Overview

overview

10

Static

static

file.exe

windows7-x64

3

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2023 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    295KB

  • MD5

    b6e66d96d62e7eab3513899694c07ac7

  • SHA1

    8d5cb73ee712c6bde5fe8fe79b3183caef83d4a6

  • SHA256

    b55e750d3ec8f350361c608a597d29359a315991bca5bd1cb0617b00cf5a1e60

  • SHA512

    52aab7d57cfd70ef5d02459e16de6b5db0999261280e82f6738c588165eef44186855e22a82baa75c1ebbc2ec7353d76034eb3fa91212cc41e8b6f0962022829

  • SSDEEP

    6144:G835hoX8h4pzNlpVzyfwiRBo1u/QSJjdN1IGRU:5XirLoRBo1U5NdN1

Score
10/10
blacknetbot01persistencetrojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

bot01

C2

http://18.117.193.148/

Mutex

BN[]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    e162b1333458a713bc6916cc8ac4110c

  • startup

    false

  • usb_spread

    false

Signatures

  • BlackNET

    BlackNET is an open source remote access tool written in VB.NET.

    trojanblacknet
  • BlackNET payload 3 IoCs
  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\RunIt.exe
      "C:\Users\Admin\AppData\Local\Temp\RunIt.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:3144
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\system32\PING.EXE
          ping 1.1.1.1 -n 5 -w 5000
          4⤵
          • Runs ping.exe
          PID:3368

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    Filesize

    99KB

    MD5

    b20ffab6a6a911d2d38a24350ca38e07

    SHA1

    623bd87603950e847f25121e153412ed704aaae7

    SHA256

    c0446b5d8723595bb4bee68a6a9cac370471bdc5d9afeafc6b9894cbb5378497

    SHA512

    7ce65974cb18d31f67f255a3e167a9b6a01c49210e14ac65ae11bcbb6e3b2cd538cc4605a494a28e5cf02e547a14c5495d3b007051d8b6087d7b18fcb5a85616

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    Filesize

    99KB

    MD5

    b20ffab6a6a911d2d38a24350ca38e07

    SHA1

    623bd87603950e847f25121e153412ed704aaae7

    SHA256

    c0446b5d8723595bb4bee68a6a9cac370471bdc5d9afeafc6b9894cbb5378497

    SHA512

    7ce65974cb18d31f67f255a3e167a9b6a01c49210e14ac65ae11bcbb6e3b2cd538cc4605a494a28e5cf02e547a14c5495d3b007051d8b6087d7b18fcb5a85616

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RunIt.exe
    Filesize

    117KB

    MD5

    9b6978c7592e7ac509b12bec5ad041b3

    SHA1

    4167f59920f7bb295abdca5834f208da2290eb0e

    SHA256

    d060a3b980d42f3e71b58eebca49a88a2bab063f8513ebe24b44b684d51dfcb1

    SHA512

    2fc5ee1e9a69ec6abd8f59335b1b8c005ae63abe8bb8409758ea856cf7133ffeb1b7ad25360cc2279812f16e36da057c171da81b5b7b54f6552dd8566fdbd537

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RunIt.exe
    Filesize

    117KB

    MD5

    9b6978c7592e7ac509b12bec5ad041b3

    SHA1

    4167f59920f7bb295abdca5834f208da2290eb0e

    SHA256

    d060a3b980d42f3e71b58eebca49a88a2bab063f8513ebe24b44b684d51dfcb1

    SHA512

    2fc5ee1e9a69ec6abd8f59335b1b8c005ae63abe8bb8409758ea856cf7133ffeb1b7ad25360cc2279812f16e36da057c171da81b5b7b54f6552dd8566fdbd537

    Download Submit

  • memory/1516-148-0x00007FFF1D770000-0x00007FFF1E231000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1516-151-0x00007FFF1D770000-0x00007FFF1E231000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1516-136-0x0000000000000000-mapping.dmp

    Download

  • memory/1516-140-0x0000000000FD0000-0x0000000000FEE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1516-141-0x00007FFF1D770000-0x00007FFF1E231000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2136-149-0x0000000000000000-mapping.dmp

    Download

  • memory/3144-142-0x0000000000DF0000-0x0000000000E14000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3144-143-0x0000000005920000-0x0000000005EC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3144-144-0x0000000005270000-0x0000000005302000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3144-145-0x0000000005410000-0x00000000054AC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3144-146-0x0000000005340000-0x000000000534A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3144-134-0x0000000000000000-mapping.dmp

    Download

  • memory/3368-150-0x0000000000000000-mapping.dmp

    Download

  • memory/3540-147-0x00007FFF1D770000-0x00007FFF1E231000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3540-132-0x0000000000AE0000-0x0000000000B32000-memory.dmp

    Filesize

    328KB

    Download

  • memory/3540-133-0x00007FFF1D770000-0x00007FFF1E231000-memory.dmp

    Filesize

    10.8MB

    Download