blackguard | c98e24c174130bba4836e08d24170866aa7128d62d3e2b25f3bc8562fdc74a66 | Triage

Analysis

max time kernel
4294183s
max time network
126s
platform
windows7_x64
resource
win7-20220310-en
submitted
31-03-2022 17:04

Sharing

Report Analysis Logs

General

Target

jameschung.exe
Size

4.2MB
MD5

bbb9de0f35d59374d7267f983a3f362b
SHA1

0c4df9e1941b1f555b867b016148409b51f49f63
SHA256

c98e24c174130bba4836e08d24170866aa7128d62d3e2b25f3bc8562fdc74a66
SHA512

4f0138f6bc8c2c015bc37b2a8178bf0fa043af90e6d1a487f7f739486e16d53d0d3ba86d8d30a060d93a038f63bc6cad23531bba90ff3c3aa7c9fc76f2858097

Score

10^/10

blackguard stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1800	1892	WerFault.exe	26

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	jameschung.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1800	1892	jameschung.exe	30
PID 1892 wrote to memory of 1800	1892	jameschung.exe	30
PID 1892 wrote to memory of 1800	1892	jameschung.exe	30

C:\Users\Admin\AppData\Local\Temp\jameschung.exe
"C:\Users\Admin\AppData\Local\Temp\jameschung.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1892 -s 740
  2⤵
  - Program crash
  PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1892-54-0x00000000011F0000-0x000000000123A000-memory.dmp

Filesize
296KB

Download
memory/1892-55-0x000000001BCF0000-0x000000001BCF2000-memory.dmp

Filesize
8KB

Download