blackguard | 91380be57c9e845bd46ab84a966793a76de0fc4ee7022b52316930fe4f17281c

Analysis

max time kernel
122s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2022 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

3.9MB
MD5

3d5ec1d0d651df913d6148081a72acb9
SHA1

66b1f6233e5e3c21977307bd526abebb5a1f5051
SHA256

91380be57c9e845bd46ab84a966793a76de0fc4ee7022b52316930fe4f17281c
SHA512

1213b49181cef1899122abf129e0f0c9f6807fa2b9ccce9963f7e9a49e330062d34cd7c9fff6d2b1d418ef8aeb29d86cd21c5cfb50cc12dc4e10d44e02349c13
SSDEEP

98304:iNuSZTKA0t9FFPE0yr0V/YVrsk9N8ivyhAdsPSQxSBtq0f4:ubk9fcvAcVN8iNIS7Hqw

Score

10^/10

blackguard collection spyware stealer

Malware Config

Extracted

Family

blackguard

https://clinokrp.online

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	file.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hornyupdater.exe	file.exe

Loads dropped DLL 1 IoCs

pid	Process
3352	file.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3352	file.exe
3352	file.exe
3352	file.exe
3352	file.exe
704	msedge.exe
704	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	file.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 4760	3352	file.exe	80
PID 3352 wrote to memory of 4760	3352	file.exe	80
PID 4760 wrote to memory of 3472	4760	msedge.exe	81
PID 4760 wrote to memory of 3472	4760	msedge.exe	81
PID 3352 wrote to memory of 1264	3352	file.exe	82
PID 3352 wrote to memory of 1264	3352	file.exe	82
PID 1264 wrote to memory of 2432	1264	msedge.exe	83
PID 1264 wrote to memory of 2432	1264	msedge.exe	83
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 1144	1264	msedge.exe	86
PID 1264 wrote to memory of 704	1264	msedge.exe	87
PID 1264 wrote to memory of 704	1264	msedge.exe	87
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88
PID 1264 wrote to memory of 4348	1264	msedge.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fdd546f8,0x7ff9fdd54708,0x7ff9fdd54718
    3⤵
    PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://127.0.0.1:12567
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fdd546f8,0x7ff9fdd54708,0x7ff9fdd54718
    3⤵
    PID:2432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13112606399120489701,16495829080037836884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2324 /prefetch:2
    3⤵
    PID:1144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13112606399120489701,16495829080037836884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,13112606399120489701,16495829080037836884,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
    3⤵
    PID:4348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13112606399120489701,16495829080037836884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13112606399120489701,16495829080037836884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    3⤵
    PID:4372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,13112606399120489701,16495829080037836884,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5212 /prefetch:8
    3⤵
    PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64\SQLite.Interop.dll

Filesize
1.7MB

MD5
1288823e8e1fca09bb490ce46988188d

SHA1
b07fe4a5d032296e3a7d0727216af8c1d2166e91

SHA256
6514973856d1767ccb375dcb253400e710fb4f91feb758041d8defe92b1886c5

SHA512
88967f64116951092a54118055eab462082f16676ea7565f42515e88765813b53cdfbba5181318e73b668e04ddd030a0bfcf5cf47936772f68df85488b865acd

Download Submit
memory/3352-137-0x00000148434E0000-0x0000014843A08000-memory.dmp

Filesize
5.2MB

Download
memory/3352-136-0x0000014842C90000-0x0000014842D06000-memory.dmp

Filesize
472KB

Download
memory/3352-133-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/3352-141-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/3352-140-0x0000014842D80000-0x0000014842DBA000-memory.dmp

Filesize
232KB

Download
memory/3352-138-0x0000014828970000-0x000001482898E000-memory.dmp

Filesize
120KB

Download
memory/3352-132-0x00000148281B0000-0x0000014828594000-memory.dmp

Filesize
3.9MB

Download
memory/3352-134-0x0000014842DE0000-0x0000014842FA2000-memory.dmp

Filesize
1.8MB

Download
memory/3352-135-0x0000014842B60000-0x0000014842BB0000-memory.dmp

Filesize
320KB

Download