Analysis
- max time kernel: 64s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 06/03/2022, 12:18
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: cleaner.exe
  - Resource: win7-20220223-en
- Behavioral task: behavioral2
  - Sample: cleaner.exe
  - Resource: win10v2004-en-20220112
General
- Target: cleaner.exe
- Size: 2.6MB
- MD5: 38892c681fbfba55e79f825cad8b0674
- SHA1: ee1e86add82844c30c003899ea819d5edcd07df3
- SHA256: 76b90299713b5d4ffd3c92b2cd66b3de68148c3133f927dfa385b075fd00d5b1
- SHA512: 4f013a16318f6b16cc1b1c38e0911d073752e1081a7f8f799cf2b192282d408a1a423eb8b11438685221e988b3c8e3f9be3d2e13b1e3d424a051691dbbe70b1c
Malware Config
Extracted
blackguard
https://api.telegram.org/bot1840568117:AAGlvKQeSfXkObSE7__yYc5jM9o8qSrkFUw/sendMessage?chat_id=1039923904
Signatures
- BlackGuard
  Infostealer first seen in late 2021.
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  pid: 1784, Process: cleaner.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid: 1784, Process: cleaner.exe (2 occurrences)
- Program crash (1 IoC)
  pid: 2804, pid_target: 1784, Process: WerFault.exe, procid_target: 57
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 1784, Process: cleaner.exe (all 64 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege, pid: 1784, Process: cleaner.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cleaner.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cleaner.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1784
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1784 -s 2272
    - Program crash
    PID: 2804
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 424 -p 1784 -ip 1784
  PID: 2904