blacknet | e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-12-2023 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97cb3fda3cff430377a866d6b437de8f.exe
Size

220KB
MD5

97cb3fda3cff430377a866d6b437de8f
SHA1

2359c8459c1e1dd133c2842b51d2982e63016f92
SHA256

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a
SHA512

e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f
SSDEEP

3072:alaJEgEXbfa9K4Em8wNBiXMhDJv7WehI2135eDRCyqTp0FUSVBOHfHAXTRsPCgfr:BEg4S9KqiSJvthI25ebqqBOKTRsaj2e

Score

10^/10

blacknet bot evasion persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

http://furyx.de/panel

Mutex

BN[c1916af6f3a468e5b6f5c7f6b9c78982]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
true

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\furz.exe	family_blacknet
behavioral1/memory/1880-39-0x0000000000AC0000-0x0000000000AE2000-memory.dmp	family_blacknet
behavioral1/memory/768-41-0x0000000004A70000-0x0000000004AB0000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\furz.exe	disable_win_def
behavioral1/memory/1880-39-0x0000000000AC0000-0x0000000000AE2000-memory.dmp	disable_win_def
behavioral1/memory/768-41-0x0000000004A70000-0x0000000004AB0000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

furz.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	furz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	furz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	furz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	furz.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2560 cmd.exe
Executes dropped EXE 5 IoCs

Processes:

furz.exeUacTest.exeInpwdja.exeMnrjvryib.exeWindowsUpdate.exe

pid process

1880 furz.exe
768 UacTest.exe
556 Inpwdja.exe
2632 Mnrjvryib.exe
1444 WindowsUpdate.exe
Loads dropped DLL 6 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exeUacTest.exe

pid process

2712 97cb3fda3cff430377a866d6b437de8f.exe
2712 97cb3fda3cff430377a866d6b437de8f.exe
768 UacTest.exe
768 UacTest.exe
768 UacTest.exe
768 UacTest.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
2560	cmd.exe

pid	process
1880	furz.exe
768	UacTest.exe
556	Inpwdja.exe
2632	Mnrjvryib.exe
1444	WindowsUpdate.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

furz.exeWindowsUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	furz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

97cb3fda3cff430377a866d6b437de8f.exefurz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	97cb3fda3cff430377a866d6b437de8f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Windows\\Microsoft\\MyClient\\WindowsUpdate.exe"	furz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exe

description pid process target process

PID 1064 set thread context of 2712 1064 97cb3fda3cff430377a866d6b437de8f.exe 97cb3fda3cff430377a866d6b437de8f.exe

description	pid	process	target process
PID 1064 set thread context of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe

Drops file in Windows directory 2 IoCs

Processes:

furz.exe

description	ioc	process
File created	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe
File opened for modification	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2372 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2236 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2232 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2044 PING.EXE
588 PING.EXE

pid	process
2372	schtasks.exe

pid	process
2236	taskkill.exe

pid	process
2232	reg.exe

pid	process
2044	PING.EXE
588	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exefurz.exepowershell.exe

pid	process
2712	97cb3fda3cff430377a866d6b437de8f.exe
2712	97cb3fda3cff430377a866d6b437de8f.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1292	powershell.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exetaskkill.exefurz.exepowershell.exeWindowsUpdate.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2712	97cb3fda3cff430377a866d6b437de8f.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	1880	furz.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1444	WindowsUpdate.exe
Token: SeDebugPrivilege	900	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

furz.exeWindowsUpdate.exe

pid process

1880 furz.exe
1880 furz.exe
1880 furz.exe
1444 WindowsUpdate.exe
1444 WindowsUpdate.exe
1444 WindowsUpdate.exe

pid	process
1880	furz.exe
1880	furz.exe
1880	furz.exe
1444	WindowsUpdate.exe
1444	WindowsUpdate.exe
1444	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exe97cb3fda3cff430377a866d6b437de8f.execmd.exeUacTest.exeInpwdja.exeMnrjvryib.execmd.execmd.execmd.exefurz.exe

