Analysis

Max time kernel: 149s
Max time network: 149s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 08-11-2020 14:17

Static task: static1
Behavioral task: behavioral1
Sample: File.exe
Resource: win7v20201028
General

Target: File.exe
Size: 1.8MB
MD5: 42d51e625544236266f22b3eebfb2916
SHA1: c629b576834ada632f4cb7f1f9a42dcaed775468
SHA256: 10d9bfb8ffd8604bd88edfa7ec3f70f24f551ad6720016320377afcad9a6f735
SHA512: 8a340465dcc7cead86908c6286f6eb03ebc0f340c8e9574eb1241dd810c1242b3957260e934fa994bf003c07e0fe7978ea6ec493c076fbccfb4772dc0a37279f
Malware Config
Signatures

Echelon log file (1 IoC)
Detects a log file produced by Echelon.
  yara_rule  echelon_log_file

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  9     api.ipify.org
  10    api.ipify.org
  11    ip-api.com

Program crash (1 IoC)
  pid   process       pid_target  target process
  1756  WerFault.exe  636         File.exe

Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid   process       hits
  636   File.exe      2
  1756  WerFault.exe  15

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  636   File.exe
  Token: SeDebugPrivilege  1756  WerFault.exe

Note that 15 of the 17 EnumeratesProcesses hits and one of the two SeDebugPrivilege hits belong to WerFault.exe, the crash reporter launched for pid 636, so only the entries for pid 636 describe the sample's own behaviour.
Processes

1. C:\Users\Admin\AppData\Local\Temp\File.exe (pid 636)
   Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\system32\WerFault.exe (pid 1756, crash reporter for pid 636)
      Command line: C:\Windows\system32\WerFault.exe -u -p 636 -s 2344
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
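To show how the behavioural signatures above (external IP lookup, Uninstall-key enumeration and the WerFault crash record) are derived from host telemetry, here is an added example in Python; it is not part of the Triage report or of the sandbox's own rule engine. The event dictionaries are a constructed, Sysmon-like approximation, the pids, images, command line and hostnames are taken from the report, and the www.example.com query is benign noise added so that the filters have something to reject.

```python
"""Added example, not part of the Triage report: re-derive three of its behavioural
signatures from constructed Sysmon-style events.  The event shape (one dict per event)
is an assumption of this example; pids, images, the WerFault command line and the
lookup hostnames are taken from the report."""
import re

# Hosts behind the report's "Looks up external IP address via web service" flow IoCs.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com"}
# Registry path the "Checks installed software on the system" signature describes.
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.IGNORECASE)

# Constructed sample telemetry modelled on the report's process tree (pids 636 and 1756).
EVENTS = [
    {"type": "ProcessCreate", "pid": 636, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\File.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\File.exe"'},
    {"type": "DnsQuery", "pid": 636, "query": "api.ipify.org"},
    {"type": "DnsQuery", "pid": 636, "query": "api.ipify.org"},
    {"type": "DnsQuery", "pid": 636, "query": "ip-api.com"},
    {"type": "RegistryRead", "pid": 636,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example"},
    {"type": "ProcessCreate", "pid": 1756, "ppid": 636,
     "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 636 -s 2344"},
    {"type": "DnsQuery", "pid": 4242, "query": "www.example.com"},  # benign noise
]


def process_images(events):
    """Map pid -> image file name from ProcessCreate events (used to name crash targets)."""
    return {e["pid"]: e["image"].rsplit("\\", 1)[-1]
            for e in events if e["type"] == "ProcessCreate"}


def ip_lookup_iocs(events):
    """One IoC per DNS query to a known external-IP lookup service, in event order."""
    return [(e["pid"], e["query"]) for e in events
            if e["type"] == "DnsQuery" and e["query"].lower() in IP_LOOKUP_HOSTS]


def installed_software_ttps(events):
    """Pids that read under the Uninstall key (software enumeration), deduplicated."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "RegistryRead" and UNINSTALL_KEY.search(e["key"])})


def werfault_target_pid(cmdline):
    """Extract the faulting pid from a WerFault.exe command line ('-p <pid>'), or None."""
    argv = cmdline.split()
    if "-p" in argv:
        idx = argv.index("-p")
        if idx + 1 < len(argv) and argv[idx + 1].isdigit():
            return int(argv[idx + 1])
    return None


def program_crash_iocs(events):
    """(werfault_pid, target_pid, target_image) per WerFault launch, like the
    report's 'Program crash' table."""
    images = process_images(events)
    hits = []
    for e in events:
        if e["type"] != "ProcessCreate" or not e["image"].lower().endswith("\\werfault.exe"):
            continue
        target = werfault_target_pid(e["cmdline"])
        if target is not None:
            hits.append((e["pid"], target, images.get(target, "<unknown>")))
    return hits


def run_signatures(events):
    """Evaluate the three signatures; the report's 'N IoCs / N TTPs' figure is len(hits)."""
    return {
        "Looks up external IP address via web service": ip_lookup_iocs(events),
        "Checks installed software on the system": installed_software_ttps(events),
        "Program crash": program_crash_iocs(events),
    }


if __name__ == "__main__":
    for name, hits in run_signatures(EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

The crash rule deliberately keys on the `-p <pid>` argument rather than on the parent pid, because WerFault is launched by the WER service on behalf of the faulting process; resolving that pid against the ProcessCreate stream is what lets the report print `File.exe` as the target process.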
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

  Artifact                                                        Filesize
  memory/636-0-0x00007FFA31FB0000-0x00007FFA3299C000-memory.dmp   9.9MB
  memory/636-1-0x00000000009E0000-0x00000000009E1000-memory.dmp   4KB
  memory/636-3-0x0000000001190000-0x0000000001191000-memory.dmp   4KB
  memory/636-4-0x000000001BAA0000-0x000000001BD60000-memory.dmp   2.8MB
  memory/636-5-0x00000000011A0000-0x00000000011A1000-memory.dmp   4KB
  memory/636-6-0x000000001D260000-0x000000001D261000-memory.dmp   4KB
  memory/1756-7-0x000001AE5BD70000-0x000001AE5BD71000-memory.dmp  4KB
  memory/1756-8-0x000001AE5BD70000-0x000001AE5BD71000-memory.dmp  4KB
  memory/1756-10-0x000001AE5CDB0000-0x000001AE5CDB1000-memory.dmp 4KB
  memory/1756-11-0x000001AE5CDB0000-0x000001AE5CDB1000-memory.dmp 4KB
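The dump names above encode the pid and the dumped virtual address range, so the Filesize column can be checked rather than trusted. The following Python is an added example, not part of the Triage report: it parses the `memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` pattern read off the list, recomputes each size, and totals the dumped bytes per pid. The rounding rule (one decimal in binary MB/KB, trailing `.0` dropped) is an assumption chosen because it reproduces the listed figures; the input rows are copied from the list.

```python
"""Added example, not part of the Triage report: parse memory-dump artifact names and
verify the stated Filesize against the address range in the name.  The naming pattern
is read off the Downloads list; the MB/KB rounding rule is an assumption."""
import re
from decimal import Decimal, ROUND_HALF_UP

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed input: four artifact names and stated sizes copied from the Downloads list.
DOWNLOADS = [
    ("memory/636-0-0x00007FFA31FB0000-0x00007FFA3299C000-memory.dmp", "9.9MB"),
    ("memory/636-1-0x00000000009E0000-0x00000000009E1000-memory.dmp", "4KB"),
    ("memory/636-4-0x000000001BAA0000-0x000000001BD60000-memory.dmp", "2.8MB"),
    ("memory/1756-7-0x000001AE5BD70000-0x000001AE5BD71000-memory.dmp", "4KB"),
]


def parse_dump_name(name):
    """Return {pid, idx, start, end, size} for a dump name, or None if it does not match
    or the range is empty."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None  # a region dump cannot cover a zero or negative range
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format bytes the way the report does: MB above 1 MiB, else KB, one decimal,
    trailing .0 dropped (assumed rule, reproduces the listed figures)."""
    unit, divisor = ("MB", 1 << 20) if nbytes >= (1 << 20) else ("KB", 1 << 10)
    value = (Decimal(nbytes) / Decimal(divisor)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
    return f"{float(value):g}{unit}"


def check_downloads(rows):
    """(name, computed_size, stated_size, matches) per row; unparsable names get None."""
    results = []
    for name, stated in rows:
        info = parse_dump_name(name)
        computed = human_size(info["size"]) if info else None
        results.append((name, computed, stated, computed == stated))
    return results


def dumps_by_pid(rows):
    """Total dumped bytes per pid, for a quick per-process view of what was captured."""
    totals = {}
    for name, _ in rows:
        info = parse_dump_name(name)
        if info:
            totals[info["pid"]] = totals.get(info["pid"], 0) + info["size"]
    return totals


if __name__ == "__main__":
    for name, computed, stated, ok in check_downloads(DOWNLOADS):
        print(("OK       " if ok else "MISMATCH ") + f"{name}  computed={computed} stated={stated}")
    print(dumps_by_pid(DOWNLOADS))
```

Running it confirms the 9.9MB figure for the first region of pid 636 (0x9EC000 bytes) and that every 4KB entry is exactly one page.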