Analysis

  • max time kernel
    90s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/01/2023, 19:29

General

  • Target

    91c23be6780cd10b2f46371601701182302a0f214f8b01028def69aadee0410a.exe

  • Size

    873KB

  • MD5

    42b8b74ec77a26c89389fa1846b14ebc

  • SHA1

    53ee3acd6146cb982c0f5aa583d93ba961bd4d07

  • SHA256

    91c23be6780cd10b2f46371601701182302a0f214f8b01028def69aadee0410a

  • SHA512

    9572cb51e9d0b8a2175bfdcf603856d2951fc7c188ec0922b487b314cf6598a1421484338a3d0187ea0eca3a491ccd6ed19fcffea5ff553ac3119e096b9b2769

  • SSDEEP

    12288:GDJFGJ1MBqv6KOtAr7ClNpHaNGIr8QTBcRG8k6QDH:GDJFDw0hlNpH05r8KBcRK6YH

Score
10/10

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

WF6Fo4

C2

http://185.239.242.77/fucku/getwrecked/fockbot/

Mutex

BN[98f274ee7dffa0a483bf6aae80c1bed1]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    e162b1333458a713bc6916cc8ac4110c

  • startup

    false

  • usb_spread

    true

aes.plain

Signatures

  • BlackNET

    BlackNET is an open source remote access tool written in VB.NET.

  • BlackNET payload 1 IoCs
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91c23be6780cd10b2f46371601701182302a0f214f8b01028def69aadee0410a.exe
    "C:\Users\Admin\AppData\Local\Temp\91c23be6780cd10b2f46371601701182302a0f214f8b01028def69aadee0410a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 5 -w 5000
          4⤵
          • Runs ping.exe
          PID:4980

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

  • memory/1620-142-0x00000000003E0000-0x00000000003FE000-memory.dmp

    Filesize

    120KB

  • memory/1620-143-0x0000000004B40000-0x0000000004B4A000-memory.dmp

    Filesize

    40KB

  • memory/1620-144-0x0000000004DA0000-0x0000000004DF6000-memory.dmp

    Filesize

    344KB

  • memory/2096-135-0x00000000059A0000-0x0000000005A3C000-memory.dmp

    Filesize

    624KB

  • memory/2096-136-0x00000000081A0000-0x0000000008206000-memory.dmp

    Filesize

    408KB

  • memory/2096-137-0x0000000008160000-0x0000000008182000-memory.dmp

    Filesize

    136KB

  • memory/2096-134-0x00000000055A0000-0x0000000005632000-memory.dmp

    Filesize

    584KB

  • memory/2096-133-0x0000000005B50000-0x00000000060F4000-memory.dmp

    Filesize

    5.6MB

  • memory/2096-132-0x0000000000A80000-0x0000000000B5E000-memory.dmp

    Filesize

    888KB