Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 08:51

General

  • Target

    PacketActivation.exe

  • Size

    4.1MB

  • MD5

    87fa0fe0593a2ef299681a633404dd7d

  • SHA1

    bc9013fa509f6c4ed023d9e8abc7a6e93815e6c5

  • SHA256

    41f44fdc7eb02120732d137d63c0d4783c29d1776b019418ce603dbf57211fcc

  • SHA512

    94e471f564bf5769f97645c8e29a7e8b9d8bffa18961709ea55e8e7bc5ca63607d0e00c0ab39a1c52cac7748827963db6a23ebd4e83dbe812fec38bc1dfac4f5

  • SSDEEP

    98304:qNHUrw3RvYaqAhL8l+4gq5weeAtEkQM/BGPI4TEJeM4f19D:qFUsYaXhL6M5OEQbeZD

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot7140928156:AAEztW6njaBSBQenLVfrMSGqlfVmVwIcmu4/sendMessage?chat_id=6264855427
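
The C2 above is a Telegram Bot API call: the path carries the bot id and its token (a live credential for the attacker's bot, and the thing to report to Telegram for a takedown), and `chat_id` names the channel the stolen data is posted to. The following is an added example, not part of the sandbox report, that parses that URL into its parts and flags Bot API exfiltration methods in proxy log lines. The log lines other than the report's URL, the client IPs and the `client method url` line format are constructed; the token charset and minimum length in the regex are an assumption.

```python
"""Parse the Telegram Bot API C2 URL from the report and flag similar exfil
calls in constructed proxy log lines (example code, not from the sandbox)."""
import re
from urllib.parse import urlsplit, parse_qs

# Bot API path shape: /bot<bot_id>:<token>/<method>. Token charset and length
# bounds are an assumption about what Telegram issues, not a documented rule.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)$")

def parse_telegram_c2(url):
    """Return bot_id, token, method and chat_id for a Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": int(m.group(1)), "token": f"{m.group(1)}:{m.group(2)}",
            "method": m.group(3), "chat_id": chat_id}

# Methods a stealer uses to push data out; getUpdates/getMe would be tasking
# or token validation rather than exfiltration.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

def find_telegram_exfil(log_lines):
    """Scan constructed 'client method url' proxy lines; one hit per exfil call."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        parsed = parse_telegram_c2(fields[2])
        if parsed and parsed["method"] in EXFIL_METHODS:
            hits.append({"client": fields[0], **parsed})
    return hits

# The C2 URL as listed in the report.
C2_URL = ("https://api.telegram.org/bot7140928156:AAEztW6njaBSBQenLVfrMSGqlfVmVwIcmu4"
          "/sendMessage?chat_id=6264855427")

# Constructed log lines; only the first URL comes from the report.
SAMPLE_LOG = [
    f"10.0.0.23 POST {C2_URL}",
    "10.0.0.23 GET https://api.telegram.org/bot7140928156:AAEztW6njaBSBQenLVfrMSGqlfVmVwIcmu4/getMe",
    "10.0.0.40 GET https://telegram.org/",
    "10.0.0.41 GET https://example.com/bot123:abc/sendMessage",
]

if __name__ == "__main__":
    for hit in find_telegram_exfil(SAMPLE_LOG):
        print(hit)
```

Keying detections on the `api.telegram.org/bot<id>:<token>/send*` shape rather than on this one token catches the next build of the same stealer, which only rotates the bot; the parsed `bot_id` is what to pivot on across samples.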

Signatures

  • BlackGuard

    Infostealer first seen in late 2021.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PacketActivation.exe
    "C:\Users\Admin\AppData\Local\Temp\PacketActivation.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\windows.exe
      "C:\Users\Admin\AppData\Local\Temp\windows.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2692 -s 1512
        3⤵
          PID:2472
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1476
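
Two things in the tree above are worth a detection and a caveat. The dropper in %TEMP% writes and executes a second binary in the same directory (windows.exe, PID 2692), and that child is then the target of `WerFault.exe -u -p 2692 -s 1512`, which is Windows Error Reporting being invoked for a crashed PID 2692: the payload faulted during the run, so behaviour recorded after that point may be incomplete. The following is an added example, not part of the sandbox report, that applies a temp-to-temp spawn rule to Sysmon-style process-creation events and annotates an alert when WerFault reports the child crashing. The event records are constructed from the report's tree; the explorer.exe parent and its PID are assumed, as is the temp-directory pattern covering any user name.

```python
"""Detect the dropper -> dropped-EXE chain from the report on constructed
Sysmon-style process-creation events (example code, not from the sandbox)."""
import re
from dataclasses import dataclass

# Per-user temp directory as Sysmon logs it; assumed to cover any user name,
# not only the "Admin" account used in the sandbox.
TEMP_DIR_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str

def in_temp(path):
    return bool(TEMP_DIR_RE.match(path))

def is_temp_to_temp_spawn(ev):
    """Parent in %TEMP% spawns a different executable that also lives in %TEMP%."""
    return (in_temp(ev.parent_image) and in_temp(ev.image)
            and ev.parent_image.lower() != ev.image.lower())

def werfault_target_pid(ev):
    """Return the crashed PID from 'WerFault.exe -u -p <pid> -s <n>', else None."""
    if not ev.image.lower().endswith("\\werfault.exe"):
        return None
    m = re.search(r"(?:^|\s)-p\s+(\d+)", ev.command_line)
    return int(m.group(1)) if m else None

def analyse(events):
    """One alert per temp->temp spawn, annotated if WerFault reported the child."""
    events = list(events)
    crashed = {pid for pid in (werfault_target_pid(e) for e in events) if pid is not None}
    alerts = []
    for e in events:
        if is_temp_to_temp_spawn(e):
            alerts.append({
                "rule": "dropped_exe_from_temp",
                "parent": e.parent_image, "child": e.image, "pid": e.pid,
                "child_crashed": e.pid in crashed,
            })
    return alerts

# Constructed events mirroring the report's tree (images, command lines and
# PIDs 2724/2692/2472/1476 from the report; explorer.exe parent assumed).
SAMPLE_EVENTS = [
    ProcEvent(2724, r"C:\Users\Admin\AppData\Local\Temp\PacketActivation.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\PacketActivation.exe"',
              1800, r"C:\Windows\explorer.exe"),
    ProcEvent(2692, r"C:\Users\Admin\AppData\Local\Temp\windows.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\windows.exe"',
              2724, r"C:\Users\Admin\AppData\Local\Temp\PacketActivation.exe"),
    ProcEvent(2472, r"C:\Windows\system32\WerFault.exe",
              r"C:\Windows\system32\WerFault.exe -u -p 2692 -s 1512",
              2692, r"C:\Users\Admin\AppData\Local\Temp\windows.exe"),
    ProcEvent(1476, r"C:\Windows\system32\taskmgr.exe",
              r'"C:\Windows\system32\taskmgr.exe" /4',
              1800, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

A `child_crashed` alert is a hint to re-run the sample or inspect the WerFault dump rather than to trust the recorded network and file activity as the full picture.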

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

      Filesize

      695KB

      MD5

      195ffb7167db3219b217c4fd439eedd6

      SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

      SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

      SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    • C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

      Filesize

      402KB

      MD5

      b0911d27918a1e20088b4e6b6ec29ad3

      SHA1

      93a285c96a4d391ea4fe6655caaa0bbf2ee52683

      SHA256

      24043ef4472d9d035cd1a8294f68d2bbfdf76f5455af80c09c89e64f6ed15917

      SHA512

      518da2e73b849be38570d7db218adeb47f85fde89c15dac577eb1446a9a55bb4cfaf31d371428b9c4f0c69c0be3e2cb10fafcadbec24e8ab793b639392e3f029

    • \Users\Admin\AppData\Local\Temp\windows.exe

      Filesize

      396KB

      MD5

      c7c3fd7172b10b8691792272b06b3e17

      SHA1

      fd21f5ab5d44d1a9b47a963c7c2f7b7c70a6f0a3

      SHA256

      8f05bed500fff1cfab1c4f482579209129070c7d6350ee99621b1fd8e5e9a767

      SHA512

      448b5ab67cf1b51614f093258b6479854dfea4ab13ba27665770c2a31b0e051e13427cd1356afbb0462c165b180430462284a7812e48a48168ed9bd04a292413

    • memory/1476-51-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/1476-52-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/1476-53-0x0000000002050000-0x0000000002060000-memory.dmp

      Filesize

      64KB

    • memory/1476-54-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2692-15-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

      Filesize

      4KB

    • memory/2692-16-0x0000000000CE0000-0x0000000000D4A000-memory.dmp

      Filesize

      424KB

    • memory/2692-19-0x0000000000B50000-0x0000000000C02000-memory.dmp

      Filesize

      712KB

    • memory/2692-49-0x000000001A800000-0x000000001A866000-memory.dmp

      Filesize

      408KB

    • memory/2692-50-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

      Filesize

      4KB