Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    27-08-2020 07:48

General

  • Target

    Hack.exe

  • Size

    1.2MB

  • MD5

    fed2a8736c84eda9dcc8533b5019f7d8

  • SHA1

    b2dbb7a42d46f9f694912b9d0554e10c0240952a

  • SHA256

    264662e60005a099f9aaaa88e1dcee1381a3a187a158fdfbc40bbd5024407cb1

  • SHA512

    ae7778829b3fb66b2e7bed20e6ae1e8ae86b3f7d4279b554416cc1cc71df4a766cd0199ba914b2de31b3bba4db42d0b99bd07f7228aaacf5a80ed582e00c9ec3

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Echelon log file 1 IoCs

    Detects a log file produced by Echelon.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Hack.exe
    "C:\Users\Admin\AppData\Local\Temp\Hack.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3908

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3908-0-0x00007FF9C6000000-0x00007FF9C69EC000-memory.dmp

    Filesize

    9.9MB

  • memory/3908-1-0x0000000000B10000-0x0000000000B11000-memory.dmp

    Filesize

    4KB