Overview

overview

10

Static

static

among.exe

windows7_x64

10

among.exe

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    25-10-2020 22:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    among.exe

  • Size

    3.0MB

  • MD5

    bd089566ea96fcbff16b58166467c04e

  • SHA1

    600d2248a7a21d13dd407a3c5769c11da46f4269

  • SHA256

    254065f8c104909b9539cfeb5b1fa5641b5871114cb3185be5f533022f7e341c

  • SHA512

    c9f96b23b7e62f65579c01ad95543992c187b2c92c6d5935af8d6d5368ec1e91becfc23e6c4e9ad84d8077090392a0c29d29a3c2b350876db5760d7131095ccb

Score
10/10
macrostealerspywareechelondiscovery

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Echelon log file 1 IoCs

    Detects a log file produced by Echelon.

  • ServiceHost packer 48 IoCs

    Detects ServiceHost packer used for .NET malware

  • Blacklisted process makes network request 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macro
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 2 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\among.exe
    "C:\Users\Admin\AppData\Local\Temp\among.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\among_us_hack_492781.msi"
      2⤵
      • Blacklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1036
    • C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1040
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1040 -s 2332
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:724
    • C:\Users\Admin\AppData\Local\Temp\lol.scr
      "C:\Users\Admin\AppData\Local\Temp\lol.scr" /S
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1236 -s 2132
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe
      "C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe" "C:\Users\Admin\AppData\Local\Temp\among_us_hack_492781.msi"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Program Files (x86)\DorsteniaNativecaiInstall\DorsteniapNative.exe
        "C:\Program Files (x86)\DorsteniaNativecaiInstall\DorsteniapNative.exe" 090802407721985424 nmaXKwEFusTYE6mVo9yZUJeKpIq/qgxg5hRFiOkTuKuaIdmPrWHXNCQ/lnUiIsVBA308geUF8XFYVTy/GcwuOxLAxJJkGSGkDXtiqYiTK1bYuqI9+0OFn73hjPOpcYgi5jEpU2v5zg0MaX2rc7sY1SM6hSP5w+LbtvOF5xezN5vCY0paAUxCuU6LC+VQVtqC/kfa9OHxD89WVWaMfpwjog== xfKXwSuyDFk2A4aRGWv1S3arMRqIjMatZF3G+xXWsiMJM6XkPIbXUsFNtXqdhfOmECk2eiuRumoY1vORZL8JcTMl0y+XQE8+RMrQ/qQRrxursoOuzGldaBs2rr+zPbyv
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:864
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /d /c timeout 5 & cmd /d /c del /f /q "C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe" & cmd /d /c del /f /q "C:\Users\Admin\AppData\Local\Temp\among_us_hack_492781.msi""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:1244
        • C:\Windows\SysWOW64\cmd.exe
          cmd /d /c del /f /q "C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe"
          4⤵
            PID:4392
          • C:\Windows\SysWOW64\cmd.exe
            cmd /d /c del /f /q "C:\Users\Admin\AppData\Local\Temp\among_us_hack_492781.msi""
            4⤵
              PID:4444

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      2
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\DorsteniaNativecaiInstall\DorsteniapNative.exe
        MD5

        f043baf22717c77655fe3813771841e1

        SHA1

        4d2dd16f9de05bdcca8fbde686578d2c010fd544

        SHA256

        811e586a3e3d85f7533b33a77e04d357dffd87c0a15b0937e4b5218b8b9a42a6

        SHA512

        610e329ee717cb9bc848965188953bb2a90ea57958d207c8498202a219fe7e38ae842bde6471a7fbee5b62db38e62aab3e0374ca085830fa9247a5056d1c20ee

        Download Submit
      • C:\Program Files (x86)\DorsteniaNativecaiInstall\DorsteniapNative.exe
        MD5

        f043baf22717c77655fe3813771841e1

        SHA1

        4d2dd16f9de05bdcca8fbde686578d2c010fd544

        SHA256

        811e586a3e3d85f7533b33a77e04d357dffd87c0a15b0937e4b5218b8b9a42a6

        SHA512

        610e329ee717cb9bc848965188953bb2a90ea57958d207c8498202a219fe7e38ae842bde6471a7fbee5b62db38e62aab3e0374ca085830fa9247a5056d1c20ee

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_D0A15851E78F28E33467584A33BA5369
        MD5