description	pid	process	target process
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	97cb3fda3cff430377a866d6b437de8f.exe
PID 2712 wrote to memory of 1880	2712	97cb3fda3cff430377a866d6b437de8f.exe	furz.exe
PID 2712 wrote to memory of 1880	2712	97cb3fda3cff430377a866d6b437de8f.exe	furz.exe
PID 2712 wrote to memory of 1880	2712	97cb3fda3cff430377a866d6b437de8f.exe	furz.exe
PID 2712 wrote to memory of 1880	2712	97cb3fda3cff430377a866d6b437de8f.exe	furz.exe
PID 2712 wrote to memory of 768	2712	97cb3fda3cff430377a866d6b437de8f.exe	UacTest.exe
PID 2712 wrote to memory of 768	2712	97cb3fda3cff430377a866d6b437de8f.exe	UacTest.exe
PID 2712 wrote to memory of 768	2712	97cb3fda3cff430377a866d6b437de8f.exe	UacTest.exe
PID 2712 wrote to memory of 768	2712	97cb3fda3cff430377a866d6b437de8f.exe	UacTest.exe
PID 2712 wrote to memory of 2560	2712	97cb3fda3cff430377a866d6b437de8f.exe	cmd.exe
PID 2712 wrote to memory of 2560	2712	97cb3fda3cff430377a866d6b437de8f.exe	cmd.exe
PID 2712 wrote to memory of 2560	2712	97cb3fda3cff430377a866d6b437de8f.exe	cmd.exe
PID 2712 wrote to memory of 2560	2712	97cb3fda3cff430377a866d6b437de8f.exe	cmd.exe
PID 2560 wrote to memory of 2044	2560	cmd.exe	PING.EXE
PID 2560 wrote to memory of 2044	2560	cmd.exe	PING.EXE
PID 2560 wrote to memory of 2044	2560	cmd.exe	PING.EXE
PID 2560 wrote to memory of 2044	2560	cmd.exe	PING.EXE
PID 2560 wrote to memory of 588	2560	cmd.exe	PING.EXE
PID 2560 wrote to memory of 588	2560	cmd.exe	PING.EXE
PID 2560 wrote to memory of 588	2560	cmd.exe	PING.EXE
PID 2560 wrote to memory of 588	2560	cmd.exe	PING.EXE
PID 768 wrote to memory of 556	768	UacTest.exe	Inpwdja.exe
PID 768 wrote to memory of 556	768	UacTest.exe	Inpwdja.exe
PID 768 wrote to memory of 556	768	UacTest.exe	Inpwdja.exe
PID 768 wrote to memory of 556	768	UacTest.exe	Inpwdja.exe
PID 768 wrote to memory of 2632	768	UacTest.exe	Mnrjvryib.exe
PID 768 wrote to memory of 2632	768	UacTest.exe	Mnrjvryib.exe
PID 768 wrote to memory of 2632	768	UacTest.exe	Mnrjvryib.exe
PID 768 wrote to memory of 2632	768	UacTest.exe	Mnrjvryib.exe
PID 556 wrote to memory of 2660	556	Inpwdja.exe	cmd.exe
PID 556 wrote to memory of 2660	556	Inpwdja.exe	cmd.exe
PID 556 wrote to memory of 2660	556	Inpwdja.exe	cmd.exe
PID 556 wrote to memory of 2660	556	Inpwdja.exe	cmd.exe
PID 2632 wrote to memory of 1952	2632	Mnrjvryib.exe	cmd.exe
PID 2632 wrote to memory of 1952	2632	Mnrjvryib.exe	cmd.exe
PID 2632 wrote to memory of 1952	2632	Mnrjvryib.exe	cmd.exe
PID 2632 wrote to memory of 1952	2632	Mnrjvryib.exe	cmd.exe
PID 2660 wrote to memory of 2400	2660	cmd.exe	cmd.exe
PID 2660 wrote to memory of 2400	2660	cmd.exe	cmd.exe
PID 2660 wrote to memory of 2400	2660	cmd.exe	cmd.exe
PID 2400 wrote to memory of 2232	2400	cmd.exe	reg.exe
PID 2400 wrote to memory of 2232	2400	cmd.exe	reg.exe
PID 2400 wrote to memory of 2232	2400	cmd.exe	reg.exe
PID 1952 wrote to memory of 2236	1952	cmd.exe	taskkill.exe
PID 1952 wrote to memory of 2236	1952	cmd.exe	taskkill.exe
PID 1952 wrote to memory of 2236	1952	cmd.exe	taskkill.exe
PID 1952 wrote to memory of 2236	1952	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 1292	1880	furz.exe	powershell.exe
PID 1880 wrote to memory of 1292	1880	furz.exe	powershell.exe
PID 1880 wrote to memory of 1292	1880	furz.exe	powershell.exe
PID 1880 wrote to memory of 1720	1880	furz.exe	schtasks.exe
PID 1880 wrote to memory of 1720	1880	furz.exe	schtasks.exe
PID 1880 wrote to memory of 1720	1880	furz.exe	schtasks.exe
PID 1880 wrote to memory of 1444	1880	furz.exe	WindowsUpdate.exe
PID 1880 wrote to memory of 1444	1880	furz.exe	WindowsUpdate.exe
PID 1880 wrote to memory of 1444	1880	furz.exe	WindowsUpdate.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe
"C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe
"C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\furz.exe
"C:\Users\Admin\AppData\Local\Temp\furz.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\schtasks.exe
"schtasks" /delete /tn "WindowsUpdate.exe" /f
4⤵
PID:1720

C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
"C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"
4⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\schtasks.exe
"schtasks" /delete /tn "WindowsUpdate.exe" /f
5⤵
PID:1704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1444 -s 1052
5⤵
PID:2832

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2372

C:\Users\Admin\AppData\Local\Temp\UacTest.exe
"C:\Users\Admin\AppData\Local\Temp\UacTest.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
"C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\80A5.tmp\80A6.tmp\80A7.bat C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- UAC bypass
- Modifies registry key
PID:2232

