Analysis
- max time kernel: 138s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-11-2020 15:41
Static task: static1
Behavioral task: behavioral1
Sample: 526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe
Resource: win7v20201028
General
- Target: 526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe
- Size: 2.0MB
- MD5: fc91265d814957f8963ca2ff8de8b689
- SHA1: 18ce51ccfff15e04b958f95fd1ee3c82cdb2784f
- SHA256: 526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5
- SHA512: 5044b473116881cbf0c74a9758b1dbd88cd273d2a928ebac57a0d3a828ece13bdda8448e33b28c54caa0d44bdd3a5ab2ba2b44c09fd3bf6f6383689caf73286a
Malware Config
Signatures
- Echelon log file (1 IoC)
  Detects a log file produced by Echelon.
  yara_rule: echelon_log_file
- ServiceHost packer (26 IoCs)
  Detects ServiceHost packer used for .NET malware.
- Executes dropped EXE (1 IoC)
  Process: images.exe (PID 3992)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 18: api.ipify.org
  Flow 19: api.ipify.org
  Flow 20: ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (24 IoCs)
  Process: images.exe (PID 3992), 24 occurrences
- Program crash (1 IoC)
  Process: WerFault.exe (PID 3172), target: images.exe (PID 3992)
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Process: images.exe (PID 3992), 14 occurrences
  Process: WerFault.exe (PID 3172), 16 occurrences
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, images.exe (PID 3992)
  Token: SeRestorePrivilege, WerFault.exe (PID 3172)
  Token: SeBackupPrivilege, WerFault.exe (PID 3172)
  Token: SeDebugPrivilege, WerFault.exe (PID 3172)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: images.exe (PID 3992)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 636 (526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe) wrote to memory of PID 3992 (images.exe), 3 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5.exe"
   - Suspicious use of WriteProcessMemory
   PID: 636
   2. C:\Users\Public\Downloads\images.exe
      Command line: "C:\Users\Public\Downloads\images.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 3992
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1488
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 3172
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3f7049b2c628eac94f17629f3e7d5830
  SHA1: 61ad825e39e19472d06a3080367a858e18187d05
  SHA256: af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7
  SHA512: 6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff