Malware Analysis Report

2024-11-15 06:31

Sample ID 210305-wa3qv16ayn
Target Build.exe
SHA256 c3ee35c8830cb3f6083fe15cd7325e14edbf77880b227473b6c3e39999b41493
Tags echelon discovery evasion spyware stealer themida trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

c3ee35c8830cb3f6083fe15cd7325e14edbf77880b227473b6c3e39999b41493

Threat Level: Known bad

The file Build.exe was found to be: Known bad.

Malicious Activity Summary

echelon discovery evasion spyware stealer themida trojan

Echelon

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Echelon log file

themida

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks whether UAC is enabled

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-03-05 18:22

Signatures

themida

themida
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2021-03-05 18:22

Reported

2021-03-05 18:24

Platform

win7v20201028

Max time kernel

28s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Build.exe"

Signatures

Echelon

stealer spyware echelon

Echelon log file

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |

Reads user/profile data of web browsers

spyware

themida

themida
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\Build.exe

"C:\Users\Admin\AppData\Local\Temp\Build.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.126.66:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | ifreegive.gq | udp |
| N/A | 104.21.78.161:80 | ifreegive.gq | tcp |

Files

memory/384-2-0x0000000076241000-0x0000000076243000-memory.dmp

memory/384-4-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/384-5-0x0000000000D90000-0x0000000000D91000-memory.dmp

memory/384-7-0x0000000006190000-0x0000000006191000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-03-05 18:22

Reported

2021-03-05 18:24

Platform

win10v20201028

Max time kernel

10s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Build.exe"

Signatures

Echelon

stealer spyware echelon

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |

themida

themida
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Checks whether UAC is enabled

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |

Program crash

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Build.exe |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\Build.exe

"C:\Users\Admin\AppData\Local\Temp\Build.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1860

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | www.msftconnecttest.com | udp |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |

Files

memory/4640-3-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/4640-4-0x0000000000B80000-0x0000000000B81000-memory.dmp

memory/4640-6-0x0000000077CD4000-0x0000000077CD5000-memory.dmp

memory/4640-7-0x0000000005570000-0x0000000005571000-memory.dmp

memory/4640-8-0x00000000056B0000-0x00000000056B1000-memory.dmp

memory/4204-9-0x00000000046F0000-0x00000000046F1000-memory.dmp

memory/4204-10-0x00000000046F0000-0x00000000046F1000-memory.dmp