Analysis
-
max time kernel
74s -
max time network
74s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
16-11-2020 12:54
Static task
static1
Behavioral task
behavioral1
Sample
COMSurrogate.exe
Resource
win7v20201028
General
-
Target
COMSurrogate.exe
-
Size
1.2MB
-
MD5
35a9f8c5b3850ac2ec7c563b6f6a7734
-
SHA1
6535eafce547f569183ef892064f80e541c7d3ea
-
SHA256
3a1c0770a629e2cd0fcb462456e176a48f89d12bfdaebd5c8a9d63b1f3ff5151
-
SHA512
90df2f90916f49294c02844059def480c31e84efcadccd7328fea95a5ceb34d72efc39963b5252caaac47cbec3b1b2993b6553a0ba3408dd84bc9ba517e8f963
Malware Config
Signatures
-
Echelon log file 1 IoCs
Detects a log file produced by Echelon.
Processes:
yara_rule echelon_log_file -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 api.ipify.org 11 api.ipify.org 12 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
COMSurrogate.exepid process 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2056 timeout.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
COMSurrogate.exepid process 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe 640 COMSurrogate.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
COMSurrogate.exedescription pid process Token: SeDebugPrivilege 640 COMSurrogate.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
COMSurrogate.execmd.exedescription pid process target process PID 640 wrote to memory of 2060 640 COMSurrogate.exe cmd.exe PID 640 wrote to memory of 2060 640 COMSurrogate.exe cmd.exe PID 2060 wrote to memory of 2056 2060 cmd.exe timeout.exe PID 2060 wrote to memory of 2056 2060 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe"C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC25B.tmp.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:2056
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c9cc82912bb1157f115168240fa9de2c
SHA1686592e23b5b714230ad68d7f1bc1ca0d1f237a7
SHA256b80474d6fd0469cc0d0274a766619f09f9cbbbd8e4ee18fecbcb94bbc5622ac2
SHA512435a636d3c2d3de3177f01d66d2af73ae7ff065fc7fa85af1b2c68f82fc181078ee99a0853c24af5b670c5a3c7723f92f83c15829176aea37ce04e0a1f61b213