Analysis
-
max time kernel
41s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
16/11/2022, 11:38
General
-
Target
f335de99ddd439a9cbdcfed4b0a401806af481b789122df20936b9c00991b7e7.exe
-
Size
226KB
-
MD5
42e00577b163d4c87b0b758871452ff6
-
SHA1
b829fad325624cba1b1feb07f09cc24d471f47a5
-
SHA256
f335de99ddd439a9cbdcfed4b0a401806af481b789122df20936b9c00991b7e7
-
SHA512
6f89abe6076acd36e410cca7817e0bc33d056a2bfead08c5e8a84649b57a53428f2640b6fd026d52895057193af34e249c1dd071d5a781b35be5a62e30285c16
-
SSDEEP
3072:gXOzkeIaL1sR5Han+zMEJgWYL4BVEu8UwyVCrgW+gvhw4Cg3drRh5h+yKnu:UON/LE5Ow7gWeju8DgBw3ND5h+yc
Malware Config
Extracted
blacknet
v3.7.0 Public
Round3
http://zee.zight.ru
BN[d396d077ee81b07d64cc8bbff27bbccb]
-
antivm
true
-
elevate_uac
false
-
install_name
GPUpdate.exe
-
splitter
|BN|
-
start_name
e162b1333458a713bc6916cc8ac4110c
-
startup
false
-
usb_spread
false
Signatures
-
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
-
BlackNET payload 1 IoCs
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detects Smokeloader packer 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f335de99ddd439a9cbdcfed4b0a401806af481b789122df20936b9c00991b7e7.exe"C:\Users\Admin\AppData\Local\Temp\f335de99ddd439a9cbdcfed4b0a401806af481b789122df20936b9c00991b7e7.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D304.exeC:\Users\Admin\AppData\Local\Temp\D304.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DAF4.exeC:\Users\Admin\AppData\Local\Temp\DAF4.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\E527.exeC:\Users\Admin\AppData\Local\Temp\E527.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\E527.exe"C:\Users\Admin\AppData\Local\Temp\E527.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 26923⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\RegStart"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\RegStart\RegStart.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\RegStart\RegStart.exe'" /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\E527.exe" "C:\Users\Admin\AppData\Roaming\RegStart\RegStart.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\F814.exeC:\Users\Admin\AppData\Local\Temp\F814.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1D9.exeC:\Users\Admin\AppData\Local\Temp\1D9.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:N"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:R" /E4⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 11402⤵
- Program crash
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3700 -ip 37001⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3896 -ip 38961⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD567422d51b73b9e580ad1d4ba4a0553b9
SHA1cbbbb10166bb020d637bee3b99a1e61dab3e2067
SHA25664f2b64d4122513a18baddccd96b896d6287916a53745756ba44b3ff3c39117d
SHA51243b60e1184fbf566eaf820d5aeeb649f62112d09607d6d746d562fc3e13c590c23bfa6cd80caf769005f1ba7be22d7e2d12294117e8ee618aa5e4357bcb4bb89
-
Filesize
264KB
MD567422d51b73b9e580ad1d4ba4a0553b9
SHA1cbbbb10166bb020d637bee3b99a1e61dab3e2067
SHA25664f2b64d4122513a18baddccd96b896d6287916a53745756ba44b3ff3c39117d
SHA51243b60e1184fbf566eaf820d5aeeb649f62112d09607d6d746d562fc3e13c590c23bfa6cd80caf769005f1ba7be22d7e2d12294117e8ee618aa5e4357bcb4bb89
-
Filesize
264KB
MD567422d51b73b9e580ad1d4ba4a0553b9
SHA1cbbbb10166bb020d637bee3b99a1e61dab3e2067
SHA25664f2b64d4122513a18baddccd96b896d6287916a53745756ba44b3ff3c39117d
SHA51243b60e1184fbf566eaf820d5aeeb649f62112d09607d6d746d562fc3e13c590c23bfa6cd80caf769005f1ba7be22d7e2d12294117e8ee618aa5e4357bcb4bb89
-
Filesize
264KB
MD567422d51b73b9e580ad1d4ba4a0553b9
