blackguard | 05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2023 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ecc21c7a2aadaf74dfac9e52723d41e.exe
Size

7.6MB
MD5

4ecc21c7a2aadaf74dfac9e52723d41e
SHA1

1e39e52aefb0b5c7fa16aaf9c9d870150482a4eb
SHA256

05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433
SHA512

9273eed9eaea2638bfb310fa5ed84a0586512b7b85396fb5658e2eb06b7ab81b63cf615674cc4e32130d16a3e173e97b213b8423a5c0c025c36c04d274e85265
SSDEEP

196608:Z0Xi4ZgUmPjE+Agbk9fcGVN8iNISGK71:yXiMgbj7AsGXiw

Score

10^/10

blackguard collection evasion persistence spyware stealer

Malware Config

Extracted

Family

blackguard

http://45.15.156.9

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Executes dropped EXE 2 IoCs

pid	Process
1160	Inst.exe
2808	check.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2368	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	check.exe

Sets file execution options in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DE_Dsefhiws.exe	4ecc21c7a2aadaf74dfac9e52723d41e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Inst.exe

Loads dropped DLL 2 IoCs

pid	Process
1472	4ecc21c7a2aadaf74dfac9e52723d41e.exe
1164	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4ecc21c7a2aadaf74dfac9e52723d41e.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4ecc21c7a2aadaf74dfac9e52723d41e.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4ecc21c7a2aadaf74dfac9e52723d41e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DE_Dsefhiws = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4ecc21c7a2aadaf74dfac9e52723d41e.exe\""	4ecc21c7a2aadaf74dfac9e52723d41e.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	check.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	check.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	check.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	check.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1472	4ecc21c7a2aadaf74dfac9e52723d41e.exe
1472	4ecc21c7a2aadaf74dfac9e52723d41e.exe
1472	4ecc21c7a2aadaf74dfac9e52723d41e.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
644	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	4ecc21c7a2aadaf74dfac9e52723d41e.exe
Token: SeDebugPrivilege	2808	check.exe
Token: SeAuditPrivilege	1164	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	check.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1160	1472	4ecc21c7a2aadaf74dfac9e52723d41e.exe	88
PID 1472 wrote to memory of 1160	1472	4ecc21c7a2aadaf74dfac9e52723d41e.exe	88
PID 1472 wrote to memory of 1160	1472	4ecc21c7a2aadaf74dfac9e52723d41e.exe	88
PID 1160 wrote to memory of 2808	1160	Inst.exe	90
PID 1160 wrote to memory of 2808	1160	Inst.exe	90
PID 1160 wrote to memory of 2808	1160	Inst.exe	90
PID 2808 wrote to memory of 2368	2808	check.exe	95
PID 2808 wrote to memory of 2368	2808	check.exe	95

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4ecc21c7a2aadaf74dfac9e52723d41e.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4ecc21c7a2aadaf74dfac9e52723d41e.exe

C:\Users\Admin\AppData\Local\Temp\4ecc21c7a2aadaf74dfac9e52723d41e.exe
"C:\Users\Admin\AppData\Local\Temp\4ecc21c7a2aadaf74dfac9e52723d41e.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1472
- C:\Users\Admin\AppData\Local\Temp\Inst.exe
  "C:\Users\Admin\AppData\Local\Temp\Inst.exe" x -pBlackTeam000111000111!
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\check.exe
    "C:\Users\Admin\AppData\Local\Temp\check.exe" -i
    3⤵
    - Executes dropped EXE
    - Sets DLL path for service in the registry
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
      4⤵
      Modifies Windows Firewall
      PID:2368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inst.exe

Filesize
937KB

MD5
63b04396c6d905ca0a6463b7d5858e5a

SHA1
f4d9321c1ad0cec6ad67d8d80e82da6998f1ae68

SHA256
fda99b27e4ea7b728efe039d282ef7ee26db2380b8effa5a814da986e7ec887e

SHA512
c4a31cb94279622634f05d96e3304aed2287eca85c9a519f79ba9f2f64854d5de08ddcd6b4ce4226db51b6971386da07393d55b7a76fa6953107acfc3e735975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inst.exe

Filesize
937KB

MD5
63b04396c6d905ca0a6463b7d5858e5a

SHA1
f4d9321c1ad0cec6ad67d8d80e82da6998f1ae68

SHA256
fda99b27e4ea7b728efe039d282ef7ee26db2380b8effa5a814da986e7ec887e

SHA512
c4a31cb94279622634f05d96e3304aed2287eca85c9a519f79ba9f2f64854d5de08ddcd6b4ce4226db51b6971386da07393d55b7a76fa6953107acfc3e735975

Download Submit
C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdpwrap.ini

Filesize
325KB

MD5
978614ba750e0bede19be09885076cb1

SHA1
8ac61f5a3c37adff67c6a71a3adea5f4ddba0e63

SHA256
39e76f6ab9fde606bbb277202e0af7cfe6e419a22936da7f3269969b8fb9dcd4

SHA512
846ac9df5838f85a9cdc36edffb599144dd84e3ce0996a1471ca9ae10c88bbfe9de02b7b42664eb2559f3a87cf3263c87e0a6050f08150346cc5294c65d527bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64\SQLite.Interop.dll

Filesize
1.7MB

MD5
a73fdfb6815b151848257eca042a42ef

SHA1
73f18e6b4d1f638e7ce2a7ad36635018482f2c55

SHA256
10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

SHA512
111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
338KB

MD5
f10fc43d60c6a5c2535c838b4e74f981

SHA1
821f61300c5ece44c740d1b507737845b9896f43

SHA256
cf95d896468d266e403b6ba60b299a78b7901f320a74b7103ef918bfc407c8fb

SHA512
9f9a304a7af6ea1dc2806d162033c9649746a0f5345e2e807b3a10f86cb378ebe7580580a31ca5534504c19bef8cac851d171e5d037f80da4fa789f89271fcf9

Download Submit
memory/1472-138-0x000002ABEE610000-0x000002ABEE660000-memory.dmp

Filesize
320KB

Download
memory/1472-132-0x000002ABD2840000-0x000002ABD2FD8000-memory.dmp

Filesize
7.6MB

Download
memory/1472-144-0x00007FFA25810000-0x00007FFA25A05000-memory.dmp

Filesize
2.0MB

Download
memory/1472-141-0x000002ABD4C10000-0x000002ABD4C2E000-memory.dmp

Filesize
120KB

Download
memory/1472-140-0x000002ABEEEE0000-0x000002ABEF408000-memory.dmp

Filesize
5.2MB

Download
memory/1472-139-0x000002ABEE6E0000-0x000002ABEE756000-memory.dmp

Filesize
472KB

Download
memory/1472-133-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp

Filesize
10.8MB

Download
memory/1472-143-0x000002ABEE7A0000-0x000002ABEE7DA000-memory.dmp

Filesize
232KB

Download
memory/1472-137-0x00007FFA25810000-0x00007FFA25A05000-memory.dmp

Filesize
2.0MB

Download
memory/1472-136-0x000002ABEE7E0000-0x000002ABEE9A2000-memory.dmp

Filesize
1.8MB

Download
memory/1472-135-0x00007FFA25810000-0x00007FFA25A05000-memory.dmp

Filesize
2.0MB

Download
memory/1472-134-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp

Filesize
10.8MB

Download