Overview

overview

10

Static

static

3

PacketActivation.exe

windows7-x64

10

PacketActivation.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 08:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PacketActivation.exe

  • Size

    4.1MB

  • MD5

    87fa0fe0593a2ef299681a633404dd7d

  • SHA1

    bc9013fa509f6c4ed023d9e8abc7a6e93815e6c5

  • SHA256

    41f44fdc7eb02120732d137d63c0d4783c29d1776b019418ce603dbf57211fcc

  • SHA512

    94e471f564bf5769f97645c8e29a7e8b9d8bffa18961709ea55e8e7bc5ca63607d0e00c0ab39a1c52cac7748827963db6a23ebd4e83dbe812fec38bc1dfac4f5

  • SSDEEP

    98304:qNHUrw3RvYaqAhL8l+4gq5weeAtEkQM/BGPI4TEJeM4f19D:qFUsYaXhL6M5OEQbeZD

Score
10/10
blackguardspywarestealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot7140928156:AAEztW6njaBSBQenLVfrMSGqlfVmVwIcmu4/sendMessage?chat_id=6264855427

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\PacketActivation.exe
    "C:\Users\Admin\AppData\Local\Temp\PacketActivation.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\windows.exe
      "C:\Users\Admin\AppData\Local\Temp\windows.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:216
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4532
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4416
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3132
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4712
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4712.0.1794931168\830573565" -parentBuildID 20230214051806 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b80838dc-dff1-42c2-997b-9754e4064f50} 4712 "\\.\pipe\gecko-crash-server-pipe.4712" 1884 20ebfe26a58 gpu
          3⤵
            PID:3488
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4712.1.1099011682\2062154857" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2416 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4e697b7-228d-4e03-a14e-51dd2ce1493f} 4712 "\\.\pipe\gecko-crash-server-pipe.4712" 2452 20eb2f89058 socket
            3⤵
              PID:3636
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4712.2.622521740\308835730" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3080 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84d27660-87ab-44eb-ba4d-747301f2660d} 4712 "\\.\pipe\gecko-crash-server-pipe.4712" 3096 20ec2c05758 tab
              3⤵
                PID:1104
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4712.3.219177292\1103059878" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b74a489-63dc-4c79-93a2-83212c12fbcf} 4712 "\\.\pipe\gecko-crash-server-pipe.4712" 3680 20ec4af2f58 tab
                3⤵
                  PID:3812
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4712.4.1993614264\392707590" -childID 3 -isForBrowser -prefsHandle 5060 -prefMapHandle 5084 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4602c4ee-b3bc-49d2-abb0-4523d925d1d3} 4712 "\\.\pipe\gecko-crash-server-pipe.4712" 5096 20ec6862758 tab
                  3⤵
                    PID:3624
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4712.5.1296344054\2065480743" -childID 4 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cafee989-430e-47d9-9f49-146615fee091} 4712 "\\.\pipe\gecko-crash-server-pipe.4712" 5204 20ec6864e58 tab
                    3⤵
                      PID:4264
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4712.6.2102984910\1752445905" -childID 5 -isForBrowser -prefsHandle 5416 -prefMapHandle 5200 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4b71138-4795-4bf1-a5b3-895aefe6f400} 4712 "\\.\pipe\gecko-crash-server-pipe.4712" 5404 20ec6863c58 tab
                      3⤵
                        PID:2748
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4712.7.133039869\443276476" -childID 6 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa01b4c2-b7d7-4f3e-9af5-be8f5cec5737} 4712 "\\.\pipe\gecko-crash-server-pipe.4712" 4976 20ec5788158 tab
                        3⤵
                          PID:3188
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k SDRSVC
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:844

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      23KB

                      MD5

                      0d06c2daa3cd60b56b2238d3fc64af1e

                      SHA1

                      c9d977d8cac013bcecb8e00c7b0999c1fa2362ce

                      SHA256

                      fa135239ce63951634538a554bb32d1b11e7eb1ad2254478f2744a25c48bb3ac

                      SHA512

                      8a82ea28c05e4277d88e535556a4fb1cef85e7733b1ec1c4f1f07fed9cff559468c971e67ac8e9f65576c5596ee3153cdae8f8e3eb78ed15322631cf25e9e98e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\BouncyCastle.Crypto.dll
                      Filesize

                      3.2MB

                      MD5

                      0cf454b6ed4d9e46bc40306421e4b800

                      SHA1

                      9611aa929d35cbd86b87e40b628f60d5177d2411

                      SHA256

                      e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

                      SHA512

                      85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
                      Filesize

                      695KB

                      MD5

                      195ffb7167db3219b217c4fd439eedd6

                      SHA1

                      1e76e6099570ede620b76ed47cf8d03a936d49f8

                      SHA256

                      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

                      SHA512

                      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll
                      Filesize

                      1.7MB

                      MD5

                      a73fdfb6815b151848257eca042a42ef

                      SHA1

                      73f18e6b4d1f638e7ce2a7ad36635018482f2c55

                      SHA256

                      10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

                      SHA512

                      111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
                      Filesize

                      402KB

                      MD5

                      b0911d27918a1e20088b4e6b6ec29ad3

                      SHA1

                      93a285c96a4d391ea4fe6655caaa0bbf2ee52683

                      SHA256

                      24043ef4472d9d035cd1a8294f68d2bbfdf76f5455af80c09c89e64f6ed15917

                      SHA512

                      518da2e73b849be38570d7db218adeb47f85fde89c15dac577eb1446a9a55bb4cfaf31d371428b9c4f0c69c0be3e2cb10fafcadbec24e8ab793b639392e3f029

