blackguard | db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b

General

Target

db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe
Size

456KB
MD5

0ce6472a1caf1e18f0c87c6f405c6441
SHA1

d6f0f1a7cfb43cadeace56f7624e3ca91bb46b8f
SHA256

db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b
SHA512

5398f90b48a360f3ee4b8e5668f561fea209abdbdd426e58617d498257a4a204fb7a2687a771f1d907c3adee4b03511bb459ae6acec2401f6adf257a2e9be510

Score

10^/10

blackguard persistence spyware stealer

Malware Config

Extracted

Family

blackguard

C2

https://umpulumpu.ru/

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
744	tmp3C26.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
744	tmp3C26.tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Testings.exe = "C:\\Users\\Admin\\AppData\\RoamingTestings.exe"	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1536	744	WerFault.exe	34

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1324	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1852	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe
1852	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe
744	tmp3C26.tmp.exe
744	tmp3C26.tmp.exe
744	tmp3C26.tmp.exe
744	tmp3C26.tmp.exe
744	tmp3C26.tmp.exe
744	tmp3C26.tmp.exe
744	tmp3C26.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe
Token: SeDebugPrivilege	744	tmp3C26.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 884	1852	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe	31
PID 1852 wrote to memory of 884	1852	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe	31
PID 1852 wrote to memory of 884	1852	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe	31
PID 884 wrote to memory of 1324	884	cmd.exe	33
PID 884 wrote to memory of 1324	884	cmd.exe	33
PID 884 wrote to memory of 1324	884	cmd.exe	33
PID 1852 wrote to memory of 744	1852	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe	34
PID 1852 wrote to memory of 744	1852	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe	34
PID 1852 wrote to memory of 744	1852	db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe	34
PID 744 wrote to memory of 1536	744	tmp3C26.tmp.exe	35
PID 744 wrote to memory of 1536	744	tmp3C26.tmp.exe	35
PID 744 wrote to memory of 1536	744	tmp3C26.tmp.exe	35

C:\Users\Admin\AppData\Local\Temp\db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe
"C:\Users\Admin\AppData\Local\Temp\db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\db1499fa5ea0d7bc198609ef58218e8c95a63e19a4c59bcd5f6e81a0439beb1b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 5 -w 5000
    3⤵
    - Runs ping.exe
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\tmp3C26.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3C26.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 744 -s 1924
    3⤵
    - Program crash
    PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dfb5638ad8d816371f5e8d087a5cdf16

SHA1
8c51ca99d022aff2ce7bcffdca6e178ca59ecb1e

SHA256
3c9e099a3967fa6efbe371b63d983da00071f69c464a47ed973f04b8d8fa1a91

SHA512
6b37a220fbd07642e089553ff5f8da90ec5ddb944c829153b03f4b87e4a058a071e547b94770709e545aaeea575b1bb4b997d70528fe0c99643c97adb07938d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3C26.tmp.exe

Filesize
1.5MB

MD5
05d3edc56331ce405e49ad2fc4e6c01e

SHA1
0b0491f9b654bb0bc41929456ba2943141be6711

SHA256
ead17dee70549740a4e649a647516c140d303f507e0c42ac4b6856e6a4ff9e14

SHA512
b83c1d21147dce1eaadc5d066c0913ab2f08d1a97c34ffb2f4ee685d7f35979c3894b86bd4c2f470c0ae416aac3d9f57fe9d201721bdca2a64fbb9fff7857e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3C26.tmp.exe

Filesize
1.5MB

MD5
05d3edc56331ce405e49ad2fc4e6c01e

SHA1
0b0491f9b654bb0bc41929456ba2943141be6711

SHA256
ead17dee70549740a4e649a647516c140d303f507e0c42ac4b6856e6a4ff9e14

SHA512
b83c1d21147dce1eaadc5d066c0913ab2f08d1a97c34ffb2f4ee685d7f35979c3894b86bd4c2f470c0ae416aac3d9f57fe9d201721bdca2a64fbb9fff7857e26

Download Submit
\Users\Admin\AppData\Local\Temp\x64\SQLite.Interop.dll

Filesize
1.6MB

MD5
616827a61d7a49ce5389c5d96443e35d

SHA1
d522ee5607e122e775d77641dba09711146db739

SHA256
54d4025bc175de5367d0ace1a78fec7edf06b642892691cf85afb02b8ab166d5

SHA512
fd6a53cb9851e56b8dc6a40627058852f2949688b73dacf6f3e0fcf932453b8c52a3bfefb12c80c38397a89f1038ad8fad329ea2798b86457ce5d8fe7ba87312

Download Submit
memory/744-62-0x0000000000CC0000-0x0000000000D14000-memory.dmp

Filesize
336KB

Download
memory/744-69-0x000000001B006000-0x000000001B007000-memory.dmp

Filesize
4KB

Download
memory/744-59-0x0000000000F30000-0x00000000010B6000-memory.dmp

Filesize
1.5MB

Download
memory/744-61-0x000000001AFE0000-0x000000001AFE2000-memory.dmp

Filesize
8KB

Download
memory/744-60-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/744-63-0x000000001AFE6000-0x000000001B005000-memory.dmp

Filesize
124KB

Download
memory/744-71-0x000000001B007000-0x000000001B009000-memory.dmp

Filesize
8KB

Download
memory/744-65-0x000000001AD30000-0x000000001ADE0000-memory.dmp

Filesize
704KB

Download
memory/744-66-0x000000001B005000-0x000000001B006000-memory.dmp

Filesize
4KB

Download
memory/744-67-0x0000000000D10000-0x0000000000D72000-memory.dmp

Filesize
392KB

Download
memory/744-70-0x000000001AF40000-0x000000001AF65000-memory.dmp

Filesize
148KB

Download
memory/1852-54-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/1852-55-0x0000000001140000-0x00000000011B8000-memory.dmp

Filesize
480KB

Download
memory/1852-56-0x000000001B080000-0x000000001B082000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads