Analysis
- max time kernel: 123s
- max time network: 137s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-11-2020 15:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: 526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe
- Resource: win7v20201028
General
- Target: 526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe
- Size: 2.0MB
- MD5: fc91265d814957f8963ca2ff8de8b689
- SHA1: 18ce51ccfff15e04b958f95fd1ee3c82cdb2784f
- SHA256: 526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5
- SHA512: 5044b473116881cbf0c74a9758b1dbd88cd273d2a928ebac57a0d3a828ece13bdda8448e33b28c54caa0d44bdd3a5ab2ba2b44c09fd3bf6f6383689caf73286a
Malware Config
Signatures
- Echelon log file (1 IoC)
  Detects a log file produced by Echelon.
  YARA rule: echelon_log_file
- Executes dropped EXE (1 IoC)
  Process: PID 836 images.exe
- Loads dropped DLL (9 IoCs)
  Processes: PID 1056 526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe (4 events); PID 1164 WerFault.exe (5 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 7 api.ipify.org; flow 8 api.ipify.org; flow 11 ip-api.com; flow 13 api.ipify.org
- Suspicious use of NtSetInformationThreadHideFromDebugger (24 IoCs)
  Processes: PID 836 images.exe (24 events)
- Program crash (1 IoC)
  Process: PID 1164 WerFault.exe, target PID 836 images.exe
- Modifies system certificate store
  Registry activity by images.exe:
  Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B
  Set value (data): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = … (certificate blob not reproduced)
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes: PID 836 images.exe (29 events); PID 1164 WerFault.exe (5 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 836 images.exe; Token SeDebugPrivilege: PID 1164 WerFault.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: PID 836 images.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1056 526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe wrote to memory of PID 836 images.exe (4 events)
  PID 836 images.exe wrote to memory of PID 1164 WerFault.exe (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe"
   PID: 1056
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Public\Downloads\images.exe
      Command line: "C:\Users\Public\Downloads\images.exe"
      PID: 836
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 2744
         PID: 1164
         - Loads dropped DLL
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads