Analysis

  • max time kernel
    74s
  • max time network
    74s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    16-11-2020 12:54

General

  • Target

    COMSurrogate.exe

  • Size

    1.2MB

  • MD5

    35a9f8c5b3850ac2ec7c563b6f6a7734

  • SHA1

    6535eafce547f569183ef892064f80e541c7d3ea

  • SHA256

    3a1c0770a629e2cd0fcb462456e176a48f89d12bfdaebd5c8a9d63b1f3ff5151

  • SHA512

    90df2f90916f49294c02844059def480c31e84efcadccd7328fea95a5ceb34d72efc39963b5252caaac47cbec3b1b2993b6553a0ba3408dd84bc9ba517e8f963

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Echelon log file (1 IoC)

    Detects a log file produced by Echelon.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
  • Delays execution with timeout.exe (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe
    "C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC25B.tmp.cmd""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\system32\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:2056

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC25B.tmp.cmd

    MD5

    c9cc82912bb1157f115168240fa9de2c

    SHA1

    686592e23b5b714230ad68d7f1bc1ca0d1f237a7

    SHA256

    b80474d6fd0469cc0d0274a766619f09f9cbbbd8e4ee18fecbcb94bbc5622ac2

    SHA512

    435a636d3c2d3de3177f01d66d2af73ae7ff065fc7fa85af1b2c68f82fc181078ee99a0853c24af5b670c5a3c7723f92f83c15829176aea37ce04e0a1f61b213

  • memory/640-0-0x00007FF9EA080000-0x00007FF9EAA6C000-memory.dmp

    Filesize

    9.9MB

  • memory/640-1-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

  • memory/640-3-0x000000001BD90000-0x000000001BD91000-memory.dmp

    Filesize

    4KB

  • memory/2056-6-0x0000000000000000-mapping.dmp

  • memory/2060-4-0x0000000000000000-mapping.dmp