Analysis
-
max time kernel
68s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
07-02-2023 02:36
Behavioral task
behavioral1
Sample
c77e5db3244e658843f06ae2e61ad95f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c77e5db3244e658843f06ae2e61ad95f.exe
Resource
win10v2004-20220812-en
General
-
Target
c77e5db3244e658843f06ae2e61ad95f.exe
-
Size
133KB
-
MD5
c77e5db3244e658843f06ae2e61ad95f
-
SHA1
5bcf4c83cd1218db713c1be89369e368c6c0f115
-
SHA256
97ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9
-
SHA512
0d62eaaf493e840d4fe0c96cde1d8d1c76377789c1e99817426e39d16573a4a8de722d3c337a100e2a3c74bea7f1d89e5e494b0587b4c6114eb33b8b0c31d339
-
SSDEEP
3072:BI7KpEaKA2L22xYWVVz8pWzWpBZ7ubozFyTO1wbCl9fGJu:u7kKAhI8pWzWpB0boQMZGJ
Malware Config
Extracted
blacknet
ec
NriE0EakUiK+22Ai4N6Othh0De1s55kV0+sFoXChkQhcVCI2dUu3XGlBV5pu/x/cmJ/BByQIf9PqFghM2sWKP07Iz1Om2nFj+5Ad12ZaY4I9PtWNNix+MC57LiawhMvDUqvUZ0D9AMzT8Ml3Nn9NF/VG4jr2jwHli/295QeYGFGuN7RO/IqZPFblPfaRqq3BNeE7xgdHFMHJVcwvHA4s0oso3I6avTLaxL57NqpSPVJhEZ1yPk4qQWERPXxXoS+1Wp4lQUuVgRpkdjgjhF3IjONn1RIO+3lwJvDoUCLTzG1IxQGrYB+xHSLQ6jCzByfdvDqCc0Jpf0uylVa3q6zmPQ==
BN[UfwxTUeC-7463479]
-
antivm
false
-
elevate_uac
true
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
cde2f914e4cce7f13b2c1cec7b6da970
-
startup
false
-
usb_spread
true
Signatures
-
BlackNET payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x00070000000133e6-60.dat family_blacknet behavioral1/files/0x00070000000133e6-61.dat family_blacknet -
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral1/files/0x00070000000133e6-60.dat disable_win_def behavioral1/files/0x00070000000133e6-61.dat disable_win_def -
Processes:
c77e5db3244e658843f06ae2e61ad95f.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c77e5db3244e658843f06ae2e61ad95f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection c77e5db3244e658843f06ae2e61ad95f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c77e5db3244e658843f06ae2e61ad95f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c77e5db3244e658843f06ae2e61ad95f.exe -
Executes dropped EXE 2 IoCs
Processes:
WindowsUpdate.exesvchosts.exepid Process 1684 WindowsUpdate.exe 1692 svchosts.exe -
Processes:
c77e5db3244e658843f06ae2e61ad95f.exeWindowsUpdate.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features c77e5db3244e658843f06ae2e61ad95f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features WindowsUpdate.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
c77e5db3244e658843f06ae2e61ad95f.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cde2f914e4cce7f13b2c1cec7b6da970 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" c77e5db3244e658843f06ae2e61ad95f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
c77e5db3244e658843f06ae2e61ad95f.exepid Process 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe 1784 c77e5db3244e658843f06ae2e61ad95f.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
c77e5db3244e658843f06ae2e61ad95f.exepowershell.exeWindowsUpdate.exepowershell.exesvchosts.exedescription pid Process Token: SeDebugPrivilege 1784 c77e5db3244e658843f06ae2e61ad95f.exe Token: SeDebugPrivilege 1900 powershell.exe Token: SeDebugPrivilege 1684 WindowsUpdate.exe Token: SeDebugPrivilege 1936 powershell.exe Token: SeDebugPrivilege 1692 svchosts.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
c77e5db3244e658843f06ae2e61ad95f.exeWindowsUpdate.exedescription pid Process procid_target PID 1784 wrote to memory of 1900 1784 c77e5db3244e658843f06ae2e61ad95f.exe 29 PID 1784 wrote to memory of 1900 1784 c77e5db3244e658843f06ae2e61ad95f.exe 29 PID 1784 wrote to memory of 1900 1784 c77e5db3244e658843f06ae2e61ad95f.exe 29 PID 1784 wrote to memory of 1684 1784 c77e5db3244e658843f06ae2e61ad95f.exe 31 PID 1784 wrote to memory of 1684 1784 c77e5db3244e658843f06ae2e61ad95f.exe 31 PID 1784 wrote to memory of 1684 1784 c77e5db3244e658843f06ae2e61ad95f.exe 31 PID 1684 wrote to memory of 1936 1684 WindowsUpdate.exe 32 PID 1684 wrote to memory of 1936 1684 WindowsUpdate.exe 32 PID 1684 wrote to memory of 1936 1684 WindowsUpdate.exe 32 PID 1684 wrote to memory of 1252 1684 WindowsUpdate.exe 34 PID 1684 wrote to memory of 1252 1684 WindowsUpdate.exe 34 PID 1684 wrote to memory of 1252 1684 WindowsUpdate.exe 34 PID 1684 wrote to memory of 1692 1684 WindowsUpdate.exe 36 PID 1684 wrote to memory of 1692 1684 WindowsUpdate.exe 36 PID 1684 wrote to memory of 1692 1684 WindowsUpdate.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\c77e5db3244e658843f06ae2e61ad95f.exe"C:\Users\Admin\AppData\Local\Temp\c77e5db3244e658843f06ae2e61ad95f.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONSTART /RL HIGHEST /tn "'WindowsUpdate"' /tr "'C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'3⤵
- Creates scheduled task(s)
PID:1252
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD5c77e5db3244e658843f06ae2e61ad95f
SHA15bcf4c83cd1218db713c1be89369e368c6c0f115
SHA25697ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9
SHA5120d62eaaf493e840d4fe0c96cde1d8d1c76377789c1e99817426e39d16573a4a8de722d3c337a100e2a3c74bea7f1d89e5e494b0587b4c6114eb33b8b0c31d339
-
Filesize
133KB
MD5c77e5db3244e658843f06ae2e61ad95f
SHA15bcf4c83cd1218db713c1be89369e368c6c0f115
SHA25697ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9
SHA5120d62eaaf493e840d4fe0c96cde1d8d1c76377789c1e99817426e39d16573a4a8de722d3c337a100e2a3c74bea7f1d89e5e494b0587b4c6114eb33b8b0c31d339
-
Filesize
18KB
MD5d133d370c3858c9811e70f95d554d2c6
SHA1bb09b1253ce571a49b76951283883a3499588295
SHA25687a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b
SHA512db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778
-
Filesize
18KB
MD5d133d370c3858c9811e70f95d554d2c6
SHA1bb09b1253ce571a49b76951283883a3499588295
SHA25687a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b
SHA512db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD51378e490c0b7f5dc9b4fd534087d0ec5
SHA19788733cf9cdc02a3769f01beead8b796bcf36fa
SHA25623c9f5fbef6181200f2b3f9ead32efc9fa2aae211b881d89dba047c12641b2b8
SHA512ab62063146a9c09ff9ebfcc79fbda8797d2d0454cd38e229920706fe9c142b1f704b0c4253c9974f98836389ffcb60e41d56785282ee1f6beb7f1c0a71c72a07