blackguard | c81e2a3b15785a5fb548c5552be839fd92e2fc5423b372fba2f890ad488371b9

General

Target

UMF.Installer.exe
Size

10.4MB
MD5

5a7ecc12107019e47294f27f4d40572c
SHA1

01891d681fd8b6baa0599e335999d427e55179db
SHA256

c81e2a3b15785a5fb548c5552be839fd92e2fc5423b372fba2f890ad488371b9
SHA512

77da7350f3cc4358e07250ee9c6cbd035a9a27a934c019967942841cbf3d49839cb765dc6a22bc121e34ef1494b33050dc5752beff5e1938b82848b3190d4ad1
SSDEEP

196608:DJ06wpSjt1RoahEDQH6TdBy5AY6TdVp/6TdvpPC:d0xpqloDQajPTpCppPC

Score

10^/10

blackguard stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEEXCEL.EXE

pid process

4864 WINWORD.EXE
4864 WINWORD.EXE
956 EXCEL.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UMF.Installer.exe

pid process

1056 UMF.Installer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

UMF.Installer.exeAUDIODG.EXE

description pid process

Token: SeDebugPrivilege 1056 UMF.Installer.exe
Token: 33 1140 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1140 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

956 EXCEL.EXE
956 EXCEL.EXE

pid	process
1056	UMF.Installer.exe

description	pid	process
Token: SeDebugPrivilege	1056	UMF.Installer.exe
Token: 33	1140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1140	AUDIODG.EXE

pid	process
956	EXCEL.EXE
956	EXCEL.EXE

Suspicious use of SetWindowsHookEx 32 IoCs

Processes:

WINWORD.EXEEXCEL.EXE

pid	process
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
4864	WINWORD.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE
956	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\UMF.Installer.exe
"C:\Users\Admin\AppData\Local\Temp\UMF.Installer.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RemoveTrace.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SkipUnlock.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
471B

MD5
9597ee77c49ab9ddbb21f79f347da929

SHA1
69b46af36fe413bcfdc74b8ecf5c99539d0e5aa7

SHA256
8a5ef475d93adf889d8ef5e879ce498773c43ab35da5b0b26e09832055cbcf7d

SHA512
5237207ee3cba33e6343b80503d5ef9459e376f4faf78903261ee1a00b909868e99246e37847661ff81aa1fe89a640659f2a7f30ddd49613da28ed4c73161133

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
412B

MD5
24837df48398b61c9600f8202cdcf4ff

SHA1
22d59641da2b10b00f737b3801ab61fb967fe643

SHA256
80ebfff0cd88755607941aee73902e34606ecce88af0ef8c807400dca1fe6333

SHA512
6f5f86970b9e0ae6085d7d44aea2ef48cd667e726929a1779e5f8c4798114b1c8395119fa157114878e0373e80a1708748a20107a5eeeb1053b10325ebf2dc28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6A3E7C87-763D-4F91-A94F-62A0ACE5FEE1
Filesize
159KB

MD5
fb30335e3432fb04681bea0f39bfd93e

SHA1
2097543616640bdd9de6cc04591615afc8bc3ae5

SHA256
cc2d379217501ab1d7db60d8e5fb210b8d915eb083f468dc6656f63b920fb091

SHA512
5a0e30bcdc6fa4214ad7e9df018aec5e10124bbc1b5f5239a26697a0c2a0246644636a388e8feae3f97395db08b7153b5626632287590d56db8989d4c6d4b01b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
3de490003601a02e9cdb5705b20f6874

SHA1
3e3ef93d99d78a1992a8ed29d29646f342581104

SHA256
d19c297caf4059fa9115fb3c41e75513d1e910b4f381af16cc0ca9438715fa74

SHA512
fe12c44838f42a94ca12d0d6ff72d7e5eab9a94b993b0cd93eb80223b7d6518008d050a65b9a94d8dfe39ef8c2a1a9028844a869b8bd36c560ac39b16b4cc316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
11bfd5bd9d1e2eb53f89498ab78bc1b7

