Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-11-2024 01:38
Behavioral task
behavioral1
Sample
e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7.exe
Resource
win10v2004-20241007-en
General
-
Target
e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7.exe
-
Size
1.9MB
-
MD5
24db71137c56055391066fecfc2b4e10
-
SHA1
f19806993a3aa851647a013ad51cc2ce9fa367af
-
SHA256
e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7
-
SHA512
ff7790d326e5e2c3754a403cbbb4cdca47f9f4aaa2af8de64ce98d4b7cc37c182d3933fc8a7f6f767920673d0e8045f87d7bca1520e8909a3df9b3653fd938c3
-
SSDEEP
24576:HSpaHGEwHgH+pHWewH+7wH+Qs/lyRpgOI0m4WegOags5Lk4/UvlH6t8Y/D1ga4fX:yp4uO30iAM
Malware Config
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Blackguard family
-
Program crash 1 IoCs
pid pid_target Process procid_target 3028 2368 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2368 wrote to memory of 3028 2368 e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7.exe 30 PID 2368 wrote to memory of 3028 2368 e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7.exe 30 PID 2368 wrote to memory of 3028 2368 e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7.exe 30 PID 2368 wrote to memory of 3028 2368 e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7.exe"C:\Users\Admin\AppData\Local\Temp\e7ee15c99ecdcade1ad0bbde675173b48366d32cd474a3f344720b0e41e9e0e7.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 5282⤵
- Program crash
PID:3028
-