Analysis
-
max time kernel
93s -
max time network
213s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
04-07-2024 20:36
General
-
Target
donotwatch.exe
-
Size
1.6MB
-
MD5
b3d51f7547f5ca01471dafccce25a7b4
-
SHA1
f51775c48540a6805ffd0e9a87bab045d5c67c07
-
SHA256
1dfb0c02777894980aab7de14a7c4275292f3203073c7757fe22249820f7337e
-
SHA512
8d146f34c9f0f6dd5aa6f828dcc7cb4204b38127751be7391ab966a9884eecc5c3700d1e81bb5fb2f9ef01ed8244a00fbaa4128647e7550bcddf05d927b12dcb
-
SSDEEP
24576:K5ZWs+OZVEWry8AF7tOmXwksox5SbJAjstImAZiZJyQy3WRzJ/vfBY/rj1SWF:iZB1G8YJZAroXSbJAjmCiJl7vO97F
Malware Config
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\donotwatch.exe"C:\Users\Admin\AppData\Local\Temp\donotwatch.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\%Program Files%\Skyperr_protected.exe"C:\Program Files\%Program Files%\Skyperr_protected.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 18363⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1868 -ip 18681⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD53b6fc56278c4cc78d120ae23a0dd88c4
SHA17c0e2373f5aa592235439067ed2c43599537a524
SHA256477ef21d4f261a396bce4a66422ae1f36fefca9eb45b142e526eb0f95b6ecf99
SHA5128c5f0ebcf093f65474cb6bc37a9a8157bb80790b7974d793a10c5f3f83f69db47e5f733566dce06bb96493b9a9a9407e4f4fd12f9516e0a32657638fc7d4ca51
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
3.7MB
-
Filesize
7.7MB
-
Filesize
3.7MB
-
Filesize
7.7MB