blackguard | 8103180d40cccad7d6a069b0860ace5ba8340047b8572519ea486ffdf8708b0d | Triage

Analysis

max time kernel
33s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-01-2023 02:57

Sharing

Report Analysis Logs

General

Target

suspicious.exe
Size

4.2MB
MD5

bbb9de0f35d59374d7267f983a3f362b
SHA1

0c4df9e1941b1f555b867b016148409b51f49f63
SHA256

c98e24c174130bba4836e08d24170866aa7128d62d3e2b25f3bc8562fdc74a66
SHA512

4f0138f6bc8c2c015bc37b2a8178bf0fa043af90e6d1a487f7f739486e16d53d0d3ba86d8d30a060d93a038f63bc6cad23531bba90ff3c3aa7c9fc76f2858097
SSDEEP

49152:ghpEf4/4hyBYKMD+SNfXCwJtezvOd0HSC3souk1b36rH4cseBzjyxeb:ghpEwMD+SNfCWtwlcAxC

Score

10^/10

blackguard stealer

Malware Config

Extracted

Family

blackguard

C2

https://win.mirtonewbacker.com/

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1252	1356	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	suspicious.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1252	1356	suspicious.exe	29
PID 1356 wrote to memory of 1252	1356	suspicious.exe	29
PID 1356 wrote to memory of 1252	1356	suspicious.exe	29

C:\Users\Admin\AppData\Local\Temp\suspicious.exe
"C:\Users\Admin\AppData\Local\Temp\suspicious.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1356 -s 692
  2⤵
  - Program crash
  PID:1252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-54-0x0000000001380000-0x00000000013CA000-memory.dmp

Filesize
296KB

Download