        7ea8bd94e53a071fea4b34ee330904e6

        SHA1

        3898e4991531c663589c48a7f48da1519761c736

        SHA256

        122d22c599b82bffa8102a6f57574dd94212e3e3b351892b67a31d2d2baf5a02

        SHA512

        943b0b6404ff02d3eb5a04fedda258aebc942f143ec01cb080102d96e018509ba87b305842771f30a525362e51149cdb37d2bb8ffad87366c72375653f6e9eab

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F
        MD5

        31557aefdc59dbcca3ce81d4e3b1970f

        SHA1

        5c81cd4496ff5651013a30998b9a565c2347a005

        SHA256

        e752ca0c6bac74541a9a51358123cf436433320e8e7f3e1c737fb57c323dde07

        SHA512

        62cd65b76a7813fc6b666483c65e63185893e90a78269aeff1ac8e662b930910018f16f7b910648bec152c6ebcd7737e6145b1171c198b80871117bb533a50cb

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0972B7C417F696E06E186AEB26286F01_D0A15851E78F28E33467584A33BA5369
        MD5

        51496e6a5394d3aa8deecdd68c9ccf10

        SHA1

        fec1245c21a1fd341f2579ad1e4c2b94f43364ea

        SHA256

        0ec0b8ff43a7c169afa0ae023a7cf13ea20567c72203b7d161ede75720983ef9

        SHA512

        a99f273a0c459cdbafb26a4877e6a5a33ddef548284068e186406fb99bbbffa22d51b415de5b54ee23753cc3b9c7494a2d4ca186a2b0a0d79dfcbb7e85e11652

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F
        MD5

        a46b1a2a288137cb8d39b231fec1f235

        SHA1

        e1de109e7a63d68d31252fcf3904e2673fc66999

        SHA256

        71da28138da0e0d5d4906f15bde569de174d20a6e5be46880859c2760f249e1f

        SHA512

        5f8639475625e5e6c839a0d38c99b2712b40867dc41f74a78175d91c8f1f042a1aa7db06a7028faeba561dd53dd17cffaf8f061372f2de995757c4edc315fde3

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\File.exe
        MD5

        42d51e625544236266f22b3eebfb2916

        SHA1

        c629b576834ada632f4cb7f1f9a42dcaed775468

        SHA256

        10d9bfb8ffd8604bd88edfa7ec3f70f24f551ad6720016320377afcad9a6f735

        SHA512

        8a340465dcc7cead86908c6286f6eb03ebc0f340c8e9574eb1241dd810c1242b3957260e934fa994bf003c07e0fe7978ea6ec493c076fbccfb4772dc0a37279f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\File.exe
        MD5

        42d51e625544236266f22b3eebfb2916

        SHA1

        c629b576834ada632f4cb7f1f9a42dcaed775468

        SHA256

        10d9bfb8ffd8604bd88edfa7ec3f70f24f551ad6720016320377afcad9a6f735

        SHA512

        8a340465dcc7cead86908c6286f6eb03ebc0f340c8e9574eb1241dd810c1242b3957260e934fa994bf003c07e0fe7978ea6ec493c076fbccfb4772dc0a37279f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\among_us_hack_492781.msi
        MD5

        c6bda3eb7bed85863b0c8a2ffed22751

        SHA1

        0c3ed7891da82fd8170b11cb77787de474700b4b

        SHA256

        bbb95f2e2fff202e4c53e2d21b3bb3953d0694c91d87ca5f5a4d54114085f354

        SHA512

        331fd5099f74969792dc857c61a3886e8e0dd39f4adcd304a670e30a0c2d97f5804ef506bc190efe0f54c645a5d35cf4a4da078956a96a86d56d7d4f237cd9fc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\lol.scr
        MD5

        e48fdb255f9c2500763846100ff1a9e7

        SHA1

        a029408c57765551a71082c5fbff2c43fbaa75d2

        SHA256

        4236d4e30db63172f84a53fd501253b010564e65703059125362ffd37c3c677b

        SHA512

        55940093d23569e21bb090dbb4277712e58e705d7805a7e9e36481fbda09064224cfb21d9bda1feb9737ee593bb692487f8b7b0149dd6b7a002102c6fb6e86d4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\lol.scr
        MD5

