Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
14-02-2022 15:09
Static task
static1
Behavioral task
behavioral1
Sample
f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe
Resource
win10v2004-en-20220112
General
-
Target
f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe
-
Size
1.9MB
-
MD5
2d28df44857d0be0b1ca1e5b4987894e
-
SHA1
a442fa9d272cfdbbcb406c8ef02c9a5d669c6fed
-
SHA256
f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d
-
SHA512
7a6b19655597832c7c75518fe7f01f9916b30d70b61b0d617e93fb3209aafc2ce99687e0dcbaea3d46ac68f315a43a8fd7308dfd215854f706c7ebe9c0518d5a
Malware Config
Extracted
blackguard
https://onetwostep.at/
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Downloads MZ/PE file
-
Loads dropped DLL 1 IoCs
pid Process 1552 f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1552 f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1552 f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe"C:\Users\Admin\AppData\Local\Temp\f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe"1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1552
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5616827a61d7a49ce5389c5d96443e35d
SHA1d522ee5607e122e775d77641dba09711146db739
SHA25654d4025bc175de5367d0ace1a78fec7edf06b642892691cf85afb02b8ab166d5
SHA512fd6a53cb9851e56b8dc6a40627058852f2949688b73dacf6f3e0fcf932453b8c52a3bfefb12c80c38397a89f1038ad8fad329ea2798b86457ce5d8fe7ba87312