Analysis
-
max time kernel
60s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
06/07/2024, 15:55
Errors
General
-
Target
http://adhod12.ct8.pl/test.exe
Malware Config
Signatures
-
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
-
BlackNET payload 1 IoCs
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://adhod12.ct8.pl/test.exe1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa659646f8,0x7ffa65964708,0x7ffa659647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4192 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15636154111634128160,17263197808886756175,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:22⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\test.exe"C:\Users\Admin\Downloads\test.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONSTART /RL HIGHEST /tn "'WindowsUpdate"' /tr "'C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SYSTEM32\shutdown.exeshutdown -s -t 003⤵
-
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONSTART /RL HIGHEST /tn "'WindowsUpdate"' /tr "'C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\Downloads\svchosts.exe"C:\Users\Admin\Downloads\svchosts.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\test.exe"C:\Users\Admin\Downloads\test.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\test.exe"C:\Users\Admin\Downloads\test.exe"3⤵
-
-
C:\Users\Admin\Downloads\test.exe"C:\Users\Admin\Downloads\test.exe"3⤵
-
-
C:\Users\Admin\Downloads\test.exe"C:\Users\Admin\Downloads\test.exe"3⤵
-
-
C:\Users\Admin\Downloads\test.exe"C:\Users\Admin\Downloads\test.exe"3⤵
-
-
C:\Users\Admin\Downloads\test.exe"C:\Users\Admin\Downloads\test.exe"3⤵
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3901055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
866B
MD5d7d09fe4ff702ba9f25d5f48923708b6
SHA185ce2b7a1c9a4c3252fc9f471cf13ad50ad2cf65
SHA256ae5b9b53869ba7b6bf99b07cb09c9ce9ff11d4abbbb626570390f9fba4f6f462
SHA512500a313cc36a23302763d6957516640c981da2fbab691c8b66518f5b0051e25dfb1b09449efff526eab707fa1be36ef9362286869c82b3800e42d2d8287ef1cf
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD5210676dde5c0bd984dc057e2333e1075
SHA12d2f8c14ee48a2580f852db7ac605f81b5b1399a
SHA2562a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5
SHA512aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017
-
Filesize
152B
MD5f4e6521c03f1bc16d91d99c059cc5424
SHA1043665051c486192a6eefe6d0632cf34ae8e89ad
SHA2567759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1
SHA5120bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e
-
Filesize
6KB
MD56d4cbe9db7bf11bc3774e23969df5398
SHA13a7cdff38975a3692c601da9d8209082625d72cc
SHA256b81e5b39a150436c54a67ff935c71ce0f3a6c91047026e5c223fbcd660f3889d
SHA5127df6632c1ea7bbcf0b1e9b5cac10b16650afa4399f47f4a9e0ff1584ca7efb1b0582214bec920b69a5ba3a9864216b7cf3cb7a79fc38908ce1c6c06ea8b396c0
-
Filesize
6KB
MD5406603173b0eb14055195195e002be92
SHA12b8b47f4ce5b39754b47ece165dc3e5686c954a0
SHA256dc4bc17622752a027e50614e3d066c189d5238e1cffbdd621d571180c2f84222
SHA51259545e208c0dbf712ad6ff75c0dbdffd041dadb9bfe4ea0d92bc43eb135509e030a046af19b060edfdd29bd3c21fc8b1ffc578004f1de77b21a3341277e4a49d
-
Filesize
6KB
MD53921c6d341e088a91782299c8ba4d213
SHA1d6fe8e06aea0063d1c68163e7e435a8e9b57cdc3
SHA256d833662e6a16e72999917ab2cbd38cbd9e16c550d6ad1c7153ad0f407ec5ddc0
SHA512ba67f9828e58d09f85040023393e2a0a30f4bf9e6e7edf62be037dfd36d1a53973287c62fcbd96d0fdddf9ada48bdfd6236c72e02af14f63397da2a77cdeeb5f
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD552654739f4063c752af21b2a13ea5ddb
SHA11bb611bd59c90c833f76ffbb256dbff0b7cfa00a
SHA256c57aebb33b214a845a11d096201b2f7dacd19524119e42e6a46c4aa1bd6dba21
SHA512a8ec8862deb9ae8b5a22997e50dd8a54381e8879becdde3ec7c670378e6809095ae15b18f934626a78f9883b1c9aabf187cbd513fa47a1a184787daa2e1749b7
-
Filesize
11KB
MD55fb170e1b3bb8acde552af45521c3315
SHA17694765dd27a03259003923cb7797d7fc22020a1
SHA256b7f2e92a7fae968dd9cfdec0b7b6f1b9ee5a5639223ed6c2acc310415b3020e0
SHA512ed3f673be8c7c9ada52cd414c3505fc6671ffc64ef677954eac97eb99c785f6749b798ed2f88e03741e3a74300c4ffb149a73c9fcdd7fa96ade8c93597c9bc87
-
Filesize
11KB
MD520d1f4e44fad959fcfa59eefe33677cb
SHA15e250fe75ee901de221d9f63acee08fc888681c0
SHA25629c6086d1eb32eaee53246d1cc87a484c620ed50d3d011210da760c4bccb41e4
SHA512e0de71692ab811c9d0012b2fb08e882611a7ca4d6f989058b536f661e0cfcc562710d256088151081f5078bff4521bae1b365d659b22052860f17cf99a93dbe1
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
131KB
MD5ab9469ed19c0152caee91b43682264c7
SHA1c9941f10685c8eb596f3110a25cbda3e526ac387
SHA256e564e39ef1073e9b68daa5f09840ff71b2e22f52fa9ba589bafcd6a8ac80e912
SHA512a6ffee85ffd3f7e3e52eb5a3be90ba148d52d8379f8d58fedff2a7b0c750a18a1e5e84da79e794ff5a612de405c774213d7d2615eb52ccbfb7d8a47b870aebfa
-
Filesize
17KB
MD589dd6e72358a669b7d6e2348307a7af7
SHA10db348f3c6114a45d71f4d218e0e088b71c7bb0a
SHA256ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e
SHA51293b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b
-
Filesize
136KB
-
Filesize
392KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
664KB