Malware Analysis Report

2024-11-15 06:31

Sample ID 201109-bltppdkmwa
Target anticheats.exe
SHA256 95ab142281af83bca92a9919b0691e3966218a96273452c15b701485af44ad0b
Tags echelon discovery spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 95ab142281af83bca92a9919b0691e3966218a96273452c15b701485af44ad0b

Threat Level: Known bad

The file anticheats.exe was found to be: Known bad.

Malicious Activity Summary

echelon discovery spyware stealer

Echelon

Echelon log file

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2020-11-09 20:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2020-11-09 20:54
Reported 2020-11-11 03:05
Platform win7v20201028
Max time kernel 134s
Max time network 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\anticheats.exe"

Signatures

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A
N/A          api.ipify.org  N/A      N/A

Delays execution with timeout.exe

evasion
Description  Indicator  Process                          Target
N/A          N/A        C:\Windows\system32\timeout.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                           Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\anticheats.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\anticheats.exe

"C:\Users\Admin\AppData\Local\Temp\anticheats.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp492D.tmp.cmd""

C:\Windows\system32\timeout.exe

timeout 1

Network

Country  Destination         Domain                          Proto
N/A      8.8.8.8:53          api.ipify.org                   udp
N/A      174.129.214.20:443  api.ipify.org                   tcp
N/A      8.8.8.8:53          www.download.windowsupdate.com  udp

Files

memory/1804-0-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

memory/1804-1-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/1804-3-0x000000001B490000-0x000000001B526000-memory.dmp

memory/340-4-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp492D.tmp.cmd

MD5 04867b3b20337c4b1893442a2f44d68f
SHA1 0e24bc3957286e95d1d7ef08e590b49f0186737d
SHA256 abcb09bafb7caec6f025c8e742cc16280093b3412a74ccc518b9230a97410393
SHA512 9ae9b68d84b4ca3f0a48e8f9b25f62b1480843110a415df653b578314b12359baaecaa7587d5f7569ddba9407e799c6289e90beaa1c1175a7ca7a5732bdb2e6a

memory/436-6-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2020-11-09 20:54
Reported 2020-11-11 03:05
Platform win10v20201028
Max time kernel 103s
Max time network 110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\anticheats.exe"

Signatures

Echelon

stealer spyware echelon

Echelon log file

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Reads user/profile data of web browsers

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A
N/A          api.ipify.org  N/A      N/A
N/A          ip-api.com     N/A      N/A

Delays execution with timeout.exe

evasion
Description  Indicator  Process                          Target
N/A          N/A        C:\Windows\system32\timeout.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\anticheats.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\anticheats.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                           Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\anticheats.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                                           Target
PID 728 wrote to memory of 3524   N/A        C:\Users\Admin\AppData\Local\Temp\anticheats.exe  C:\Windows\system32\cmd.exe
PID 728 wrote to memory of 3524   N/A        C:\Users\Admin\AppData\Local\Temp\anticheats.exe  C:\Windows\system32\cmd.exe
PID 3524 wrote to memory of 2588  N/A        C:\Windows\system32\cmd.exe                       C:\Windows\system32\timeout.exe
PID 3524 wrote to memory of 2588  N/A        C:\Windows\system32\cmd.exe                       C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\anticheats.exe

"C:\Users\Admin\AppData\Local\Temp\anticheats.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA4B2.tmp.cmd""

C:\Windows\system32\timeout.exe

timeout 1

Network

Country  Destination        Domain         Proto
N/A      8.8.8.8:53         api.ipify.org  udp
N/A      54.204.14.42:443   api.ipify.org  tcp
N/A      8.8.8.8:53         ip-api.com     udp
N/A      208.95.112.1:80    ip-api.com     tcp
N/A      8.8.8.8:53         179s.ru        udp
N/A      45.147.197.110:80  179s.ru        tcp

Files

memory/728-0-0x00007FFD72180000-0x00007FFD72B6C000-memory.dmp

memory/728-1-0x0000000000770000-0x0000000000771000-memory.dmp

memory/728-3-0x000000001B200000-0x000000001B296000-memory.dmp

memory/728-4-0x000000001C2A0000-0x000000001C310000-memory.dmp

memory/3524-5-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA4B2.tmp.cmd

MD5 fd29162478d33edcdff3b14547f3e40b
SHA1 106f17bac053a8a6b9835660b6de9f300cda9098
SHA256 b7d82488482a4ebf8af528fb8f107bbe85f770d89042c2dfebf65063ce6d0680
SHA512 358bcbe53afa1b8f1f9fa2150c3fd03c79ac95205701698b7a912911a547383edef072ab08b1d2a8308545cafc89b5c6db8e05d84dae756f22cea8e835425224

memory/2588-7-0x0000000000000000-mapping.dmp