Overview

overview

10

Static

static

10

UMF.Installer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    02-05-2024 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UMF.Installer.exe

  • Size

    10.4MB

  • MD5

    5a7ecc12107019e47294f27f4d40572c

  • SHA1

    01891d681fd8b6baa0599e335999d427e55179db

  • SHA256

    c81e2a3b15785a5fb548c5552be839fd92e2fc5423b372fba2f890ad488371b9

  • SHA512

    77da7350f3cc4358e07250ee9c6cbd035a9a27a934c019967942841cbf3d49839cb765dc6a22bc121e34ef1494b33050dc5752beff5e1938b82848b3190d4ad1

  • SSDEEP

    196608:DJ06wpSjt1RoahEDQH6TdBy5AY6TdVp/6TdvpPC:d0xpqloDQajPTpCppPC

Score
10/10
blackguardstealer

Malware Config

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\UMF.Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\UMF.Installer.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2044
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x410 0x150
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1628
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\system32\ipconfig.exe
      ipconfig
      2⤵
      • Gathers network information
      PID:3112
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.0.1423958855\860800048" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f82dcdb-516b-4ec3-8981-abc0e67df683} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 1852 21dfe70c858 gpu
        3⤵
          PID:1976
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.1.2036987783\1895367749" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acc93ed1-b300-45ee-a552-1659733d2b5e} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 2420 21df198a558 socket
          3⤵
          • Checks processor information in registry
          PID:4784
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.2.1012192399\352822466" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3000 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8857066-c3ac-4940-afea-cca97eb84985} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 2696 21d81af5558 tab
          3⤵
            PID:1480
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.3.757454328\966332496" -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96be046b-726e-4338-9892-e6bbc3e0bc3e} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 3696 21d84248558 tab
            3⤵
              PID:532
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.4.1146609385\43116785" -childID 3 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {675a0e55-c24f-4cb4-94ed-b6e577de05ce} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 5152 21d84b78e58 tab
              3⤵
                PID:2108
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.5.1009413966\1633932619" -childID 4 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc640e5f-e66d-496d-a231-08833b2e9a49} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 5284 21d860c5258 tab
                3⤵
                  PID:1868
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.6.579320362\312069488" -childID 5 -isForBrowser -prefsHandle 5284 -prefMapHandle 5464 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1acfd69-bcca-46ab-bf4a-72d1f76d4b81} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 5508 21d860c2858 tab
                  3⤵
                    PID:4196
              • C:\Windows\System32\rundll32.exe
                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                1⤵
                  PID:2384

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  23KB

                  MD5

                  c669f6f95272ee53c54170cdb299e7a7

                  SHA1

                  9a642eddd083b260098edad53f22f0d9b6db3363

                  SHA256

                  8865715175a49110ceef9c023211d5187e8400d7bd9a02d11e7963a1f27709a7

                  SHA512

                  b5ba3a2171f07382561021df8d5709e9193b801ffbf3e83f96389d570fbb5fa621b5be9812b4850b0d47169b0bf41623640e02832518055de08ebcc1858fe9e3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  24KB

                  MD5

                  242c237d2e8ac2557d575c75b8e23828

                  SHA1

                  1a453cf9fd418e144e27dfd1f8c19ae8ef7d73ea

                  SHA256

                  11874d0b3b7a0d91150073d9cdc5c248f6ac152d8d6c3e7164c6da10cb7d9075

                  SHA512

                  e4073d0ad3075e08cdcf0bcee8e6ec73a18cf589ad9024b4cbd9e8019b41f4a111e988b2bb793c34a55d551f81006c8956a8af479da469372bdeabf26efbdfb9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  7ff7c6df1b69d314f942daa9f69879b3

                  SHA1

                  4d8d943a51c564d568d8d667e4da67c181cb8a20

                  SHA256

                  7f0c1f314999417aa69df9fc03533fd6e85612d936dd239963043a4c27a0ac3d

                  SHA512

                  b61787a18f09b927a57876913c4a44c5349b1595e89135b0b85d8d86ca9a326036acf8e2a3f9f7345e2af1bf36477da5691badaeaf8f9559feb7d2aafd4ae0ea

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  1KB

                  MD5

                  bda55eb2a4eecf9fb09ce8caf9885265

                  SHA1

                  465c3c3eb4601680778adc6856b400311f97e68a

                  SHA256

                  d974725920a032a93e521365b42c63d91eaadc21338bdc23750770d3a7c70100

                  SHA512

                  5df9bdff9a72e69955e153b50237c43899ee1dccfd4a696a51ba097b1b00ecca65df48893f467834a9b80726e07855370618ab1fec54844ca7be439137aaa62a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore.jsonlz4
                  Filesize

                  913B

                  MD5

                  1f06fc6255ed9f63a4fb046587a30782

                  SHA1

                  1465fc478b6add59f6d0a153486b33502c63512a

                  SHA256

                  537b279b2f39d6bf6a34cfc74e44870577e7911899a0c1851f42a78002630134

                  SHA512

                  31af5f5e2d25d269402b19aec26fca6a96d4eb683b419a94cc525977394c2d789e298387f9db0f7fb4303ac17e1fc1e570642e9f1d96976502f2ba52cf13f36b

                  Download Submit

                • memory/2044-7-0x00007FFBCD5C3000-0x00007FFBCD5C5000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2044-0-0x00007FFBCD5C3000-0x00007FFBCD5C5000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2044-8-0x00007FFBCD5C0000-0x00007FFBCE081000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2044-9-0x00007FFBCD5C0000-0x00007FFBCE081000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2044-10-0x00007FFBCD5C0000-0x00007FFBCE081000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2044-5-0x00007FFBCD5C0000-0x00007FFBCE081000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2044-4-0x00007FFBCD5C0000-0x00007FFBCE081000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2044-3-0x00007FFBCD5C0000-0x00007FFBCE081000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2044-2-0x00007FFBCD5C0000-0x00007FFBCE081000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2044-1-0x000001DD95790000-0x000001DD9620A000-memory.dmp

                  Filesize

                  10.5MB

                  Download