Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
22-05-2024 07:46
Behavioral task
behavioral1
Sample
Valkyria.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Valkyria.exe
Resource
win10v2004-20240426-en
General
-
Target
Valkyria.exe
-
Size
8.2MB
-
MD5
1626922cadeeedea404cadfe628d7e16
-
SHA1
9323dbefdd49c84ae79e188b79bac5cee2ab6a6e
-
SHA256
202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49
-
SHA512
80d0d6b93a8b85e2ed0fb6dee775b6f40f6d39381640c8e8ab3309f58e84d8b17e86b321849a2ffdfa4b7dd39736730b5a1d822f95a20153c1d41d52b604a9e0
-
SSDEEP
196608:68oppJhh2fJB0ZOFkGEWZd7HFApko0eYOiKddHB2icEPld6aGXAr5xN:6jppJEJB0ZOFNVZRlekSFPvHlQAxN
Malware Config
Extracted
blackguard
https://api.telegram.org/bot5865379362:AAEUbyvhTdYJ7SmCp7YyfRe8OBV_Jrj9iqg/sendMessage?chat_id=5481385928
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2060 netsh.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07fe81bb92603a7ba50e57049dc09693Realtek Semiconductor.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07fe81bb92603a7ba50e57049dc09693Realtek Semiconductor.exe server.exe -
Executes dropped EXE 4 IoCs
pid Process 3976 zkzkzkz.exe 592 Everything.exe 2924 Natasha.exe 4424 server.exe -
Loads dropped DLL 5 IoCs
pid Process 2924 Natasha.exe 2924 Natasha.exe 2924 Natasha.exe 2924 Natasha.exe 2924 Natasha.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip-api.com 2 freegeoip.app 1 freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Natasha.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Natasha.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2924 Natasha.exe 2924 Natasha.exe 2924 Natasha.exe 2924 Natasha.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4424 server.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 2924 Natasha.exe Token: SeDebugPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe Token: 33 4424 server.exe Token: SeIncBasePriorityPrivilege 4424 server.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4004 wrote to memory of 3976 4004 Valkyria.exe 79 PID 4004 wrote to memory of 3976 4004 Valkyria.exe 79 PID 4004 wrote to memory of 3976 4004 Valkyria.exe 79 PID 4004 wrote to memory of 592 4004 Valkyria.exe 80 PID 4004 wrote to memory of 592 4004 Valkyria.exe 80 PID 4004 wrote to memory of 592 4004 Valkyria.exe 80 PID 592 wrote to memory of 2924 592 Everything.exe 81 PID 592 wrote to memory of 2924 592 Everything.exe 81 PID 592 wrote to memory of 2924 592 Everything.exe 81 PID 3976 wrote to memory of 4424 3976 zkzkzkz.exe 83 PID 3976 wrote to memory of 4424 3976 zkzkzkz.exe 83 PID 3976 wrote to memory of 4424 3976 zkzkzkz.exe 83 PID 4424 wrote to memory of 2060 4424 server.exe 85 PID 4424 wrote to memory of 2060 4424 server.exe 85 PID 4424 wrote to memory of 2060 4424 server.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\Valkyria.exe"C:\Users\Admin\AppData\Local\Temp\Valkyria.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe"C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
PID:2060
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Everything.exe"C:\Users\Admin\AppData\Local\Temp\Everything.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Users\Admin\AppData\Local\Temp\Natasha.exe"C:\Users\Admin\AppData\Local\Temp\Natasha.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.7MB
MD537f6f35584fac7f216e69e813d4b7c10
SHA1ddb093f14e5f2beb0512ac828448ff06d0237312
SHA256cc17414b5bd2db809411f93256535e78d0c97f42fe86b6cc3119aa7c33c6e3c3
SHA512917368e662428827f8477cc5915e41f6a06324f0e49721f807a6003740749261a219a25cd3d9a43d1a5714c73930e4b2da1240d2a9f108a62b11f990dc42a09e
-
Filesize
270KB
MD50ad61d702d2aca6801a833ec1d4bf5f7
SHA1d4117c6c5c0ae71ee0ccd2554ab40fe69796c519
SHA256e4668273e4cafe5a9a083eaa0d4d52ca1ba707e37ecb715c1b97de1dbb67faf4
SHA512a0743430cabc74edb8600c71a4513ab83d21542a8088d230cd15e070d6b2b2d70dab057dd1bbd1968836bc0f3b3aceb90b98024b889503c6a28926475185e6ec
-
Filesize
571KB
MD5169b6d383b7c650ab3ae2129397a6cf3
SHA1fcaef7defb04301fd55fb1421bb15ef96d7040d6
SHA256b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf
SHA5127a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87
-
Filesize
1.3MB
MD50a1e95b0b1535203a1b8479dff2c03ff
SHA120c4b4406e8a3b1b35ca739ed59aa07ba867043d
SHA256788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e
SHA512854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e
-
Filesize
410KB
MD5056d3fcaf3b1d32ff25f513621e2a372
SHA1851740bca46bab71d0b1d47e47f3eb8358cbee03
SHA25666b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9
SHA512ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180
-
Filesize
93KB
MD5ac79af1c488ed1bc1b289e0eb8d89714
SHA1913ceaaaf7664bb83a496ebe746b6d12bb1e5e9a
SHA256dc8e217ced1f36323ce6c237fdaa330e342063a819c13defe3b248ee84c1d492
SHA512cd09c7c5e60ba946f7c83001876f3d5c48eab06c259324a7941161978531a175d00142cd486ff7cf0d2d461a651745808361e894346259ac079cc90eb42022cc
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
752B
MD5ced7fe9f00d3e465e8d3a2d8e7c59f24
SHA10ec11e6ff38725ab7620fa0b4665dfd696ef1a46
SHA25623370126af8427ab231f2ed5a85f56ce709ff05c75e8807b840f21c3877689da
SHA5127e78607e90d03748ca89cc1b89b1a50f8e755bb6cb5189697ca119be90b3c924aca42f4937d8a2429133806b350a51cc36921bf45ea019e72135e2d7ecf253b2
-
Filesize
1KB
MD598978e88a1cd1e64f67419f7c0ff51bf
SHA1795968f7f89ee87374f473cee64fda6fa4798de6
SHA256aebcae525313ae0791823da3f3f109de97feb4671e979e17be16fd397c963398
SHA5124b00ce5ac5db772af395bbfda316338e918d33a09117607d0a3e4be195340dd5e7f9502463e9bfe3ea671b22b6f727323f5251b3c3d6bdd1fc6790ad5623760e
-
Filesize
5B
MD5d43c5b07c128b116b7bc8faf7b8efa9d
SHA1dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa
SHA25680ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f
SHA512618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334