Analysis
-
max time kernel
89s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
28-01-2024 19:06
General
-
Target
BAA73A9B35BF02D8C56A1286BCD2D714.exe
-
Size
1.1MB
-
MD5
baa73a9b35bf02d8c56a1286bcd2d714
-
SHA1
a179259548f9e81b65126130342f5b076c8b8a77
-
SHA256
14490c9c139e9bc984781f8143a571e1f1f140c69a7cd12c34fc0bf20abb0889
-
SHA512
02f75dafbd6cabc107fd681d0cc65991b0a21b16b713fba77db4928e78f1da23474ddb4535f8280dc56186da90e41adc7ad8b10ffde2d0b18ff494273021d644
-
SSDEEP
12288:DCwHtUz0qTqcXrwV+XinIBLAx9gKupscZ0PpHTzY8QGWlCL8K7XLlq95ZPFdmUG/:DCwHybsV/IOv6scZ0BzUfCz3+zsw8YS
Malware Config
Extracted
blacknet
v3.7.0 Public
HacKed
http://190.123.44.240
BN[]
-
antivm
false
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
e162b1333458a713bc6916cc8ac4110c
-
startup
true
-
usb_spread
false
Signatures
-
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
-
BlackNET payload 1 IoCs
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect ZGRat V1 34 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BAA73A9B35BF02D8C56A1286BCD2D714.exe"C:\Users\Admin\AppData\Local\Temp\BAA73A9B35BF02D8C56A1286BCD2D714.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BAA73A9B35BF02D8C56A1286BCD2D714.exeC:\Users\Admin\AppData\Local\Temp\BAA73A9B35BF02D8C56A1286BCD2D714.exe2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exeC:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD536fe3f3f72527621dc47e2b6acb0eac1
SHA1c3fa9842ab6eb5bc764d9ca2ca6e05e02517879e
SHA256bbcf9d4174847d06afd7221ce037e7da5264f390914351ed46a0433a4b67d676
SHA512c736ab9fb8664ba8e83ebaa25591967224be81a2ac9f40292ceba4d3a60e214314c40357e923a69fd404ec7a7e299dc0d89dd8885fcae513ecd102ca9311ee38
-
Filesize
1.1MB
MD5baa73a9b35bf02d8c56a1286bcd2d714
SHA1a179259548f9e81b65126130342f5b076c8b8a77
SHA25614490c9c139e9bc984781f8143a571e1f1f140c69a7cd12c34fc0bf20abb0889
SHA51202f75dafbd6cabc107fd681d0cc65991b0a21b16b713fba77db4928e78f1da23474ddb4535f8280dc56186da90e41adc7ad8b10ffde2d0b18ff494273021d644
-
Filesize
83B
MD51bda7ff3ab57ee35f078aeb89c17198b
SHA1dd1837e07192a78e9d21ec4055dc0dcd1ac9937a
SHA25613abe05c8ea57d6976dd03a9089c744e1e156e54e4a0377580f5be181be94869
SHA512f70f52ad8a7693318bb7332dd2c9a22f8707994fe77aeb15a5694b93df33960f4dc3806a32e137c7d1544a534816e75c1b7c8fab317bb04e59c1df6d7d028723
-
Filesize
1.1MB
MD58630fddbd1a5fcfd554e1c9491a842ba
SHA1c56c633f080cfc3bab936a961e37b1fe93d9fa6d
SHA256cea5cc90b812164f5832e7bdbf373ff61881db7d39e139e372ffa02b02646281
SHA51252593852749e16afcb5cf78892a75d02f7f2c38c8a9067a0696b8e495cba4458bc99bdaf832118a5a9f5a07a1f6d7f9e469e794da78fbeea3d8db69f9515d8b7
-
Filesize
81KB
MD58803648b14a44b2bcc8a24c10673c587
SHA1a2baf42f4561c52c72b4521f2a86b459d012e8fa
SHA256ff8aa400a1a76be1210e462624e5d7a64fcc3fff48fbc121af8dd38719395ac4
SHA5126d2de5695eebbff773efd0a085cb40bb7b7c34f0672e9381cdf156d7f304d35d125f580ec374fa4d1f3ba6c354f1a27c68b96afebba0e59df11d3f606c49da0e
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
1.2MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
120KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
1.2MB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
612KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
256KB
-
Filesize
6.9MB