        e48fdb255f9c2500763846100ff1a9e7

        SHA1

        a029408c57765551a71082c5fbff2c43fbaa75d2

        SHA256

        4236d4e30db63172f84a53fd501253b010564e65703059125362ffd37c3c677b

        SHA512

        55940093d23569e21bb090dbb4277712e58e705d7805a7e9e36481fbda09064224cfb21d9bda1feb9737ee593bb692487f8b7b0149dd6b7a002102c6fb6e86d4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe
        MD5

        a4ca15d48f389c223c9d1d9a04ca0e44

        SHA1

        74ca1174d182c70f249767d1fa93c47fa9bd50be

        SHA256

        278b73121a224e100d81ef238daa93effb3b38d0340beb217f06b00ed2b2b276

        SHA512

        113a2dc7d49055786b36dd992ace378da84b119e10ac80b21f7579f8da8b5084370a580a44a49dc348be863cfc761bcdf8e2fdeb293cf8eb9b65fa9ecc25f766

        Download Submit
      • C:\Users\Admin\AppData\Roaming\NativeDorstenia\NativeDorstenia.exe
        MD5

        a4ca15d48f389c223c9d1d9a04ca0e44

        SHA1

        74ca1174d182c70f249767d1fa93c47fa9bd50be

        SHA256

        278b73121a224e100d81ef238daa93effb3b38d0340beb217f06b00ed2b2b276

        SHA512

        113a2dc7d49055786b36dd992ace378da84b119e10ac80b21f7579f8da8b5084370a580a44a49dc348be863cfc761bcdf8e2fdeb293cf8eb9b65fa9ecc25f766

        Download Submit
      • \Users\Admin\AppData\Local\Temp\nsi35EC.tmp\LangDLL.dll
        MD5

        ab1db56369412fe8476fefffd11e4cc0

        SHA1

        daad036a83b2ee2fa86d840a34a341100552e723

        SHA256

        6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

        SHA512

        8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

        Download Submit
      • memory/724-36-0x000001E15E1E0000-0x000001E15E1E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/724-35-0x000001E15E1E0000-0x000001E15E1E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/724-88-0x000001E15F050000-0x000001E15F051000-memory.dmp
        Filesize

        4KB

        Download
      • memory/724-90-0x000001E15F050000-0x000001E15F051000-memory.dmp
        Filesize

        4KB

        Download
      • memory/864-28-0x0000000000000000-mapping.dmp
        Download
      • memory/1036-0-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-51-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-85-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-43-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-18-0x000000001B250000-0x000000001B510000-memory.dmp
        Filesize

        2.8MB

        Download
      • memory/1040-45-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-27-0x000000001AFA0000-0x000000001AFA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1040-1-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-53-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-15-0x0000000000910000-0x0000000000911000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1040-79-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-86-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-19-0x0000000000990000-0x0000000000991000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1040-84-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-10-0x0000000000160000-0x0000000000161000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1040-83-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-40-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-81-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-41-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-77-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-75-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-69-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-47-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-49-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-5-0x00007FF8DFD60000-0x00007FF8E074C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/1040-71-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-55-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-73-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-60-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-62-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-64-0x0000000000000000-mapping.dmp
        Download
      • memory/1040-67-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-11-0x000001F07D360000-0x000001F07D361000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1236-82-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-58-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-74-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-72-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-56-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-52-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-46-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-61-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-59-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-44-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-39-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-78-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-42-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-48-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-17-0x000001F07EF10000-0x000001F07EF11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1236-70-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-50-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-4-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-33-0x000001F0183B0000-0x000001F0183B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1236-8-0x00007FF8DFD60000-0x00007FF8E074C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/1236-80-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-14-0x000001F07D590000-0x000001F07D591000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1236-76-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-16-0x000001F07D5A0000-0x000001F07D5EA000-memory.dmp
        Filesize

        296KB

        Download
      • memory/1236-54-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-66-0x0000000000000000-mapping.dmp
        Download
      • memory/1236-26-0x000001F07F8C0000-0x000001F07F8C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1244-34-0x0000000000000000-mapping.dmp
        Download
      • memory/1520-87-0x000001EFD1BE0000-0x000001EFD1BE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1520-38-0x000001EFD0D70000-0x000001EFD0D71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2832-29-0x0000000000000000-mapping.dmp
        Download
      • memory/3896-24-0x0000000000000000-mapping.dmp
        Download
      • memory/4392-89-0x0000000000000000-mapping.dmp
        Download
      • memory/4444-93-0x0000000000000000-mapping.dmp
        Download