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmp74DF.tmp.dat
                      Filesize

                      116KB

                      MD5

                      f70aa3fa04f0536280f872ad17973c3d

                      SHA1

                      50a7b889329a92de1b272d0ecf5fce87395d3123

                      SHA256

                      8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                      SHA512

                      30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.dat
                      Filesize

                      124KB

                      MD5

                      9618e15b04a4ddb39ed6c496575f6f95

                      SHA1

                      1c28f8750e5555776b3c80b187c5d15a443a7412

                      SHA256

                      a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

                      SHA512

                      f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\windows.exe
                      Filesize

                      396KB

                      MD5

                      c7c3fd7172b10b8691792272b06b3e17

                      SHA1

                      fd21f5ab5d44d1a9b47a963c7c2f7b7c70a6f0a3

                      SHA256

                      8f05bed500fff1cfab1c4f482579209129070c7d6350ee99621b1fd8e5e9a767

                      SHA512

                      448b5ab67cf1b51614f093258b6479854dfea4ab13ba27665770c2a31b0e051e13427cd1356afbb0462c165b180430462284a7812e48a48168ed9bd04a292413

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.js
                      Filesize

                      7KB

                      MD5

                      3ece70123d655a83dc1bb194ba33afed

                      SHA1

                      1ad792e8ce3d3199deef2f29c7802ac67c1c0473

                      SHA256

                      2ad8c2f446fd223c6293a7e0d14a2072f80a7d70d01cdba216770eac3724b989

                      SHA512

                      e45a6ce5bdd1bfbcb4611a5f07e0f670841820dad8d222a1f588bb90d2de01b73404a29b44defc4edd8960e9c7f2052f39d7625d823458f511602ea976e919f4

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      cf6372bdec6edd63cf1154de0e545c8e

                      SHA1

                      8d06f277af39502b1e7c4eef23e132056729fea0

                      SHA256

                      11c89c52df06ad9d075c01d59d197318367cd756f63e74495f21c7b9ca3f47d5

                      SHA512

                      e1d5e4571fca6c5af6a67c5122a4d6e09b160342abaad3b6fea7b4949783b2c09393e0af001e7311efc6c9bffac3bf779c304e110652df9638e7cd6e5f1f49e8

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      6c6ac14c6252ec8e4afd34318070c262

                      SHA1

                      a2543f76a976fced3168faca3fb4a65319708d2b

                      SHA256

                      51ef095713d280669764ec16ad9749e7c4416f98f1b4ae86f3622528d18bbc87

                      SHA512

                      e166316879d8b7ec2a98b43843228d6315953e5147cf520bb15b40fae51432a84c26e88fa08ea2e60704a17d466b581d71bda2814922ffc161c2a32b9bd73b9c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      07e9be281b2e39acd905ed77a2a10a91

                      SHA1

                      74db0fc1e185c4d59c368713c79cb25e3c0d4edd

                      SHA256

                      9c4930bc64a0fe7eb61739235480d085e5a441c010e3074ea248ff1eaddb99df

                      SHA512

                      04daf188209647df504fded190356d7945aeff4cb8254962177dfc7cc021ce6c1ae112649158c114ce17db0297de8f708ffb9c4f3738f1869e227e54aa84547e

                      Download Submit

                    • memory/216-94-0x000001C624EE0000-0x000001C624F06000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/216-81-0x000001C63F310000-0x000001C63F3C2000-memory.dmp

                      Filesize

                      712KB

                      Download

                    • memory/216-89-0x000001C63F860000-0x000001C63FB8E000-memory.dmp

                      Filesize

                      3.2MB

                      Download

                    • memory/216-84-0x000001C624EB0000-0x000001C624ED2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/216-83-0x000001C63EEF0000-0x000001C63EF40000-memory.dmp

                      Filesize

                      320KB

                      Download

                    • memory/216-93-0x000001C63F570000-0x000001C63F5AA000-memory.dmp

                      Filesize

                      232KB

                      Download

                    • memory/216-99-0x000001C63FB90000-0x000001C63FD52000-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/216-100-0x00007FF99A800000-0x00007FF99B2C1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/216-21-0x00007FF99A803000-0x00007FF99A805000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/216-20-0x000001C624870000-0x000001C6248DA000-memory.dmp

                      Filesize

                      424KB

                      Download

                    • memory/216-22-0x00007FF99A800000-0x00007FF99B2C1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/216-86-0x000001C63F4C0000-0x000001C63F526000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/216-82-0x000001C63F3D0000-0x000001C63F446000-memory.dmp

                      Filesize

                      472KB

                      Download

                    • memory/4532-111-0x00000213BA630000-0x00000213BA631000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4532-108-0x00000213BA630000-0x00000213BA631000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4532-107-0x00000213BA630000-0x00000213BA631000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4532-113-0x00000213BA630000-0x00000213BA631000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4532-112-0x00000213BA630000-0x00000213BA631000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4532-109-0x00000213BA630000-0x00000213BA631000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4532-110-0x00000213BA630000-0x00000213BA631000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4532-103-0x00000213BA630000-0x00000213BA631000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4532-102-0x00000213BA630000-0x00000213BA631000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4532-101-0x00000213BA630000-0x00000213BA631000-memory.dmp

                      Filesize

                      4KB

                      Download