Analysis

  • max time kernel
    27s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    21-09-2020 10:06

General

  • Target

    RegAsm-Cleaned.bin.exe

  • Size

    593KB

  • MD5

    916740096f7fb73f2e2b8ee87deaf675

  • SHA1

    90bf01fafbd4353f295ba7987436a1950a138152

  • SHA256

    557f4c234d26b35a5b4a65357b1b05b84e3ece6c59fcb265083b1545343bc854

  • SHA512

    133d638202f19737700ab8d7aecb50d54ff3b0fe92def121c5125b43d2c01a2bf6c70172b0bb68341d97b1fa904378c5dff5115325a6aae6f46f552ff2cf16c5

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTP

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Delays execution with timeout.exe 1 IoC
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoC
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RegAsm-Cleaned.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\RegAsm-Cleaned.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp45C9.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\system32\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:2668

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 2 matching signatures
  • Discovery: Query Registry (T1012), 1 matching signature
  • Collection: Data from Local System (T1005), 2 matching signatures


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp45C9.tmp.bat
    MD5

    c6ba3c4189afcf38bb047b43eaccda24

    SHA1

    c2574100e19f96c78f2100e08adff3028f1bea1a

    SHA256

    8cf6bb078e819c00b0a620e47e4a0ce76351c1fc13ad472393aa7813d5d21b65

    SHA512

    17b6a8dbc0d874ed2989e1ea93587ee0b150db00fcbf29a1393c5590d5c3e361a02bbf904c36714d6758996cf57de040c64ac640552e66cd3b76faa10cf4c2da

  • memory/720-0-0x00007FFFBC9F0000-0x00007FFFBD3DC000-memory.dmp
    Filesize

    9.9MB

  • memory/720-1-0x00000126D0C40000-0x00000126D0C41000-memory.dmp
    Filesize

    4KB

  • memory/720-3-0x00000126D2990000-0x00000126D2A00000-memory.dmp
    Filesize

    448KB

  • memory/2068-4-0x0000000000000000-mapping.dmp
  • memory/2668-6-0x0000000000000000-mapping.dmp