Analysis
  max time kernel: 134s
  max time network: 137s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 22-05-2024 07:33

Behavioral task: behavioral1
  Sample: Valkyria.exe
  Resource: win7-20240508-en
General
  Target: Valkyria.exe
  Size: 8.2MB
  MD5: 1626922cadeeedea404cadfe628d7e16
  SHA1: 9323dbefdd49c84ae79e188b79bac5cee2ab6a6e
  SHA256: 202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49
  SHA512: 80d0d6b93a8b85e2ed0fb6dee775b6f40f6d39381640c8e8ab3309f58e84d8b17e86b321849a2ffdfa4b7dd39736730b5a1d822f95a20153c1d41d52b604a9e0
  SSDEEP: 196608:68oppJhh2fJB0ZOFkGEWZd7HFApko0eYOiKddHB2icEPld6aGXAr5xN:6jppJEJB0ZOFNVZRlekSFPvHlQAxN
Malware Config
  Extracted: njrat
    0.7d
    SvHost
    hakim32.ddns.net:2000
    rates-alfred.gl.at.ply.gg:39912
    07fe81bb92603a7ba50e57049dc09693
    reg_key: 07fe81bb92603a7ba50e57049dc09693
    splitter: |'|'|
  Extracted: blackguard
    https://api.telegram.org/bot5865379362:AAEUbyvhTdYJ7SmCp7YyfRe8OBV_Jrj9iqg/sendMessage?chat_id=5481385928
Signatures
  BlackGuard
    Infostealer first seen in Late 2021.
  Modifies Windows Firewall (2 TTPs, 1 IoC)
    Processes:
      pid | process
      1732 | netsh.exe
  Drops startup file (4 IoCs)
    Processes:
      description | ioc | process
      File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.exe | server.exe
      File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.exe | server.exe
      File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07fe81bb92603a7ba50e57049dc09693Realtek Semiconductor.exe | server.exe
      File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07fe81bb92603a7ba50e57049dc09693Realtek Semiconductor.exe | server.exe
  Executes dropped EXE (4 IoCs)
    Processes:
      pid | process
      896 | zkzkzkz.exe
      2628 | Everything.exe
      2204 | Natasha.exe
      1028 | server.exe
  Loads dropped DLL (14 IoCs)
    Processes:
      pid | process
      2972 | Valkyria.exe
      2972 | Valkyria.exe
      2972 | Valkyria.exe
      2972 | Valkyria.exe
      2628 | Everything.exe
      2204 | Natasha.exe
      2204 | Natasha.exe
      2204 | Natasha.exe
      2204 | Natasha.exe
      2204 | Natasha.exe
      2204 | Natasha.exe
      2204 | Natasha.exe
      896 | zkzkzkz.exe
      896 | zkzkzkz.exe
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  Looks up external IP address via web service (3 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    Processes:
      flow | ioc
      6 | ip-api.com
      2 | freegeoip.app
      3 | freegeoip.app
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    Processes:
      description | ioc | process
      Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Natasha.exe
      Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Natasha.exe
  Suspicious behavior: EnumeratesProcesses (4 IoCs)
    Processes:
      pid | process
      2204 | Natasha.exe
      2204 | Natasha.exe
      2204 | Natasha.exe
      2204 | Natasha.exe
  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    Processes:
      pid | process
      1028 | server.exe
  Suspicious use of AdjustPrivilegeToken (32 IoCs)
    Processes:
      description | pid | process
      Token: SeDebugPrivilege | 2204 | Natasha.exe
      Token: SeDebugPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
      Token: 33 | 1028 | server.exe
      Token: SeIncBasePriorityPrivilege | 1028 | server.exe
  Suspicious use of WriteProcessMemory (20 IoCs)
    Processes:
      description | pid | process | target process
      PID 2972 wrote to memory of 896 | 2972 | Valkyria.exe | zkzkzkz.exe
      PID 2972 wrote to memory of 896 | 2972 | Valkyria.exe | zkzkzkz.exe
      PID 2972 wrote to memory of 896 | 2972 | Valkyria.exe | zkzkzkz.exe
      PID 2972 wrote to memory of 896 | 2972 | Valkyria.exe | zkzkzkz.exe
      PID 2972 wrote to memory of 2628 | 2972 | Valkyria.exe | Everything.exe
      PID 2972 wrote to memory of 2628 | 2972 | Valkyria.exe | Everything.exe
      PID 2972 wrote to memory of 2628 | 2972 | Valkyria.exe | Everything.exe
      PID 2972 wrote to memory of 2628 | 2972 | Valkyria.exe | Everything.exe
      PID 2628 wrote to memory of 2204 | 2628 | Everything.exe | Natasha.exe