C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
"C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\80B4.tmp\80B5.tmp\80B6.bat C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\taskkill.exe
Taskkill /IM cmd.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
4⤵
- Runs ping.exe
PID:2044

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
4⤵
- Runs ping.exe
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80A5.tmp\80A6.tmp\80A7.bat
Filesize
187B

MD5
befbbfdadeef80e445fdd152a121a6d1

SHA1
67019f2a12662f2ff92dc7977769b0debdbf564e

SHA256
0848f1ac65974856844e59ff3b8d492c88acf43f0fd64505d5bf3fd4e43d9da6

SHA512
867c4ee6cb22ba7ba0d5aa9c16d321f36013588b6057e3f3f0e6de670481ab1f7d46c1553b9410ff753de7e923d1b774db0c8297091fd9c852bdc96fee43ee32

Download Submit
C:\Users\Admin\AppData\Local\Temp\80B4.tmp\80B5.tmp\80B6.bat
Filesize
34B

MD5
4f4ecd10fc86be6be730390c06be67c8

SHA1
4c59c25907109fd48d8d94caaa8b8266ffa3c7c3

SHA256
a9bf329ec3514d7d5698851137d508b763b1a627747b1ce40ddd5c524538459c

SHA512
b4e89c807071e770b9327693032c8d1ebc06811dfeccfe0892e00deb449b75cb5d921ed2f7ae53d3fae00837bd6eed3fcb0bfc7168cad0f0c44997e51e4365f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
474e00aa2a3a2ec1a6bd935a38d3d920

SHA1
cf0b38149574d2be4e10a61bf803cc110f74973e

SHA256
fdeb62b4d2c4b94a9a3d077a77dbe98e1bced9486e8fd0f6f3af6ac07921db20

SHA512
b97aa15d41e4ef5d6b167de5b3fc01179858486cd214641965a982d9b5d7919d3b278b0507c5ed4078434bf20d130ace644315101b8d451bc910f98aab405a7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R3TLVSKYBC0HR7XQIGHI.temp
Filesize
7KB

MD5
57fb813445ba9fc77d6c1d876ef43d93

SHA1
54a7241e5872a5a7e89769efb2552bae421d7258

SHA256
6d85d0a69da2e5e657f6fc05f0c080ed61a550c1a770f2906802bc4029a8aae3

SHA512
3239d46d6b6297b1289c87512bd6e03899d627190005f00cc2f57067b41a9a1f917818a54fc43059fb268f01ecc48b91332f7d93818d2c9d01081bdb9adafcb7

Download Submit
\Users\Admin\AppData\Local\Temp\Inpwdja.exe
Filesize
88KB

MD5
d1082e6ae11fecd45ebe0f2b3d32230d

SHA1
c070a8395ccb984f5bcd8f22629ffa1b41ea14c1

SHA256
dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77

SHA512
d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3

Download Submit
\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
Filesize
88KB

MD5
5303046dacbdfcb013ff016a72311e22

SHA1
deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009

SHA256
46618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a

SHA512
261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b

Download Submit
\Users\Admin\AppData\Local\Temp\UacTest.exe
Filesize
140KB

MD5
7c011f0ea2387f0124c959e3f663cb4d

SHA1
12e668079661c557963236786bb821af4628ee1b

SHA256
6b69a8fd83ca150642a20128f84cdd2e91aaa6852e705e55e4116caa487903c4

SHA512
f5770246c943a997c96713a721d512fc0eaf530f3b7d22abe56f50d35b582af4b9f86a65113dee0f09aa7766d257ac0b29a9a56348891339399a2923b399925e

Download Submit
\Users\Admin\AppData\Local\Temp\furz.exe
Filesize
117KB

MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
memory/768-41-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/768-64-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/768-37-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/768-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1064-1-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/1064-18-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/1064-4-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/1064-2-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/1064-0-0x0000000000110000-0x000000000014E000-memory.dmp

Filesize
248KB

Download
memory/1292-74-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1292-73-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/1292-75-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/1292-76-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1292-77-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/1292-72-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/1292-78-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/1292-79-0x000007FEEDAA0000-0x000007FEEE43D000-memory.dmp

Filesize
9.6MB

Download
memory/1880-83-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-109-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-39-0x0000000000AC0000-0x0000000000AE2000-memory.dmp

Filesize
136KB

Download
memory/1880-65-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-66-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-67-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-105-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-110-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-112-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-115-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-118-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-120-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-119-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-117-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-80-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/1880-116-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-84-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-85-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-86-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-87-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-88-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-89-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-90-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-91-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/1880-92-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-93-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-94-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-95-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-97-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-96-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-98-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-99-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-100-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-101-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-102-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-103-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-104-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-106-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-107-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-108-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-40-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/1880-111-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-113-0x000000001D720000-0x000000001D820000-memory.dmp

Filesize
1024KB

Download
memory/1880-114-0x000000001ACC0000-0x000000001AD40000-memory.dmp

Filesize
512KB

Download
memory/2712-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2712-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2712-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-13-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2712-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2712-17-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2712-19-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2712-20-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2712-38-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2712-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2712-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download