Analysis
-
max time kernel
93s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
20-10-2022 08:47
General
-
Target
Client.exe
-
Size
81KB
-
MD5
d504f7de6fc5459ee783b868766c1c4b
-
SHA1
f31c98177ddfed34d1aa4bbb15b4dd22a887bf7a
-
SHA256
753af27307876aa774a1f942184312dd73fa8f85331a5bc8c0f35dede2a5702a
-
SHA512
9c42c754c70d4b82f120d380faf615e8ff118668ffd56e5fdc0218224be1a22c91f402f656fe625092f6d6070131b2e9c399e8e430eac2a944376459ef62786e
-
SSDEEP
1536:JZuhD5z28TCRZyDeK0uKsA1HdCbv42jYLe81d:5OeKKJwbvTj6eud
Malware Config
Extracted
blacknet
v3.5 Public
bot
http://52.34.77.168:54948
BN[mIgYVgxM-7572066]
-
antivm
false
-
elevate_uac
false
-
install_name
svchost.exe
-
splitter
|BN|
-
start_name
14247ae8e9bdf8a07859c46cc6c701e5
-
startup
true
-
usb_spread
true
Signatures
-
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
-
BlackNET payload 2 IoCs
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exeFilesize
81KB
MD5d504f7de6fc5459ee783b868766c1c4b
SHA1f31c98177ddfed34d1aa4bbb15b4dd22a887bf7a
SHA256753af27307876aa774a1f942184312dd73fa8f85331a5bc8c0f35dede2a5702a
SHA5129c42c754c70d4b82f120d380faf615e8ff118668ffd56e5fdc0218224be1a22c91f402f656fe625092f6d6070131b2e9c399e8e430eac2a944376459ef62786e
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchost.exeFilesize
81KB
MD5d504f7de6fc5459ee783b868766c1c4b
SHA1f31c98177ddfed34d1aa4bbb15b4dd22a887bf7a
SHA256753af27307876aa774a1f942184312dd73fa8f85331a5bc8c0f35dede2a5702a
SHA5129c42c754c70d4b82f120d380faf615e8ff118668ffd56e5fdc0218224be1a22c91f402f656fe625092f6d6070131b2e9c399e8e430eac2a944376459ef62786e
-
memory/4508-132-0x00007FFAAD560000-0x00007FFAADF96000-memory.dmpFilesize
10.2MB
-
memory/4508-133-0x000000000131A000-0x000000000131F000-memory.dmpFilesize
20KB
-
memory/4508-134-0x000000000131A000-0x000000000131F000-memory.dmpFilesize
20KB
-
memory/4508-139-0x000000000131A000-0x000000000131F000-memory.dmpFilesize
20KB
-
memory/4680-135-0x0000000000000000-mapping.dmp
-
memory/4680-138-0x00007FFAAD560000-0x00007FFAADF96000-memory.dmpFilesize
10.2MB