      PID 2628 wrote to memory of 2204 | 2628 | Everything.exe | Natasha.exe
      PID 2628 wrote to memory of 2204 | 2628 | Everything.exe | Natasha.exe
      PID 2628 wrote to memory of 2204 | 2628 | Everything.exe | Natasha.exe
      PID 896 wrote to memory of 1028 | 896 | zkzkzkz.exe | server.exe
      PID 896 wrote to memory of 1028 | 896 | zkzkzkz.exe | server.exe
      PID 896 wrote to memory of 1028 | 896 | zkzkzkz.exe | server.exe
      PID 896 wrote to memory of 1028 | 896 | zkzkzkz.exe | server.exe
      PID 1028 wrote to memory of 1732 | 1028 | server.exe | netsh.exe
      PID 1028 wrote to memory of 1732 | 1028 | server.exe | netsh.exe
      PID 1028 wrote to memory of 1732 | 1028 | server.exe | netsh.exe
      PID 1028 wrote to memory of 1732 | 1028 | server.exe | netsh.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\Valkyria.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Valkyria.exe"
    PID: 2972
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe"
      PID: 896
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\server.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        PID: 1028
        - Drops startup file
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe
          command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          PID: 1732
          - Modifies Windows Firewall
    C:\Users\Admin\AppData\Local\Temp\Everything.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Everything.exe"
      PID: 2628
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\Natasha.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Natasha.exe"
        PID: 2204
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\DllHost.exe
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    PID: 824
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 571KB
    MD5: 169b6d383b7c650ab3ae2129397a6cf3
    SHA1: fcaef7defb04301fd55fb1421bb15ef96d7040d6
    SHA256: b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf
    SHA512: 7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87
  Filesize: 410KB
    MD5: 056d3fcaf3b1d32ff25f513621e2a372
    SHA1: 851740bca46bab71d0b1d47e47f3eb8358cbee03
    SHA256: 66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9
    SHA512: ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180
  Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
  Filesize: 401B
    MD5: 6d15793e9485ebed08c79980328377f1
    SHA1: 70b6e607f62bceeb0401a2c6d0211519c8f0e6e4
    SHA256: cb1c0d401a6f3ecc67ede839eae31a0799cd2f6842f2fdd73cd638b9968a8624
    SHA512: 26c350015b070195e244d62c8cc89e8dc61aa71e638efc2ba76149da4dc4d18f3ccb2fdbc9cf92506b864eff36174964c68d1248aa21a0589394304970d28d0d
  Filesize: 5B
    MD5: d43c5b07c128b116b7bc8faf7b8efa9d
    SHA1: dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa
    SHA256: 80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f
    SHA512: 618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334
  Filesize: 7.7MB
    MD5: 37f6f35584fac7f216e69e813d4b7c10
    SHA1: ddb093f14e5f2beb0512ac828448ff06d0237312
    SHA256: cc17414b5bd2db809411f93256535e78d0c97f42fe86b6cc3119aa7c33c6e3c3
    SHA512: 917368e662428827f8477cc5915e41f6a06324f0e49721f807a6003740749261a219a25cd3d9a43d1a5714c73930e4b2da1240d2a9f108a62b11f990dc42a09e
  Filesize: 270KB
    MD5: 0ad61d702d2aca6801a833ec1d4bf5f7
    SHA1: d4117c6c5c0ae71ee0ccd2554ab40fe69796c519
    SHA256: e4668273e4cafe5a9a083eaa0d4d52ca1ba707e37ecb715c1b97de1dbb67faf4
    SHA512: a0743430cabc74edb8600c71a4513ab83d21542a8088d230cd15e070d6b2b2d70dab057dd1bbd1968836bc0f3b3aceb90b98024b889503c6a28926475185e6ec
  Filesize: 1.3MB
    MD5: 0a1e95b0b1535203a1b8479dff2c03ff
    SHA1: 20c4b4406e8a3b1b35ca739ed59aa07ba867043d
    SHA256: 788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e
    SHA512: 854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e
  Filesize: 93KB
    MD5: ac79af1c488ed1bc1b289e0eb8d89714
    SHA1: 913ceaaaf7664bb83a496ebe746b6d12bb1e5e9a
    SHA256: dc8e217ced1f36323ce6c237fdaa330e342063a819c13defe3b248ee84c1d492
    SHA512: cd09c7c5e60ba946f7c83001876f3d5c48eab06c259324a7941161978531a175d00142cd486ff7cf0d2d461a651745808361e894346259ac079cc90eb42022cc