Analysis

  • max time kernel
    91s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2022 15:21

General

  • Target

    HEUR-Trojan.Win32.Generic-bf0dae2bf317f6fd26f.exe

  • Size

    206KB

  • MD5

    3917f35aed62a03adffbe0f22ff0d446

  • SHA1

    7e2b3ffff8220e0b2b603e97343bfafcc7ea1079

  • SHA256

    bf0dae2bf317f6fd26f8815792aa685671842fa9393cef61c394b37ff552595d

  • SHA512

    3918e1f4b67f0195cff25a1326431ddf04ee173b50553e6ee4a0072879402388e16c5fcd6d9f2e6117e3b09b90496808776ba1fed5b92c6e69ab808949081911

  • SSDEEP

    3072:OxkNWNo7HCdkVTYB+eztx3be/EKyNFna4FwX5F:sePHd5YB+eztlboZ8wX5

Score
10/10

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

PRUEBA

C2

http://74.208.16.112/net

Mutex

BN[]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    e162b1333458a713bc6916cc8ac4110c

  • startup

    false

  • usb_spread

    false

Signatures

  • BlackNET

    BlackNET is an open source remote access tool written in VB.NET.

  • BlackNET payload 1 IoCs
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-bf0dae2bf317f6fd26f.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-bf0dae2bf317f6fd26f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /delete /tn "WindowsUpdate.exe" /f
      2⤵
        PID:3988
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-bf0dae2bf317f6fd26f.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Windows\system32\PING.EXE
          ping 1.1.1.1 -n 5 -w 5000
          3⤵
          • Runs ping.exe
          PID:4796
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-bf0dae2bf317f6fd26f.exe" /rl HIGHEST /f
        2⤵
        • Creates scheduled task(s)
        PID:1356

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1356-136-0x0000000000000000-mapping.dmp

    • memory/2420-132-0x0000000000FF0000-0x0000000001028000-memory.dmp

      Filesize

      224KB

    • memory/2420-133-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2420-138-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

      Filesize

      10.8MB

    • memory/3988-134-0x0000000000000000-mapping.dmp

    • memory/4796-137-0x0000000000000000-mapping.dmp

    • memory/4812-135-0x0000000000000000-mapping.dmp