blacknet | 6f02ca9fdc2cd216c60c1013dc5bfbca6384ed866e39b033a3c2bf68cdc0b79e

Analysis

max time kernel
107s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2022 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe
Size

438KB
MD5

0c551697d82616d3b1a485eddf0af56f
SHA1

40023cac06e70e14c13fbc7b710e87fce5406c61
SHA256

6f02ca9fdc2cd216c60c1013dc5bfbca6384ed866e39b033a3c2bf68cdc0b79e
SHA512

63a260836f4de87333232c899c8d5351a9db1e338caffbf2f5f577f96bbadac992bc041a623f7b3c1cbfea5af5228060b95725f758b1abf6428e75c17684a9a8

Score

10^/10

blacknet trojan

Malware Config

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet
Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

984 update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

update.exe

pid	process
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe
984	update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

update.exe

description pid process

Token: SeDebugPrivilege 984 update.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

update.exe

pid process

984 update.exe
984 update.exe

description	pid	process
Token: SeDebugPrivilege	984	update.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe

description	pid	process	target process
PID 2640 wrote to memory of 984	2640	6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe	update.exe
PID 2640 wrote to memory of 984	2640	6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe	update.exe
PID 2640 wrote to memory of 4100	2640	6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe	cmd.exe
PID 2640 wrote to memory of 4100	2640	6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe	cmd.exe
PID 2640 wrote to memory of 4100	2640	6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe
"C:\Users\Admin\AppData\Local\Temp\6F02CA9FDC2CD216C60C1013DC5BFBCA6384ED866E39B.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Roaming\update.exe
"C:\Users\Admin\AppData\Roaming\update.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Discord-Nitro-Generator.bat" "
2⤵
PID:4100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Discord-Nitro-Generator.bat
Filesize
3KB

MD5
7bc715359db2720d52250539a3000774

SHA1
347cff5768cf149573e5db50889f823dda624712

SHA256
a5a0d5e79c1f88b6ad650ddfa522f0ace1239cb20d5ee8c077d0dbfd1195914e

SHA512
7844b08d6335d7eca718a02998c6a556e4063acd059725a746b805cf42f4c3677e8c9204dbcb5c657e9822a3b7c6049f2fef2dd6b9e73e412bfe0c56673f133f

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe
Filesize
308KB

MD5
ea3b5c344a9a8c382513bf20bd073870

SHA1
b11a7f4ffa68e519760ed1f36e0fffd409a70d87

SHA256
530abe6bbab9935fc5de06e44f8441421118a27a1a4fe9b29866594c6292e273

SHA512
dfd2cce94257eecfc7b6e1268c8f64da602037338bb69f733dc92dca3f94030133357511d5a7c095a10030584475cfdc214d7859b2d7d5b0d67ee6ae288a4484

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe
Filesize
308KB

MD5
ea3b5c344a9a8c382513bf20bd073870

SHA1
b11a7f4ffa68e519760ed1f36e0fffd409a70d87

SHA256
530abe6bbab9935fc5de06e44f8441421118a27a1a4fe9b29866594c6292e273

SHA512
dfd2cce94257eecfc7b6e1268c8f64da602037338bb69f733dc92dca3f94030133357511d5a7c095a10030584475cfdc214d7859b2d7d5b0d67ee6ae288a4484

Download Submit
memory/984-132-0x0000000000000000-mapping.dmp

Download
memory/984-137-0x00007FFD1EE20000-0x00007FFD1F856000-memory.dmp

Filesize
10.2MB

Download
memory/984-138-0x000000000111A000-0x000000000111F000-memory.dmp

Filesize
20KB

Download
memory/984-139-0x000000000111A000-0x000000000111F000-memory.dmp

Filesize
20KB

Download
memory/4100-135-0x0000000000000000-mapping.dmp

Download