Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11-06-2024 08:51
Static task
static1
Behavioral task
behavioral1
Sample
PacketActivation.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
PacketActivation.exe
Resource
win10v2004-20240508-en
General
-
Target
PacketActivation.exe
-
Size
4.1MB
-
MD5
87fa0fe0593a2ef299681a633404dd7d
-
SHA1
bc9013fa509f6c4ed023d9e8abc7a6e93815e6c5
-
SHA256
41f44fdc7eb02120732d137d63c0d4783c29d1776b019418ce603dbf57211fcc
-
SHA512
94e471f564bf5769f97645c8e29a7e8b9d8bffa18961709ea55e8e7bc5ca63607d0e00c0ab39a1c52cac7748827963db6a23ebd4e83dbe812fec38bc1dfac4f5
-
SSDEEP
98304:qNHUrw3RvYaqAhL8l+4gq5weeAtEkQM/BGPI4TEJeM4f19D:qFUsYaXhL6M5OEQbeZD
Malware Config
Extracted
blackguard
https://api.telegram.org/bot7140928156:AAEztW6njaBSBQenLVfrMSGqlfVmVwIcmu4/sendMessage?chat_id=6264855427
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Executes dropped EXE 1 IoCs
pid Process 2692 windows.exe -
Loads dropped DLL 1 IoCs
pid Process 2724 PacketActivation.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org 6 freegeoip.app 7 freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2692 windows.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1476 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2692 windows.exe Token: SeDebugPrivilege 1476 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe 1476 taskmgr.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2724 wrote to memory of 2692 2724 PacketActivation.exe 28 PID 2724 wrote to memory of 2692 2724 PacketActivation.exe 28 PID 2724 wrote to memory of 2692 2724 PacketActivation.exe 28 PID 2724 wrote to memory of 2692 2724 PacketActivation.exe 28 PID 2692 wrote to memory of 2472 2692 windows.exe 29 PID 2692 wrote to memory of 2472 2692 windows.exe 29 PID 2692 wrote to memory of 2472 2692 windows.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\PacketActivation.exe"C:\Users\Admin\AppData\Local\Temp\PacketActivation.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\windows.exe"C:\Users\Admin\AppData\Local\Temp\windows.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2692 -s 15123⤵PID:2472
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1476
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
695KB
MD5195ffb7167db3219b217c4fd439eedd6
SHA11e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA51256eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
Filesize
402KB
MD5b0911d27918a1e20088b4e6b6ec29ad3
SHA193a285c96a4d391ea4fe6655caaa0bbf2ee52683
SHA25624043ef4472d9d035cd1a8294f68d2bbfdf76f5455af80c09c89e64f6ed15917
SHA512518da2e73b849be38570d7db218adeb47f85fde89c15dac577eb1446a9a55bb4cfaf31d371428b9c4f0c69c0be3e2cb10fafcadbec24e8ab793b639392e3f029
-
Filesize
396KB
MD5c7c3fd7172b10b8691792272b06b3e17
SHA1fd21f5ab5d44d1a9b47a963c7c2f7b7c70a6f0a3
SHA2568f05bed500fff1cfab1c4f482579209129070c7d6350ee99621b1fd8e5e9a767
SHA512448b5ab67cf1b51614f093258b6479854dfea4ab13ba27665770c2a31b0e051e13427cd1356afbb0462c165b180430462284a7812e48a48168ed9bd04a292413