Analysis
Max time kernel: 103s
Max time network: 110s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 09-11-2020 20:54
Static task: static1
Behavioral task: behavioral1
Sample: anticheats.exe
Resource: win7v20201028
General
Target: anticheats.exe
Size: 417KB
MD5: fb2d06f3a2c9d4b9ec1064af3bf9f357
SHA1: aef3c1737f45eb8c1438b759d12d4eae9ce514ba
SHA256: 95ab142281af83bca92a9919b0691e3966218a96273452c15b701485af44ad0b
SHA512: a7a083bbc238a061346f0fc884ab3eda39a23de4301e07112a758882d11b6a98d7c536649d3a6e01161c0ceadf4efb806f713be95a6185b5c10d0dfb06e5a063
Malware Config
Signatures

Echelon log file (1 IoC)
Detects a log file produced by Echelon.
yara_rule: echelon_log_file

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 7: api.ipify.org
Flow 8: api.ipify.org
Flow 12: ip-api.com

Delays execution with timeout.exe (1 IoC)
Processes:
PID 2588 timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
PID 728 anticheats.exe
PID 728 anticheats.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
PID 728 anticheats.exe, Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
PID 728 anticheats.exe wrote to memory of PID 3524 cmd.exe
PID 728 anticheats.exe wrote to memory of PID 3524 cmd.exe
PID 3524 cmd.exe wrote to memory of PID 2588 timeout.exe
PID 3524 cmd.exe wrote to memory of PID 2588 timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\anticheats.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\anticheats.exe"
  PID: 728
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA4B2.tmp.cmd""
    PID: 3524
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 1
      PID: 2588
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: fd29162478d33edcdff3b14547f3e40b
SHA1: 106f17bac053a8a6b9835660b6de9f300cda9098
SHA256: b7d82488482a4ebf8af528fb8f107bbe85f770d89042c2dfebf65063ce6d0680
SHA512: 358bcbe53afa1b8f1f9fa2150c3fd03c79ac95205701698b7a912911a547383edef072ab08b1d2a8308545cafc89b5c6db8e05d84dae756f22cea8e835425224