blacknet | 84298e0b46665ad3825b9344fbda6ac8d75a6e9ccc44eab5b40a70555e4718f4

General

Target

84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
Size

86KB
MD5

ad9e6ee16b3abd3f757c8b5357de6042
SHA1

f324263dc0b46991bb0ed664577910c4f4de8009
SHA256

84298e0b46665ad3825b9344fbda6ac8d75a6e9ccc44eab5b40a70555e4718f4
SHA512

428453f17a3c7829e8d6719fb605439ac26368be25113c179af2fa03e2b064e523eae1043998d54dd5ce07626012c43ffede666dec431013183eef990e0d8235
SSDEEP

1536:zW27RutYPWEBQlIGOO1g4W6j6hMbv4UFZLrkjj1RZ:5g1g49jcMbvLFxrkjF

Score

10^/10

blacknet evasion persistence trojan

Malware Config

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1972-54-0x00000000000F0000-0x000000000010A000-memory.dmp	disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
behavioral1/memory/968-63-0x0000000000810000-0x000000000082A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe

Executes dropped EXE 1 IoCs

Processes:

WindowsUpdate.exe

pid process

968 WindowsUpdate.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe

pid	process
968	WindowsUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\edd3d42a2f83b252a9c7c412bfbb2d3c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exeWindowsUpdate.exepowershell.exe

pid process

1972 84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
968 WindowsUpdate.exe
1892 powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exeWindowsUpdate.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1972	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
Token: SeDebugPrivilege	968	WindowsUpdate.exe
Token: SeDebugPrivilege	1892	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exeWindowsUpdate.exe

pid	process
1972	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
1972	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
968	WindowsUpdate.exe
968	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe

description	pid	process	target process
PID 1972 wrote to memory of 1892	1972	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe	powershell.exe
PID 1972 wrote to memory of 1892	1972	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe	powershell.exe
PID 1972 wrote to memory of 1892	1972	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe	powershell.exe
PID 1972 wrote to memory of 968	1972	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe	WindowsUpdate.exe
PID 1972 wrote to memory of 968	1972	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe	WindowsUpdate.exe
PID 1972 wrote to memory of 968	1972	84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe	WindowsUpdate.exe

C:\Users\Admin\AppData\Local\Temp\84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe
"C:\Users\Admin\AppData\Local\Temp\84298E0B46665AD3825B9344FBDA6AC8D75A6E9CCC44E.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
86KB

MD5
ad9e6ee16b3abd3f757c8b5357de6042

SHA1
f324263dc0b46991bb0ed664577910c4f4de8009

SHA256
84298e0b46665ad3825b9344fbda6ac8d75a6e9ccc44eab5b40a70555e4718f4

SHA512
428453f17a3c7829e8d6719fb605439ac26368be25113c179af2fa03e2b064e523eae1043998d54dd5ce07626012c43ffede666dec431013183eef990e0d8235

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
86KB

MD5
ad9e6ee16b3abd3f757c8b5357de6042

SHA1
f324263dc0b46991bb0ed664577910c4f4de8009

SHA256
84298e0b46665ad3825b9344fbda6ac8d75a6e9ccc44eab5b40a70555e4718f4

SHA512
428453f17a3c7829e8d6719fb605439ac26368be25113c179af2fa03e2b064e523eae1043998d54dd5ce07626012c43ffede666dec431013183eef990e0d8235

Download Submit
memory/968-74-0x0000000000560000-0x00000000005E0000-memory.dmp

Filesize
512KB

Download
memory/968-73-0x0000000000560000-0x00000000005E0000-memory.dmp

Filesize
512KB

Download
memory/968-79-0x0000000000560000-0x00000000005E0000-memory.dmp

Filesize
512KB

Download
memory/968-63-0x0000000000810000-0x000000000082A000-memory.dmp

Filesize
104KB

Download
memory/968-76-0x0000000000560000-0x00000000005E0000-memory.dmp

Filesize
512KB

Download
memory/968-78-0x0000000000560000-0x00000000005E0000-memory.dmp

Filesize
512KB

Download
memory/968-77-0x0000000000560000-0x00000000005E0000-memory.dmp

Filesize
512KB

Download
memory/968-75-0x0000000000560000-0x00000000005E0000-memory.dmp

Filesize
512KB

Download
memory/968-72-0x0000000000560000-0x00000000005E0000-memory.dmp

Filesize
512KB

Download
memory/1892-71-0x000000000294B000-0x0000000002982000-memory.dmp

Filesize
220KB

Download
memory/1892-70-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1892-69-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1892-68-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1972-54-0x00000000000F0000-0x000000000010A000-memory.dmp

Filesize
104KB

Download
memory/1972-56-0x0000000001F50000-0x0000000001FD0000-memory.dmp

Filesize
512KB

Download
memory/1972-55-0x0000000001F50000-0x0000000001FD0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads