blackguard | e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d

General

Target

e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d.exe
Size

202KB
MD5

06068dab89c0f8c8a25f738ef05249e1
SHA1

b0c853f73f32b0dd3733c2193185eabfa50014a9
SHA256

e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d
SHA512

432ef3fa26ebf04a6f75b797d9e19a3c6061b135b12b0a0ca7df4fcdb0bbaec846e7a2f420cf1bb90baf4878d0fbc3e7d157f349a1e699894ed3bac22c439ed3

Score

10^/10

blackguard persistence stealer suricata

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata

Executes dropped EXE 1 IoCs

pid	Process
896	USBconnectordriver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USB connector driver v6.67 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\USB connector driver v6.67\\USBconnectordriver.exe"	e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3620	896	WerFault.exe	85

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3212	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3600	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d.exe
Token: SeDebugPrivilege	896	USBconnectordriver.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 3148	4840	e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d.exe	80
PID 4840 wrote to memory of 3148	4840	e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d.exe	80
PID 3148 wrote to memory of 3600	3148	cmd.exe	82
PID 3148 wrote to memory of 3600	3148	cmd.exe	82
PID 3148 wrote to memory of 3212	3148	cmd.exe	84
PID 3148 wrote to memory of 3212	3148	cmd.exe	84
PID 3148 wrote to memory of 896	3148	cmd.exe	85
PID 3148 wrote to memory of 896	3148	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d.exe
"C:\Users\Admin\AppData\Local\Temp\e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDAF3.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:3600
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /create /f /sc MINUTE /mo 5 /tn "USB connector driver v6.67" /tr "'C:\Users\Admin\AppData\Local\Temp\\USB connector driver v6.67\USBconnectordriver.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:3212
- - C:\Users\Admin\AppData\Local\Temp\USB connector driver v6.67\USBconnectordriver.exe
    "C:\Users\Admin\AppData\Local\Temp\\USB connector driver v6.67\USBconnectordriver.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:896
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 896 -s 1576
      4⤵
      Program crash
      PID:3620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 896 -ip 896
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\USB connector driver v6.67\USBconnectordriver.exe

Filesize
457.8MB

MD5
6a23d3e8653b7a4b1ecf790152c4ef0a

SHA1
1acf6ae25a2e4a1da36527ab14b631ea06dba716

SHA256
1743cbc8929c756fc63b2966c24eba014fb57c7b6c77feb2bec37ed8602a7fbe

SHA512
86e6bc6d1983465cb28be1aa92e9a37da266b35a2f40d76f37cc2b412263c0e443b0fbb57ca647f6c427eb2530872649f9b6da3ccee5a23e449eaa88ec847c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\USB connector driver v6.67\USBconnectordriver.exe

Filesize
481.9MB

MD5
155cc9b5ca05785f7198f1711dc08286

SHA1
9ce517790f7f91bfea6678a899193f88a7cadc1d

SHA256
4a1bf6aaaff75cce624403a781d766e4ccdff446f0e4c46b24eccb496c38f7f1

SHA512
a811c8ce3b7a373c926949358a6910ead75e96767378b44d7002b7d7e511f68145e4ce6961547a8c53639aaab67849631ca285f9186d85f9e9581336adf315b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAF3.tmp.bat

Filesize
477B

MD5
265a77373bb0b5f0b8a0527fe55d958f

SHA1
f4e954421891b408bc62ad7e0689c1af444f702e

SHA256
900ece4eba32aa8f3a98d2463ef639192e109b468c20a7ebbdfce4d3ff556761

SHA512
cc492ede34048036b60d5676bd589f229a1ab3e89f8e031313cb51e7bf10d182e30b749ffd8721b2dccb4c791e0df331557b1cc8cb9bfe8379acd9770373ef72

Download Submit
memory/896-141-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp

Filesize
10.8MB

Download
memory/896-142-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp

Filesize
10.8MB

Download
memory/4840-134-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp

Filesize
10.8MB

Download
memory/4840-130-0x000001D865430000-0x000001D865468000-memory.dmp

Filesize
224KB

Download
memory/4840-132-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp

Filesize
10.8MB

Download
memory/4840-131-0x00007FFF9A210000-0x00007FFF9ACD1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads