Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
12-02-2024 22:40
General
-
Target
97cb3fda3cff430377a866d6b437de8f.exe
-
Size
220KB
-
MD5
97cb3fda3cff430377a866d6b437de8f
-
SHA1
2359c8459c1e1dd133c2842b51d2982e63016f92
-
SHA256
e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a
-
SHA512
e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f
-
SSDEEP
3072:alaJEgEXbfa9K4Em8wNBiXMhDJv7WehI2135eDRCyqTp0FUSVBOHfHAXTRsPCgfr:BEg4S9KqiSJvthI25ebqqBOKTRsaj2e
Malware Config
Extracted
blacknet
v3.7.0 Public
Bot
http://furyx.de/panel
BN[c1916af6f3a468e5b6f5c7f6b9c78982]
-
antivm
false
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
e162b1333458a713bc6916cc8ac4110c
-
startup
false
-
usb_spread
true
Signatures
-
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
-
BlackNET payload 2 IoCs
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\furz.exe"C:\Users\Admin\AppData\Local\Temp\furz.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exe"schtasks" /delete /tn "WindowsUpdate.exe" /f4⤵
-
-
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"4⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exe"schtasks" /delete /tn "WindowsUpdate.exe" /f5⤵
-
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 892 -s 10485⤵
-
-
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\UacTest.exe"C:\Users\Admin\AppData\Local\Temp\UacTest.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7C62.tmp\7C62.tmp\7C63.bat C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f7⤵
- UAC bypass
- Modifies registry key
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7C61.tmp\7C62.tmp\7C63.bat C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exeTaskkill /IM cmd.exe /F6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1004⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 9004⤵
- Runs ping.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD577dd3474261346c50a9d8c177a11940c
SHA1934ccb59b6096c21dd908cc16f4da06683ccaf4d
SHA256fc4bdc1a0c1ca3d150b305a2727d6791e93158ccfe61f9c3eb698affcb114869
SHA51240eff43f944003aeb9f1de5ed3b72e8c78e6546845669114a107052faa04498a05fd1d73b60e28db6d910183cddd3ed275d7adc54eb1c6b2cd3b458c6c1bf59e
-
Filesize
34B
MD54f4ecd10fc86be6be730390c06be67c8
SHA14c59c25907109fd48d8d94caaa8b8266ffa3c7c3
SHA256a9bf329ec3514d7d5698851137d508b763b1a627747b1ce40ddd5c524538459c
SHA512b4e89c807071e770b9327693032c8d1ebc06811dfeccfe0892e00deb449b75cb5d921ed2f7ae53d3fae00837bd6eed3fcb0bfc7168cad0f0c44997e51e4365f9
-
Filesize
187B
MD5befbbfdadeef80e445fdd152a121a6d1
SHA167019f2a12662f2ff92dc7977769b0debdbf564e
SHA2560848f1ac65974856844e59ff3b8d492c88acf43f0fd64505d5bf3fd4e43d9da6
SHA512867c4ee6cb22ba7ba0d5aa9c16d321f36013588b6057e3f3f0e6de670481ab1f7d46c1553b9410ff753de7e923d1b774db0c8297091fd9c852bdc96fee43ee32
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
7KB
MD53538f05f0a34bdae564393bea37181fb
SHA14d8e73dd8fa0583bee3eef1a756d61a5c6912243
SHA25685000cb813f5441dbd516a7999a0a1da62bd5b552aceac3efc1716286a29bed2
SHA512c7b8909518b3d107839098de546a973f02d87040a71d152c74cc3aee0c2e093d39662a7a0afd7f45453301ba0ce4cf5fbbba41a11238fbde00ded97d69d32248
-
Filesize
7KB
MD593c479fe065ecb6048d9ac0fd1377d2e
SHA1d93aeff04706495649aad2346612b494822fc327
SHA25602359c293f0cdfbe4ece047cab0ed0b5859ea9f1605eb439c16c4615557e8c7e
SHA512378f2d3ad146b1e5f87c227bd80af8a118b164cf1221597254f5825a6d760aabd8c817281fc70ec7a74c0ffe9e388f661872c2a1faef9478f46d71ea6dff3275
-
Filesize
88KB
MD5d1082e6ae11fecd45ebe0f2b3d32230d
SHA1c070a8395ccb984f5bcd8f22629ffa1b41ea14c1
SHA256dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77
SHA512d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3
-
Filesize
88KB
MD55303046dacbdfcb013ff016a72311e22
SHA1deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009
SHA25646618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a
SHA512261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b
-
Filesize
140KB
MD57c011f0ea2387f0124c959e3f663cb4d
SHA112e668079661c557963236786bb821af4628ee1b
SHA2566b69a8fd83ca150642a20128f84cdd2e91aaa6852e705e55e4116caa487903c4
SHA512f5770246c943a997c96713a721d512fc0eaf530f3b7d22abe56f50d35b582af4b9f86a65113dee0f09aa7766d257ac0b29a9a56348891339399a2923b399925e
-
Filesize
117KB
MD5b72d429d1d690165c7b0de4a074c4a58
SHA1f0704d227482a80f2f90dab79ed4acd9770fe565
SHA256b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae
SHA512f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
6.9MB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
9.9MB
-
Filesize
136KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
9.9MB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
512KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
512KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
6.9MB
-
Filesize
176KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
248KB
-
Filesize
256KB
-
Filesize
40KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
12KB