SHA1
7b303e28eef4758409eb77dc708441292d1de825

SHA256
264403640f1fde2b6ed699aa2106808b8591c21fe05f26753e23126a516cc77d

SHA512
81f943831652bcbf432dfdb77bc5f829c8daaee4019c6e2bdca10d1fd1e0d13a33db459c2d6cef9b42efabf647ef66446bb9822ec2e774c7989ecd32591fe887

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
306B

MD5
ab6f06bb8b677d48de8fbea9ee2b83ca

SHA1
eec7705a7d2007658951b89d36538c93d331d539

SHA256
96c785b94751d3ead4cc8c624dca432efec181ade605f2a28527b8e0233fb577

SHA512
236cbc41a6e7f712db98e7aa1f3a982b378148a3ecfa3eeb879cd21cda53ddda6875154ed1ba392ca63ed2e58e3979db249a395c4762179ff1f90d9b3196110c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
255B

MD5
37e70b9e5f18351a27a5e99d8bd9d68e

SHA1
be828514bcd1398586ee2025297c32caa672519b

SHA256
85b40365c2ad1c5d4e34b2ecc1794ad462c5db6adff2aa8c83027c37e195e41d

SHA512
b8b02df8cd6cf7506208fb7b90777801bb12d8be57da2f44dc02d43834e52403d7a3032bfa65279a5573a91aa1ff678ae90f562170296814f3e452f9d3360b30

Download Submit
memory/956-131-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/956-92-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/956-85-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/956-129-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/956-130-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/956-128-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/956-127-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/956-126-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/956-87-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/956-86-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/956-89-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/956-88-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/956-91-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/956-90-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/956-93-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/956-98-0x00007FFC8B980000-0x00007FFC8B990000-memory.dmp

Filesize
64KB

Download
memory/956-97-0x00007FFC8B980000-0x00007FFC8B990000-memory.dmp

Filesize
64KB

Download
memory/956-96-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/956-95-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/956-94-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/1056-2-0x0000026BC2990000-0x0000026BC29A0000-memory.dmp

Filesize
64KB

Download
memory/1056-3-0x0000026BC2990000-0x0000026BC29A0000-memory.dmp

Filesize
64KB

Download
memory/1056-11-0x00007FFCAF740000-0x00007FFCB0201000-memory.dmp

Filesize
10.8MB

Download
memory/1056-4-0x00007FFCAF740000-0x00007FFCB0201000-memory.dmp

Filesize
10.8MB

Download
memory/1056-5-0x0000026BC2990000-0x0000026BC29A0000-memory.dmp

Filesize
64KB

Download
memory/1056-0-0x0000026BA79E0000-0x0000026BA845A000-memory.dmp

Filesize
10.5MB

Download
memory/1056-7-0x0000026BC2990000-0x0000026BC29A0000-memory.dmp

Filesize
64KB

Download
memory/1056-1-0x00007FFCAF740000-0x00007FFCB0201000-memory.dmp

Filesize
10.8MB

Download
memory/1056-8-0x0000026BC2990000-0x0000026BC29A0000-memory.dmp

Filesize
64KB

Download
memory/4864-19-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-80-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-83-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-79-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/4864-84-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-81-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/4864-82-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-78-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/4864-77-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/4864-33-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-34-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-32-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-30-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-31-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-29-0x00007FFC8B980000-0x00007FFC8B990000-memory.dmp

Filesize
64KB

Download
memory/4864-28-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-27-0x00007FFC8B980000-0x00007FFC8B990000-memory.dmp

Filesize
64KB

Download
memory/4864-26-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-25-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-24-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-23-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-22-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-21-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-20-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-18-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-17-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/4864-16-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/4864-15-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

Filesize
2.0MB

Download
memory/4864-14-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/4864-13-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download
memory/4864-12-0x00007FFC8E110000-0x00007FFC8E120000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads