Analysis
- max time kernel: 20s
- max time network: 22s
- platform: windows10_x64
- resource: win10
- submitted: 19-10-2020 20:33
- Static task: static1
General
- Target: WAREN HACK v 1.20.exe
- Size: 1.1MB
- MD5: d3ed7434a5619379b47da8b79641479f
- SHA1: 51a7a3dc32640bf2160425256b64a55d0ce20ccd
- SHA256: 11060800a86a66ff505e7771b9ccc8f711edcedf0df0ca1f594651dfc09dcd89
- SHA512: 6fb53a67c6b927f7d682d30ab2d5420e7fc58219708df3199aefdd1db4a95bf1ac1e45d486f740c6fdecdfb1cbf13cb57206523dd14b5219651224eed37fbdad
Malware Config
Signatures
- Echelon log file (1 IoC)
  Detects a log file produced by Echelon.
  Processes:
    yara_rule: echelon_log_file
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    6     api.ipify.org
    7     api.ipify.org
    11    ip-api.com
    15    ip-api.com
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2884  2168        WerFault.exe  WAREN HACK v 1.20.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    pid   process
    2168  WAREN HACK v 1.20.exe  (2 entries)
    2884  WerFault.exe           (14 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   2168  WAREN HACK v 1.20.exe
    Token: SeDebugPrivilege   2884  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\WAREN HACK v 1.20.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WAREN HACK v 1.20.exe"
  Process tree level: 1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 2168 -s 2160
  Process tree level: 2
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2168-0-0x00007FFDC0E90000-0x00007FFDC187C000-memory.dmp (Filesize: 9.9MB)
- memory/2168-1-0x0000000000950000-0x0000000000951000-memory.dmp (Filesize: 4KB)
- memory/2168-3-0x000000001BA30000-0x000000001BA31000-memory.dmp (Filesize: 4KB)
- memory/2884-4-0x000001D28A180000-0x000001D28A181000-memory.dmp (Filesize: 4KB)
- memory/2884-5-0x000001D28ADC0000-0x000001D28ADC1000-memory.dmp (Filesize: 4KB)
- memory/2884-6-0x000001D28ADC0000-0x000001D28ADC1000-memory.dmp (Filesize: 4KB)
- memory/2884-8-0x000001D28ADC0000-0x000001D28ADC1000-memory.dmp (Filesize: 4KB)