Analysis
max time kernel: 99s
max time network: 98s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 16:28
Static task: static1
Behavioral task: behavioral1
  Sample: c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
  Resource: win10v2004-20221111-en
General
Target: c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
Size: 179KB
MD5: c89be917eb11b5f09561177b4cfddff5
SHA1: 61f7e9a65430c732bb145864fb5ea40fddbde35e
SHA256: c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671
SHA512: 6717283fd645873a042f63ea95ba01455d91a046317c0011a387bbfd352b69e71a53cb15811d0ff3ac2c7682102961da68c6fc7aa729a8fc2196e9af139ce5af
SSDEEP: 3072:zobMNvy29G/P/XP3ue33nev2W33PXPmG+ePu23PfmmO3XePmmPm3PeP3uPvu/Ovi:zobwhVi2nh3HETytaoRFYBiXB
Malware Config
Extracted
blacknet
v3.7.0 Public
HacKed
http://194.33.45.112
BN[]
antivm: false
elevate_uac: false
install_name: WindowsUpdate.exe
splitter: |BN|
start_name: e162b1333458a713bc6916cc8ac4110c
startup: false
usb_spread: false
Signatures
- BlackNET payload (6 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1728-60-0x0000000000400000-0x000000000041E000-memory.dmp  family_blacknet
    behavioral1/memory/1728-62-0x0000000000400000-0x000000000041E000-memory.dmp  family_blacknet
    behavioral1/memory/1728-64-0x000000000041756E-mapping.dmp                    family_blacknet
    behavioral1/memory/1728-63-0x0000000000400000-0x000000000041E000-memory.dmp  family_blacknet
    behavioral1/memory/1728-66-0x0000000000400000-0x000000000041E000-memory.dmp  family_blacknet
    behavioral1/memory/1728-68-0x0000000000400000-0x000000000041E000-memory.dmp  family_blacknet
- Contains code to disable Windows Defender (6 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1728-60-0x0000000000400000-0x000000000041E000-memory.dmp  disable_win_def
    behavioral1/memory/1728-62-0x0000000000400000-0x000000000041E000-memory.dmp  disable_win_def
    behavioral1/memory/1728-64-0x000000000041756E-mapping.dmp                    disable_win_def
    behavioral1/memory/1728-63-0x0000000000400000-0x000000000041E000-memory.dmp  disable_win_def
    behavioral1/memory/1728-66-0x0000000000400000-0x000000000041E000-memory.dmp  disable_win_def
    behavioral1/memory/1728-68-0x0000000000400000-0x000000000041E000-memory.dmp  disable_win_def
- Deletes itself (1 IoC)
  Processes:
    pid  process
    880  cmd.exe
- Drops startup file (2 IoCs)
  Processes:
    description                   ioc                                                                                   process
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe  pOwERsHeLl.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe  pOwERsHeLl.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                                                               target process
    PID 1060 set thread context of 1728  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1728  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    1984  pOwERsHeLl.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1728  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    Token: SeDebugPrivilege  1984  pOwERsHeLl.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    1728  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    1728  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description                       pid   process                                                               target process
    PID 1060 wrote to memory of 1728  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    PID 1060 wrote to memory of 1728  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    PID 1060 wrote to memory of 1728  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    PID 1060 wrote to memory of 1728  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    PID 1060 wrote to memory of 1728  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    PID 1060 wrote to memory of 1728  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    PID 1060 wrote to memory of 1728  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    PID 1060 wrote to memory of 1728  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    PID 1060 wrote to memory of 1728  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    PID 1060 wrote to memory of 1984  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  pOwERsHeLl.exe
    PID 1060 wrote to memory of 1984  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  pOwERsHeLl.exe
    PID 1060 wrote to memory of 1984  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  pOwERsHeLl.exe
    PID 1060 wrote to memory of 1984  1060  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  pOwERsHeLl.exe
    PID 1728 wrote to memory of 880   1728  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  cmd.exe
    PID 1728 wrote to memory of 880   1728  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  cmd.exe
    PID 1728 wrote to memory of 880   1728  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  cmd.exe
    PID 1728 wrote to memory of 880   1728  c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe  cmd.exe
    PID 880 wrote to memory of 292    880   cmd.exe                                                               PING.EXE
    PID 880 wrote to memory of 292    880   cmd.exe                                                               PING.EXE
    PID 880 wrote to memory of 292    880   cmd.exe                                                               PING.EXE
    PID 880 wrote to memory of 292    880   cmd.exe                                                               PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
  "C:\Users\Admin\AppData\Local\Temp\c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe
    "C:\Users\Admin\AppData\Local\Temp\c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 5 -w 5000
        - Runs ping.exe
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe
    "pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\c138d8e3110237ad4ed5dba3308a2e8a4eb685f84a55043354554b1127776671.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe'
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/292-78-0x0000000000000000-mapping.dmp
- memory/880-76-0x0000000000000000-mapping.dmp
- memory/1060-72-0x0000000004CA5000-0x0000000004CB6000-memory.dmp (Filesize: 68KB)
- memory/1060-55-0x0000000075021000-0x0000000075023000-memory.dmp (Filesize: 8KB)
- memory/1060-56-0x0000000000370000-0x0000000000386000-memory.dmp (Filesize: 88KB)
- memory/1060-54-0x0000000000300000-0x0000000000334000-memory.dmp (Filesize: 208KB)
- memory/1060-75-0x0000000004CA5000-0x0000000004CB6000-memory.dmp (Filesize: 68KB)
- memory/1728-58-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1728-63-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1728-66-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1728-68-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1728-64-0x000000000041756E-mapping.dmp
- memory/1728-62-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1728-60-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1728-77-0x0000000004BC7000-0x0000000004BD8000-memory.dmp (Filesize: 68KB)
- memory/1728-57-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
- memory/1984-69-0x0000000000000000-mapping.dmp
- memory/1984-73-0x000000006E5C0000-0x000000006EB6B000-memory.dmp (Filesize: 5.7MB)
- memory/1984-74-0x000000006E5C0000-0x000000006EB6B000-memory.dmp (Filesize: 5.7MB)