SHA1cbbbb10166bb020d637bee3b99a1e61dab3e2067
SHA25664f2b64d4122513a18baddccd96b896d6287916a53745756ba44b3ff3c39117d
SHA51243b60e1184fbf566eaf820d5aeeb649f62112d09607d6d746d562fc3e13c590c23bfa6cd80caf769005f1ba7be22d7e2d12294117e8ee618aa5e4357bcb4bb89
-
Filesize
330KB
MD561bf9bb6cca5549bea73511e3bb5309c
SHA1e2055192326bd529214883e6183fdcf7fbd09dfe
SHA25663566438f17e880d08435cc329b75f75f2c58773f3b2d046d4f3867cd8f2b810
SHA512d79745a0c5f72daa3e323340496bcce48411f1e843402d5bc3cb0732328952c36188bd2b961b16e9d424b2b5c1f5470efe0fce302dd71c8d6377c4b7cf455393
-
Filesize
330KB
MD561bf9bb6cca5549bea73511e3bb5309c
SHA1e2055192326bd529214883e6183fdcf7fbd09dfe
SHA25663566438f17e880d08435cc329b75f75f2c58773f3b2d046d4f3867cd8f2b810
SHA512d79745a0c5f72daa3e323340496bcce48411f1e843402d5bc3cb0732328952c36188bd2b961b16e9d424b2b5c1f5470efe0fce302dd71c8d6377c4b7cf455393
-
Filesize
4.2MB
MD5a62965dde47512afd390806c88f6821b
SHA1f389db3ccfd224c398e33375521ae18b5dc6b8fd
SHA256e3277990b72605b6007680f0709c1d6b7e2e178b71d6d3f45635ae1d085b1400
SHA51289dc8bd1ace718ba9326b3b12ac9aeca4e7d32afffd58676657966fa8e6c984eb346e88654e97603f47d0194d452e8da03d97acfd64be34ac10191f7ff30cacf
-
Filesize
356KB
MD5354d20e21be15dd24eb8a9b2b18a8407
SHA1f3c9182f5a8a45ee8f9cbcf2e4584c38ff670533
SHA2560cfd96c0bef9061e95adbc2f00f6e0bd39c1103ca4761c9af850528d28455b44
SHA5127bcfd0d2bca8a7bc3f0836c012438125cabdac11e7978f3d8a55ace928fe98ceac8ddf7cab146847ad9c9299c9231711df5b52cb0e429bcb5f519fae7353edb5
-
Filesize
356KB
MD5354d20e21be15dd24eb8a9b2b18a8407
SHA1f3c9182f5a8a45ee8f9cbcf2e4584c38ff670533
SHA2560cfd96c0bef9061e95adbc2f00f6e0bd39c1103ca4761c9af850528d28455b44
SHA5127bcfd0d2bca8a7bc3f0836c012438125cabdac11e7978f3d8a55ace928fe98ceac8ddf7cab146847ad9c9299c9231711df5b52cb0e429bcb5f519fae7353edb5
-
Filesize
356KB
MD5354d20e21be15dd24eb8a9b2b18a8407
SHA1f3c9182f5a8a45ee8f9cbcf2e4584c38ff670533
SHA2560cfd96c0bef9061e95adbc2f00f6e0bd39c1103ca4761c9af850528d28455b44
SHA5127bcfd0d2bca8a7bc3f0836c012438125cabdac11e7978f3d8a55ace928fe98ceac8ddf7cab146847ad9c9299c9231711df5b52cb0e429bcb5f519fae7353edb5
-
Filesize
3.0MB
MD536da8ca92f8725823be3112ad6387a19
SHA1daff6fee3427fcc8d5578c38473e9cef64af8bf6
SHA256c1ec537c48cc89eb36163eea90e1b6de9a0d5a23ee1b9fd6b9188057bb168fe2
SHA512a52e8ff50df8260bfb8368a1c53959fedf0b609c5cf5fb1d3fde5de0b800603e637f9afac939bddb7234e2215ba2b83a28af0fbc4cc5fbb2c7c2012c1b30ac2d
-
Filesize
3.0MB
MD536da8ca92f8725823be3112ad6387a19
SHA1daff6fee3427fcc8d5578c38473e9cef64af8bf6
SHA256c1ec537c48cc89eb36163eea90e1b6de9a0d5a23ee1b9fd6b9188057bb168fe2
SHA512a52e8ff50df8260bfb8368a1c53959fedf0b609c5cf5fb1d3fde5de0b800603e637f9afac939bddb7234e2215ba2b83a28af0fbc4cc5fbb2c7c2012c1b30ac2d
-
Filesize
8.6MB
-
Filesize
472KB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
8.6MB
-
Filesize
1.6MB
-
Filesize
8.6MB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
200KB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
600KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
56KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
376KB
-
Filesize
408KB
-
Filesize
248KB
-
Filesize
4.3MB
-
Filesize
124KB
-
Filesize
4.3MB
-
Filesize
136KB
-
Filesize
36KB
-
Filesize
92KB
-
Filesize
20KB
-
Filesize
16KB
-
Filesize
20KB
-
Filesize
624KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
76KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
1.0MB
-
Filesize
248KB
-
Filesize
196KB
-
Filesize
1.7MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
5.2MB
-
Filesize
6.1MB
-
Filesize
196KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
20KB
-
Filesize
36KB