Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    99s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    07-02-2024 06:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1.1MB

  • MD5

    baa73a9b35bf02d8c56a1286bcd2d714

  • SHA1

    a179259548f9e81b65126130342f5b076c8b8a77

  • SHA256

    14490c9c139e9bc984781f8143a571e1f1f140c69a7cd12c34fc0bf20abb0889

  • SHA512

    02f75dafbd6cabc107fd681d0cc65991b0a21b16b713fba77db4928e78f1da23474ddb4535f8280dc56186da90e41adc7ad8b10ffde2d0b18ff494273021d644

  • SSDEEP

    12288:DCwHtUz0qTqcXrwV+XinIBLAx9gKupscZ0PpHTzY8QGWlCL8K7XLlq95ZPFdmUG/:DCwHybsV/IOv6scZ0BzUfCz3+zsw8YS

Score
10/10
blacknetzgrathackedpersistencerattrojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

HacKed

C2

http://190.123.44.240

Mutex

BN[]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    e162b1333458a713bc6916cc8ac4110c

  • startup

    true

  • usb_spread

    false

Signatures

  • BlackNET

    BlackNET is an open source remote access tool written in VB.NET.

    trojanblacknet
  • BlackNET payload 4 IoCs
  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
          4⤵
          • Executes dropped EXE
          PID:1532
        • C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
    Filesize

    1.1MB

    MD5

    baa73a9b35bf02d8c56a1286bcd2d714

    SHA1

    a179259548f9e81b65126130342f5b076c8b8a77

    SHA256

    14490c9c139e9bc984781f8143a571e1f1f140c69a7cd12c34fc0bf20abb0889

    SHA512

    02f75dafbd6cabc107fd681d0cc65991b0a21b16b713fba77db4928e78f1da23474ddb4535f8280dc56186da90e41adc7ad8b10ffde2d0b18ff494273021d644

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sksewdjj.vbs
    Filesize

    83B

    MD5

    1bda7ff3ab57ee35f078aeb89c17198b

    SHA1

    dd1837e07192a78e9d21ec4055dc0dcd1ac9937a

    SHA256

    13abe05c8ea57d6976dd03a9089c744e1e156e54e4a0377580f5be181be94869

    SHA512

    f70f52ad8a7693318bb7332dd2c9a22f8707994fe77aeb15a5694b93df33960f4dc3806a32e137c7d1544a534816e75c1b7c8fab317bb04e59c1df6d7d028723

    Download Submit

  • memory/556-956-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/556-958-0x00000000047F0000-0x0000000004830000-memory.dmp

    Filesize

    256KB

    Download

  • memory/556-959-0x00000000047F0000-0x0000000004830000-memory.dmp

    Filesize

    256KB

    Download

  • memory/556-973-0x00000000047F0000-0x0000000004830000-memory.dmp

    Filesize

    256KB

    Download

  • memory/556-1000-0x00000000047F0000-0x0000000004830000-memory.dmp

    Filesize

    256KB

    Download

  • memory/556-1003-0x0000000074100000-0x00000000747EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/556-957-0x0000000074100000-0x00000000747EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/588-1908-0x00000000011D0000-0x0000000001210000-memory.dmp

    Filesize

    256KB

    Download

  • memory/588-968-0x00000000013D0000-0x00000000014F8000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/588-1907-0x0000000074100000-0x00000000747EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/588-1906-0x0000000000380000-0x0000000000381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/588-1923-0x0000000074100000-0x00000000747EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/588-970-0x0000000074100000-0x00000000747EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/588-971-0x00000000011D0000-0x0000000001210000-memory.dmp

    Filesize

    256KB

    Download

  • memory/844-1927-0x00000000747F0000-0x0000000074EDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/844-1929-0x0000000004C70000-0x0000000004CB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/844-1928-0x0000000004C70000-0x0000000004CB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/844-1930-0x0000000004C70000-0x0000000004CB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/844-1931-0x0000000004C70000-0x0000000004CB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/844-1932-0x00000000747F0000-0x0000000074EDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/844-1933-0x0000000004C70000-0x0000000004CB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3032-26-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-44-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-40-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-48-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-50-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-46-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-52-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-54-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-56-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-62-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-60-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-58-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-64-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-66-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-68-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-937-0x00000000004E0000-0x00000000004E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3032-939-0x00000000043A0000-0x00000000043EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3032-938-0x0000000004320000-0x0000000004356000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3032-940-0x00000000747F0000-0x0000000074EDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3032-941-0x0000000004360000-0x00000000043A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3032-952-0x00000000747F0000-0x0000000074EDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3032-42-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-36-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-38-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-32-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-34-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-30-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-24-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-0-0x0000000000160000-0x0000000000288000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3032-28-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-22-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-20-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-18-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-12-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-14-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-16-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-10-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-5-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-8-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-6-0x0000000004C50000-0x0000000004CE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3032-4-0x0000000004C50000-0x0000000004CEE000-memory.dmp

    Filesize

    632KB

    Download

  • memory/3032-3-0x0000000004AB0000-0x0000000004B4E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/3032-2-0x0000000004360000-0x00000000043A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3032-1-0x00000000747F0000-0x0000000074EDE000-memory.dmp

    Filesize

    6.9MB

    Download