

MD5
16b2192fc64d1cc4347cc505234efbb7

SHA1
dfeae6690c243500a2f91ba2f6b0389231891490

SHA256
8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d

SHA512
488c53e7b55bb53edc608c3f7e6363e2b44fc2f0fd97723598c4e8e80e7e30907473bf995652f62a2bd37f17b28db4f8a262e557675c99ae790ba814223b2d94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\svchost.exe
Filesize
113KB

MD5
16b2192fc64d1cc4347cc505234efbb7

SHA1
dfeae6690c243500a2f91ba2f6b0389231891490

SHA256
8da0935bb9ecfb796a92fd2ed63b5d1dad8bef456ae1b9ec895f8fd69ab6127d

SHA512
488c53e7b55bb53edc608c3f7e6363e2b44fc2f0fd97723598c4e8e80e7e30907473bf995652f62a2bd37f17b28db4f8a262e557675c99ae790ba814223b2d94

Download Submit
C:\Users\Admin\AppData\Roaming\svchosts.exe
Filesize
17KB

MD5
cb9c9656e6ffd45241a4278af1ffbb97

SHA1
3f4af7f4377c254a0df56b9fff385f893f639ffd

SHA256
b4b6abe57148a81899636fc9f168c013c0301b8f116a3b8e3a57171d909a33dc

SHA512
055cc0651004f0a8f0b884798657ac8ddc977efcd54483a4312087b00205d7aebc048d64a31e0946d48e66b26686d19e7c57e1d88d885d775228c22653ea3d30

Download Submit
C:\Users\Admin\AppData\Roaming\svchosts.exe
Filesize
17KB

MD5
cb9c9656e6ffd45241a4278af1ffbb97

SHA1
3f4af7f4377c254a0df56b9fff385f893f639ffd

SHA256
b4b6abe57148a81899636fc9f168c013c0301b8f116a3b8e3a57171d909a33dc

SHA512
055cc0651004f0a8f0b884798657ac8ddc977efcd54483a4312087b00205d7aebc048d64a31e0946d48e66b26686d19e7c57e1d88d885d775228c22653ea3d30

Download Submit
memory/1284-157-0x0000000020AFE000-0x0000000020B0F000-memory.dmp

Filesize
68KB

Download
memory/1284-147-0x0000000020AFE000-0x0000000020B0F000-memory.dmp

Filesize
68KB

Download
memory/1284-137-0x0000000020AC4000-0x0000000020AC9000-memory.dmp

Filesize
20KB

Download
memory/1284-136-0x0000000020ABF000-0x0000000020AC4000-memory.dmp

Filesize
20KB

Download
memory/1284-135-0x0000000020ABA000-0x0000000020ABF000-memory.dmp

Filesize
20KB

Download
memory/1284-133-0x0000000020AB4000-0x0000000020AB7000-memory.dmp

Filesize
12KB

Download
memory/1284-134-0x0000000020AB7000-0x0000000020ABA000-memory.dmp

Filesize
12KB

Download
memory/1284-132-0x0000000020AB0000-0x0000000020AB4000-memory.dmp

Filesize
16KB

Download
memory/1284-131-0x00000000006BA000-0x00000000006BF000-memory.dmp

Filesize
20KB

Download
memory/1284-140-0x0000000020ADB000-0x0000000020AE4000-memory.dmp

Filesize
36KB

Download
memory/1284-139-0x0000000020AD2000-0x0000000020ADB000-memory.dmp

Filesize
36KB

Download
memory/1284-141-0x0000000020AE4000-0x0000000020AED000-memory.dmp

Filesize
36KB

Download
memory/1284-142-0x0000000020AED000-0x0000000020AFE000-memory.dmp

Filesize
68KB

Download
memory/1284-138-0x0000000020AC9000-0x0000000020AD2000-memory.dmp

Filesize
36KB

Download
memory/1284-148-0x0000000020B0F000-0x0000000020B20000-memory.dmp

Filesize
68KB

Download
memory/1284-149-0x0000000020B20000-0x0000000020B31000-memory.dmp

Filesize
68KB

Download
memory/1284-152-0x0000000020AB0000-0x0000000020AB4000-memory.dmp

Filesize
16KB

Download
memory/1284-155-0x0000000020B63000-0x0000000020B86000-memory.dmp

Filesize
140KB

Download
memory/1284-156-0x0000000020AED000-0x0000000020AFE000-memory.dmp

Filesize
68KB

Download
memory/1284-154-0x0000000020AE4000-0x0000000020AED000-memory.dmp

Filesize
36KB

Download
memory/1284-130-0x00007FFC24A20000-0x00007FFC25456000-memory.dmp

Filesize
10.2MB

Download
memory/1284-153-0x0000000020B42000-0x0000000020B63000-memory.dmp

Filesize
132KB

Download
memory/1284-151-0x00000000006BA000-0x00000000006BF000-memory.dmp

Filesize
20KB

Download
memory/1284-150-0x0000000020B31000-0x0000000020B42000-memory.dmp

Filesize
68KB

Download
memory/3460-146-0x00007FFC24A20000-0x00007FFC25456000-memory.dmp

Filesize
10.2MB

Download
memory/3460-143-0x0000000000000000-mapping.dmp

Download
memory/5056-158-0x0000000000000000-mapping.dmp

Download
memory/5056-161-0x00007FFC24A20000-0x00007FFC25456000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads