blackguard | hxxps://github[.]com/not-seil/fudzi[.]app/raw/main/donotwatch[.]exe

Resubmissions

03-07-2024 06:45

240703-hjh8jswaml 10

02-07-2024 14:50

240702-r71beaxdre 8

02-07-2024 14:46

240702-r5jwms1gjl 10

Analysis

max time kernel
22s
max time network
8s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
03-07-2024 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/not-seil/fudzi.app/raw/main/donotwatch.exe

Score

10^/10

blackguard persistence spyware stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

donotwatch.exeSkyperr_protected.exe

pid process

3488 donotwatch.exe
5084 Skyperr_protected.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3488	donotwatch.exe
5084	Skyperr_protected.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Skyperr_protected.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\%Program Files%\\Skyperr_protected.exe\""	Skyperr_protected.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
6 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 freegeoip.app
9 api.ipify.org
11 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Skyperr_protected.exe

pid process

5084 Skyperr_protected.exe
5084 Skyperr_protected.exe

flow	ioc
1	raw.githubusercontent.com
6	raw.githubusercontent.com

flow	ioc
8	freegeoip.app
9	api.ipify.org
11	freegeoip.app

pid	process
5084	Skyperr_protected.exe
5084	Skyperr_protected.exe

Drops file in Program Files directory 4 IoCs

Processes:

donotwatch.exe

description	ioc	process
File opened for modification	C:\Program Files\%Program Files%	donotwatch.exe
File created	C:\Program Files\%Program Files%\__tmp_rar_sfx_access_check_240618515	donotwatch.exe
File created	C:\Program Files\%Program Files%\Skyperr_protected.exe	donotwatch.exe
File opened for modification	C:\Program Files\%Program Files%\Skyperr_protected.exe	donotwatch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3172 5084 WerFault.exe Skyperr_protected.exe

pid	pid_target	process	target process
3172	5084	WerFault.exe	Skyperr_protected.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644627628623272"	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\donotwatch.exe:Zone.Identifier chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\donotwatch.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

chrome.exeSkyperr_protected.exetaskmgr.exe

pid	process
5076	chrome.exe
5076	chrome.exe
5084	Skyperr_protected.exe
5084	Skyperr_protected.exe
5084	Skyperr_protected.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

5076 chrome.exe
5076 chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

chrome.exeSkyperr_protected.exetaskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeDebugPrivilege	5084	Skyperr_protected.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeDebugPrivilege	1584	taskmgr.exe
Token: SeSystemProfilePrivilege	1584	taskmgr.exe
Token: SeCreateGlobalPrivilege	1584	taskmgr.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe
Token: SeShutdownPrivilege	5076	chrome.exe
Token: SeCreatePagefilePrivilege	5076	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe

Suspicious use of SendNotifyMessage 41 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
5076	chrome.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe
1584	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Skyperr_protected.exe

pid process

5084 Skyperr_protected.exe

pid	process
5084	Skyperr_protected.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5076 wrote to memory of 1468	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1468	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1800	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4988	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 4988	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe
PID 5076 wrote to memory of 1044	5076	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/not-seil/fudzi.app/raw/main/donotwatch.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb6178ab58,0x7ffb6178ab68,0x7ffb6178ab78
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:2
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2100 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4640 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4820 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4776 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4904 --field-trial-handle=1760,i,14364629754971465519,16947402750984511720,131072 /prefetch:8
  2⤵
  PID:1456
- C:\Users\Admin\Downloads\donotwatch.exe
  "C:\Users\Admin\Downloads\donotwatch.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3488
- - C:\Program Files\%Program Files%\Skyperr_protected.exe
    "C:\Program Files\%Program Files%\Skyperr_protected.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1880
      4⤵
      Program crash
      PID:3172

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 5084
1⤵
PID:408

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\%Program Files%\Skyperr_protected.exe

Filesize
1.2MB

MD5
3b6fc56278c4cc78d120ae23a0dd88c4

SHA1
7c0e2373f5aa592235439067ed2c43599537a524

SHA256
477ef21d4f261a396bce4a66422ae1f36fefca9eb45b142e526eb0f95b6ecf99

SHA512
8c5f0ebcf093f65474cb6bc37a9a8157bb80790b7974d793a10c5f3f83f69db47e5f733566dce06bb96493b9a9a9407e4f4fd12f9516e0a32657638fc7d4ca51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7a462d53-e62f-48fe-a7da-e520d219fbc9.tmp

Filesize
129KB

MD5
a2d27069c09ff6c13bcb44601497c337

SHA1
bf6a0fd6ec4a718223f4e272acdb309172f5a08f

SHA256
c4e55ef6f5eca6e4fe75d8e583214175da84b01fac1c21ada148b0a8849b2849

SHA512
4af496b4a34ae160457b4333602d1658e8209e5b0870b53fadd7a8f4a7145f3b1cda5d0204a5c8a46700471000b90fb52a5ceddfd3a573641aa43eb4f870b6ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\6c4b60bc-751b-4a3b-9b54-86414f6d79eb.tmp

Filesize
691B

MD5
71c0fc50d4eb5124c44324122f564a8a

SHA1
33ab86897fb725aa1d5a3513ba691ff31861c10d

SHA256
00dfcd8b657263703f7bd2abdf64520f824349548ff9bc0a49624190f0f206b0

SHA512
c7efc376f1a199c761c1289c92b9329672591fe94d24b969530244c98d72e132567750fc3ce4bda89712cb00e7420cf571082a6d22e4a184dfcd630be453f5ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e56343d8e1147528157f90a988789ac8

SHA1
85c8c57739df1ea2232d874ecf0b920de755b91b

SHA256
cd5fc820d72bf2d30c9d76dad80dedbf7b7a9ea160bf9f02a1454995cf068829

SHA512
56b044a226dc872fe99437bbb1cb78b58646dfb14e53d473f3458b7de81d7ddcec64813f17ea8725fbca62aebb4241fa27b36e060067181dcced63f4b76dacb9

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 529834.crdownload

Filesize
1.6MB

MD5
b3d51f7547f5ca01471dafccce25a7b4

SHA1
f51775c48540a6805ffd0e9a87bab045d5c67c07

SHA256
1dfb0c02777894980aab7de14a7c4275292f3203073c7757fe22249820f7337e

SHA512
8d146f34c9f0f6dd5aa6f828dcc7cb4204b38127751be7391ab966a9884eecc5c3700d1e81bb5fb2f9ef01ed8244a00fbaa4128647e7550bcddf05d927b12dcb

Download Submit
C:\Users\Admin\Downloads\donotwatch.exe:Zone.Identifier

Filesize
108B

MD5
919e68c90e573488012c46ba89fe80d5

SHA1
79f2bd1f71ee7fecbf3fd9f5bfd21aca41a6206e

SHA256
26c2ccbb38722b7889ad16551477a7b9533bec70accf33621286e890ee41223e

SHA512
d39e1b903765933433f1790bb8f56c945e421f0d0927a90b7e055c9e52b9824232041da56d2355b68b183ccb57e89d6498e719c95c5e6e3949affd6a597720a6

Download Submit
\??\pipe\crashpad_5076_LOVAVLDYTVEJGYAJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1584-111-0x000002464CE90000-0x000002464CE91000-memory.dmp

Filesize
4KB

Download
memory/1584-109-0x000002464CE90000-0x000002464CE91000-memory.dmp

Filesize
4KB

Download
memory/1584-99-0x000002464CE90000-0x000002464CE91000-memory.dmp

Filesize
4KB

Download
memory/1584-101-0x000002464CE90000-0x000002464CE91000-memory.dmp

Filesize
4KB

Download
memory/1584-100-0x000002464CE90000-0x000002464CE91000-memory.dmp

Filesize
4KB

Download
memory/1584-105-0x000002464CE90000-0x000002464CE91000-memory.dmp

Filesize
4KB

Download
memory/1584-110-0x000002464CE90000-0x000002464CE91000-memory.dmp

Filesize
4KB

Download
memory/1584-107-0x000002464CE90000-0x000002464CE91000-memory.dmp

Filesize
4KB

Download
memory/1584-106-0x000002464CE90000-0x000002464CE91000-memory.dmp

Filesize
4KB

Download
memory/1584-108-0x000002464CE90000-0x000002464CE91000-memory.dmp

Filesize
4KB

Download
memory/5084-96-0x0000000006FE0000-0x0000000007072000-memory.dmp

Filesize
584KB

Download
memory/5084-98-0x0000000000240000-0x00000000005F8000-memory.dmp

Filesize
3.7MB

Download
memory/5084-62-0x0000000000240000-0x00000000005F8000-memory.dmp

Filesize
3.7MB

Download
memory/5084-61-0x0000000000240000-0x00000000005F8000-memory.dmp

Filesize
3.7MB

Download
memory/5084-60-0x0000000000240000-0x00000000005F8000-memory.dmp

Filesize
3.7MB

Download