Analysis
-
max time kernel
93s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted
20-10-2022 08:47
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Client.exe
Resource
win10v2004-20220812-en
General
-
Target
Client.exe
-
Size
81KB
-
MD5
d504f7de6fc5459ee783b868766c1c4b
-
SHA1
f31c98177ddfed34d1aa4bbb15b4dd22a887bf7a
-
SHA256
753af27307876aa774a1f942184312dd73fa8f85331a5bc8c0f35dede2a5702a
-
SHA512
9c42c754c70d4b82f120d380faf615e8ff118668ffd56e5fdc0218224be1a22c91f402f656fe625092f6d6070131b2e9c399e8e430eac2a944376459ef62786e
-
SSDEEP
1536:JZuhD5z28TCRZyDeK0uKsA1HdCbv42jYLe81d:5OeKKJwbvTj6eud
Malware Config
Extracted
blacknet
v3.5 Public
bot
http://52.34.77.168:54948
BN[mIgYVgxM-7572066]
-
antivm
false
-
elevate_uac
false
-
install_name
svchost.exe
-
splitter
|BN|
-
start_name
14247ae8e9bdf8a07859c46cc6c701e5
-
startup
true
-
usb_spread
true
Signatures
-
BlackNET payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exe | family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exe | family_blacknet
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exe | disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exe | disable_win_def
-
Executes dropped EXE 1 IoCs
Processes: svchost.exe
pid | process
4680 | svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Client.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | Client.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: Client.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14247ae8e9bdf8a07859c46cc6c701e5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\svchost.exe" | Client.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14247ae8e9bdf8a07859c46cc6c701e5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe" | Client.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14247ae8e9bdf8a07859c46cc6c701e5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\svchost.exe" | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes: Client.exe, svchost.exe
pid | process
4508 | Client.exe
4680 | svchost.exe
(the 44 IoCs are repeated hits on these two processes)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Client.exe, svchost.exe
description | pid | process
Token: SeDebugPrivilege | 4508 | Client.exe
Token: SeDebugPrivilege | 4680 | svchost.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: Client.exe, svchost.exe
pid | process
4508 | Client.exe
4508 | Client.exe
4680 | svchost.exe
4680 | svchost.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: Client.exe
description | pid | process | target process
PID 4508 wrote to memory of 4680 | 4508 | Client.exe | svchost.exe
PID 4508 wrote to memory of 4680 | 4508 | Client.exe | svchost.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Client.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
2. C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exe (child of 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exe
Filesize
81KB
MD5
d504f7de6fc5459ee783b868766c1c4b
SHA1
f31c98177ddfed34d1aa4bbb15b4dd22a887bf7a
SHA256
753af27307876aa774a1f942184312dd73fa8f85331a5bc8c0f35dede2a5702a
SHA512
9c42c754c70d4b82f120d380faf615e8ff118668ffd56e5fdc0218224be1a22c91f402f656fe625092f6d6070131b2e9c399e8e430eac2a944376459ef62786e
-
memory/4508-132-0x00007FFAAD560000-0x00007FFAADF96000-memory.dmp
Filesize
10.2MB
-
memory/4508-133-0x000000000131A000-0x000000000131F000-memory.dmp
Filesize
20KB
-
memory/4508-134-0x000000000131A000-0x000000000131F000-memory.dmp
Filesize
20KB
-
memory/4508-139-0x000000000131A000-0x000000000131F000-memory.dmp
Filesize
20KB
-
memory/4680-135-0x0000000000000000-mapping.dmp
-
memory/4680-138-0x00007FFAAD560000-0x00007FFAADF96000-memory.dmp
Filesize
10.2MB