Analysis
-
max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 12-11-2022 12:31
Static task: static1
Behavioral task: behavioral1
Sample: HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe
Resource: win7-20220812-en
General
-
Target: HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe
Size: 1.2MB
MD5: 2a32b7f3a6f3398219829a798e705b68
SHA1: d1c9d4969239da09173c0c16ab7cc440214de440
SHA256: e3ad04269f7d5b6be4a0bbdb9d19f0b40bddfce4bc56697596e329903d1bedb3
SHA512: 7759ac196d05442c0b3d0c93b91eccf5b5a365861c8f257a533dd2ddae3737d0349afdab2bbfe0cd00165367e303228a446468ab703b81a33b2f179a535bcdad
SSDEEP: 24576:b4Syx6ara7MIrKxIT6/K/qt2pP/mtl/i6R6qLN0m:IWSAe/
Malware Config
Extracted
Family: blacknet
Version: v3.5.1 Public
Botnet: HacKed
C2: http://noctorships.ga/BlackNET/Panel/
Mutex: BN[BNcJaNRq-7658837]
-
antivm: true
elevate_uac: false
install_name: WindowsUpdate.exe
splitter: |BN|
start_name: a4f5fc179540a0b155d91b489e6811e2
startup: false
usb_spread: false
Signatures
-
BlackNET payload 2 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\tmp425E.tmp.exe  yara_rule: family_blacknet
resource: C:\Users\Admin\AppData\Local\Temp\tmp425E.tmp.exe  yara_rule: family_blacknet
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\tmp425E.tmp.exe  yara_rule: disable_win_def
resource: C:\Users\Admin\AppData\Local\Temp\tmp425E.tmp.exe  yara_rule: disable_win_def
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1624  tmp425E.tmp.exe
1072  svshost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but no file encryption activity is recorded elsewhere in this report; for a BlackNET build the drive enumeration is more consistent with its removable-media spreading capability (the usb_spread option in the extracted config, which is set to false here).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid   process
1624  tmp425E.tmp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1088  HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe
Token: SeDebugPrivilege  1624  tmp425E.tmp.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1624  tmp425E.tmp.exe
1624  tmp425E.tmp.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                        pid   process                                             target process
PID 1088 wrote to memory of 1624   1088  HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe   tmp425E.tmp.exe
PID 1088 wrote to memory of 1624   1088  HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe   tmp425E.tmp.exe
PID 1088 wrote to memory of 1624   1088  HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe   tmp425E.tmp.exe
PID 1624 wrote to memory of 1072   1624  tmp425E.tmp.exe                                     svshost.exe
PID 1624 wrote to memory of 1072   1624  tmp425E.tmp.exe                                     svshost.exe
PID 1624 wrote to memory of 1072   1624  tmp425E.tmp.exe                                     svshost.exe
PID 1624 wrote to memory of 1072   1624  tmp425E.tmp.exe                                     svshost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe (PID 1088, depth 1), command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp425E.tmp.exe (PID 1624, depth 2, child of PID 1088), command line: "C:\Users\Admin\AppData\Local\Temp\tmp425E.tmp.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svshost.exe (PID 1072, depth 3, child of PID 1624), command line: "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
- Executes dropped EXE
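The process tree and the signature tables above can be triaged mechanically. The Python below is an added example, not part of the sandbox or of the sample: the process, privilege and WriteProcessMemory records are transcribed from this report, while the list of impersonated system binaries and the user-writable path prefixes are assumptions for illustration. The point it encodes is the caveat a reviewer needs for the WriteProcessMemory signature: process creation itself writes the new child's startup data into it, so a parent writing into a child it has just spawned (all seven records here) is expected, and only writes into an unrelated process should be read as injection. It also catches the svshost.exe name as a one-character imitation of svchost.exe.

```python
"""Triage of a sandbox process tree and signature records (added example)."""
import re
from collections import Counter

# Transcribed from the report's "Processes" section: (pid, parent pid, image path).
PROCESS_EVENTS = [
    (1088, None, r"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe"),
    (1624, 1088, r"C:\Users\Admin\AppData\Local\Temp\tmp425E.tmp.exe"),
    (1072, 1624, r"C:\Users\Admin\AppData\Local\Temp\svshost.exe"),
]

# Transcribed from "Suspicious use of AdjustPrivilegeToken": (pid, privilege).
PRIVILEGE_EVENTS = [(1088, "SeDebugPrivilege"), (1624, "SeDebugPrivilege")]

# Transcribed from "Suspicious use of WriteProcessMemory", one record per line.
WPM_LOG = """\
PID 1088 wrote to memory of 1624 1088 HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe tmp425E.tmp.exe
PID 1088 wrote to memory of 1624 1088 HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe tmp425E.tmp.exe
PID 1088 wrote to memory of 1624 1088 HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe tmp425E.tmp.exe
PID 1624 wrote to memory of 1072 1624 tmp425E.tmp.exe svshost.exe
PID 1624 wrote to memory of 1072 1624 tmp425E.tmp.exe svshost.exe
PID 1624 wrote to memory of 1072 1624 tmp425E.tmp.exe svshost.exe
PID 1624 wrote to memory of 1072 1624 tmp425E.tmp.exe svshost.exe
"""
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) ")

# Assumed lists: names commodity malware imitates, and directories any user can write to.
SYSTEM_BINARIES = ("svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe", "conhost.exe")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "c:\\users\\public\\", "c:\\programdata\\")


def edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary `filename` imitates (distance exactly 1), else None."""
    name = filename.lower()
    for legit in SYSTEM_BINARIES:
        if name != legit and edit_distance(name, legit) == 1:
            return legit
    return None


def parse_wpm(log_text):
    """Count WriteProcessMemory records per (writer pid, target pid)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = WPM_RE.match(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def triage(process_events, privilege_events, wpm_log):
    """Return findings keyed by category; every list is sorted for stable output."""
    parent_of = {pid: ppid for pid, ppid, _ in process_events}
    findings = {
        "executes_from_user_writable": [],
        "lookalike_system_name": [],
        "sedebugprivilege": sorted(pid for pid, priv in privilege_events if priv == "SeDebugPrivilege"),
        "wpm_into_own_child": [],
        "wpm_into_other_process": [],
    }
    for pid, _, path in process_events:
        basename = path.rsplit("\\", 1)[-1]
        if any(marker in path.lower() for marker in USER_WRITABLE):
            findings["executes_from_user_writable"].append(pid)
        legit = lookalike_of(basename)
        if legit:
            findings["lookalike_system_name"].append((pid, basename, legit))
    # Process creation writes the child's startup data into the new process, so a
    # parent writing into the child it just spawned is expected in these reports.
    # Only writes into a process that is not the writer's child suggest injection.
    for (writer, target), n in sorted(parse_wpm(wpm_log).items()):
        key = "wpm_into_own_child" if parent_of.get(target) == writer else "wpm_into_other_process"
        findings[key].append((writer, target, n))
    findings["executes_from_user_writable"].sort()
    return findings


if __name__ == "__main__":
    for category, hits in triage(PROCESS_EVENTS, PRIVILEGE_EVENTS, WPM_LOG).items():
        print(f"{category}: {hits}")
```

Run against this report, every WriteProcessMemory record lands in wpm_into_own_child and wpm_into_other_process stays empty, which is why the signature on its own is weak evidence; the stronger indicators are the three-deep chain executing entirely from %TEMP%, SeDebugPrivilege on two of those processes, and the svchost.exe lookalike name.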
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize 381KB
MD5 0a499943ccd563c8b7d4bb3c7717a341
SHA1 c08a548c9d68f66feff1ce0bdc2e7ebddd1d5467
SHA256 d8ff47a7e4fc832c9dcafca95990fe8e989aeef493be5dfecca10d9c3228c64b
SHA512 89b0d83d2ea4b1e739c4f8d183670d8684624fb32ee29b22625adddb82a0b1a29c92423906bf3d4461d2efb3b46b717cb5cd742a29ed6b0d89d8735d5deb58f9
-
C:\Users\Admin\AppData\Local\Temp\tmp425E.tmp.exe
Filesize 1.1MB
MD5 589cac94238870c8fdabc6262e5b3026
SHA1 d0c2fe2913f9a333b1402e42022f80b7d539b933
SHA256 40b022c5ff2ecf2cfa11be4738839dbacafcfff233691256def7a1f2bdcd9060
SHA512 d707e1b36599bd491d5ab29825969b3bfeb2fc1fc1f6fa906a0ad344eeddcef77565c55ad80bbe9a242139c217c0e08b3418ca79d1023bd494bc909e87ca0c57
-
memory/1072-63-0x0000000000000000-mapping.dmp
-
memory/1072-66-0x0000000001220000-0x0000000001284000-memory.dmp
Filesize 400KB
-
memory/1072-67-0x0000000076681000-0x0000000076683000-memory.dmp
Filesize 8KB
-
memory/1072-69-0x0000000000BF5000-0x0000000000C06000-memory.dmp
Filesize 68KB
-
memory/1088-54-0x000007FEF3F10000-0x000007FEF4933000-memory.dmp
Filesize 10.1MB
-
memory/1088-55-0x000007FEFC431000-0x000007FEFC433000-memory.dmp
Filesize 8KB
-
memory/1624-59-0x000007FEF3F10000-0x000007FEF4933000-memory.dmp
Filesize 10.1MB
-
memory/1624-60-0x000007FEF2E70000-0x000007FEF3F06000-memory.dmp
Filesize 16.6MB
-
memory/1624-62-0x0000000002016000-0x0000000002035000-memory.dmp
Filesize 124KB
-
memory/1624-56-0x0000000000000000-mapping.dmp
-
memory/1624-68-0x0000000002016000-0x0000000002035000-memory.dmp
Filesize 124KB