Analysis

  • max time kernel
    135s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    16-11-2020 12:54

General

  • Target

    COMSurrogate.exe (the name mimics the legitimate COM Surrogate host, which is dllhost.exe in System32; this file runs from the user's Temp directory)

  • Size

    1.2MB

  • MD5

    35a9f8c5b3850ac2ec7c563b6f6a7734

  • SHA1

    6535eafce547f569183ef892064f80e541c7d3ea

  • SHA256

    3a1c0770a629e2cd0fcb462456e176a48f89d12bfdaebd5c8a9d63b1f3ff5151

  • SHA512

    90df2f90916f49294c02844059def480c31e84efcadccd7328fea95a5ceb34d72efc39963b5252caaac47cbec3b1b2993b6553a0ba3408dd84bc9ba517e8f963

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Echelon log file 1 IoCs

    Detects a log file produced by Echelon.

  • Deletes itself 1 IoCs

    The main process drops a batch file into %TEMP% and runs it through cmd.exe (see the process tree below); the delay in that chain is consistent with a batch that waits for the parent to exit before removing its executable.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

    Calls NtSetInformationThread with the ThreadHideFromDebugger class (0x11), which stops the thread from delivering debug events; an anti-debugging technique.

  • Delays execution with timeout.exe 1 IoCs

    timeout 4 pauses the batch for four seconds, long enough for the parent process to exit and release its file lock.

  • Modifies system certificate store 2 TTPs 6 IoCs

    In .NET samples this is frequently the framework's own root-certificate update on the first TLS connection rather than deliberate tampering, so corroborate it before treating it as an indicator.
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe
    "C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D3B.tmp.cmd""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\system32\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:1324
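A detection over process-creation events for the chain shown in this tree (a dropper running from %TEMP% spawns cmd /c on a tmp*.tmp.cmd batch, which spawns timeout.exe). This is an added example, not code from the sandbox or the report; the events are constructed from the PIDs and command lines above, and because the batch file's contents are not on this page the logic keys only on the observable parent/child chain.

```python
"""Flag the self-delete chain seen in the report:
<exe in %TEMP%> -> cmd /c ""...\Temp\tmpXXXX.tmp.cmd"" -> timeout N
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events modelled on the report's process tree,
# plus two benign events as noise. Not a capture from the sandbox.
SAMPLE_EVENTS = [
    ProcEvent(1904, 1000, r"C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe"'),
    ProcEvent(1656, 1904, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D3B.tmp.cmd""'),
    ProcEvent(1324, 1656, r"C:\Windows\system32\timeout.exe", "timeout 4"),
    ProcEvent(2000, 1000, r"C:\Windows\system32\cmd.exe",
              r'cmd /c "C:\build\run.cmd"'),
    ProcEvent(2001, 2000, r"C:\Windows\system32\timeout.exe", "timeout 1"),
]

# Batch dropped under the user's Temp directory with the tmpXXXX.tmp.cmd/.bat
# naming that Path.GetTempFileName()-style droppers produce.
TEMP_BATCH = re.compile(
    r"\\AppData\\Local\\Temp\\tmp[0-9A-F]+\.tmp\.(cmd|bat)\b", re.IGNORECASE)


def _image_is(event, name):
    return event.image.lower().endswith("\\" + name)


def find_self_delete_chains(events):
    """Return (dropper_pid, cmd_pid, timeout_pid) for each matching chain.

    Walks upward from every timeout.exe: its parent must be cmd.exe running
    a Temp batch, and the grandparent must itself execute from %TEMP%.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not _image_is(e, "timeout.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not _image_is(parent, "cmd.exe"):
            continue
        if not TEMP_BATCH.search(parent.cmdline):
            continue
        grand = by_pid.get(parent.ppid)
        if grand is None or "\\appdata\\local\\temp\\" not in grand.image.lower():
            continue
        hits.append((grand.pid, parent.pid, e.pid))
    return hits


def describe(events):
    """Human-readable lines for each hit, for triage output."""
    by_pid = {e.pid: e for e in events}
    return [
        f"self-delete chain: {by_pid[g].image} (PID {g}) -> cmd.exe (PID {c}) "
        f"-> timeout.exe (PID {t})"
        for g, c, t in find_self_delete_chains(events)
    ]


if __name__ == "__main__":
    for line in describe(SAMPLE_EVENTS):
        print(line)
```

The grandparent check is what keeps the benign cmd/timeout pair out of the results; on a real host, feed it Sysmon event ID 1 or Windows 4688 records with the same four fields.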

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7D3B.tmp.cmd

    MD5

    1d1346fbb5b1b18b71c451845879afca

    SHA1

    0ff0eca26a2011ed90680f14df59643661bfec71

    SHA256

    6213f7e34a1ac51097ec5016a835d93613559f3df05fa7e5c8c12bf54bd4c1c9

    SHA512

    5287b34d691aff91556e8e53fc2f2f68eea5522e877803746248ba1e3923ebe6a6e2d85e1e0aa3090f1f4d281667dfe512ed1c02f72aceaceadf472322254ae6

  • memory/1324-5-0x0000000000000000-mapping.dmp

  • memory/1656-3-0x0000000000000000-mapping.dmp

  • memory/1904-0-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

    Filesize

    9.9MB

  • memory/1904-1-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB