Analysis
- max time kernel: 138s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-11-2020 14:32

Static task: static1
Behavioral task: behavioral1
Sample: b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe
Resource: win7v20201028

General
- Target: b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe
- Size: 585KB
- MD5: 2f84065b4d10029d655fe5240b918a82
- SHA1: 160d060a7dca7dff8e4ededa01b1981faf84fcfb
- SHA256: b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3
- SHA512: ef00a3926dd3a60b33fa6ea4eeadebc55be77100ce0425250de471b7293cb46a4336f94952399bada7f82e084d9ecb7c27b0c6272fd1bfe07e4b4fda62f87995
Malware Config

Signatures
- Echelon log file (1 IoCs)
  Detects a log file produced by Echelon.
  Processes:
    yara_rule: echelon_log_file
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    7     api.ipify.org
    8     api.ipify.org
    11    ip-api.com
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid   process
    3740  timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  process
    580  b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe
    580  b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  580  b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 580 wrote to memory of 1364   580   b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe  cmd.exe
    PID 580 wrote to memory of 1364   580   b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe  cmd.exe
    PID 1364 wrote to memory of 3740  1364  cmd.exe                                                                   timeout.exe
    PID 1364 wrote to memory of 3740  1364  cmd.exe                                                                   timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E3C.tmp.cmd""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (depth 3)
      Command line: timeout 1
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8E3C.tmp.cmd
  MD5: 05f3be4c6ff6f57d4d4fdcd79d21306a
  SHA1: 9d700b4ba20a39b47d6deabe14434760b08068b8
  SHA256: 889ba3364926044804b1dfa407fef9ce7c6172650e65959f770ff42f6f0f3977
  SHA512: 6eec235ea8a2cb41a2ff78f3f1cdab47848a81ad0c7a1051c261e01ff055852b05b1f7750abeeb9cf9caf4997d00c231c513654acab98e73fce608ed0a8e0197
- memory/580-0-0x00007FFC34C00000-0x00007FFC355EC000-memory.dmp
  Filesize: 9.9MB
- memory/580-1-0x000002123FD10000-0x000002123FD11000-memory.dmp
  Filesize: 4KB
- memory/580-3-0x000002125A330000-0x000002125A3A0000-memory.dmp
  Filesize: 448KB
- memory/1364-4-0x0000000000000000-mapping.dmp
- memory/3740-6-0x0000000000000000-mapping.dmp