Malware Analysis Report

2024-11-15 06:30

Sample ID 210306-13cfyd3pex
Target lagstress.exe
SHA256 045ce5f3e750d27127ac6dd5683533b1e42748c7cb47a38a06a42f7f1dfb15d7
Tags
echelon spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

045ce5f3e750d27127ac6dd5683533b1e42748c7cb47a38a06a42f7f1dfb15d7

Threat Level: Known bad

The file lagstress.exe was found to be: Known bad.

Malicious Activity Summary

echelon spyware stealer

Echelon

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-03-06 18:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-03-06 18:21

Reported

2021-03-06 18:24

Platform

win7v20201028

Max time kernel

16s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\lagstress.exe"

Signatures

Echelon

stealer spyware echelon

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Decoder.exe N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lagstress.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lagstress.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lagstress.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\lagstress.exe

"C:\Users\Admin\AppData\Local\Temp\lagstress.exe"

C:\ProgramData\Decoder.exe

"C:\ProgramData\Decoder.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""

C:\Windows\system32\timeout.exe

timeout 4

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 50.19.242.215:443 api.ipify.org tcp
N/A 8.8.8.8:53 www.download.windowsupdate.com udp
N/A 8.8.8.8:53 f0514725.xsph.ru udp
N/A 141.8.192.151:80 f0514725.xsph.ru tcp

Files

memory/1632-2-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

memory/1632-3-0x0000000000B50000-0x0000000000B51000-memory.dmp

memory/1632-5-0x0000000000610000-0x0000000000681000-memory.dmp

memory/1632-6-0x000000001B1D0000-0x000000001B1D2000-memory.dmp

memory/1160-7-0x0000000000000000-mapping.dmp

C:\ProgramData\Decoder.exe

MD5 6bd60496fa24ada50ca869be53467c7c
SHA1 5afdeb2dade4a35e6d8feef1ef24e30075302d6c
SHA256 25dfe0485d9e8fc9380bd7fc63cfca88c3b9b8fc23c75349a68ecfea056ba04b
SHA512 bacd106d5f211a1c24ead24ef32266a68550c3be8dde75e7ef509e165590c058b590edb20c060f5a8ecaa3b785b0e9e2edd3e458146f042c1f12821f66735806

memory/916-9-0x0000000000000000-mapping.dmp

C:\ProgramData\Decoder.exe

MD5 6bd60496fa24ada50ca869be53467c7c
SHA1 5afdeb2dade4a35e6d8feef1ef24e30075302d6c
SHA256 25dfe0485d9e8fc9380bd7fc63cfca88c3b9b8fc23c75349a68ecfea056ba04b
SHA512 bacd106d5f211a1c24ead24ef32266a68550c3be8dde75e7ef509e165590c058b590edb20c060f5a8ecaa3b785b0e9e2edd3e458146f042c1f12821f66735806

C:\Users\Admin\AppData\Local\Temp\.cmd

MD5 73712247036b6a24d16502c57a3e5679
SHA1 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
SHA256 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
SHA512 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

memory/692-12-0x0000000000000000-mapping.dmp

memory/1160-13-0x00000000745C0000-0x0000000074CAE000-memory.dmp

memory/1160-14-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

memory/1160-16-0x0000000076341000-0x0000000076343000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-03-06 18:21

Reported

2021-03-06 18:24

Platform

win10v20201028

Max time kernel

17s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\lagstress.exe"

Signatures

Echelon

stealer spyware echelon

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Decoder.exe N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lagstress.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lagstress.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lagstress.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\lagstress.exe

"C:\Users\Admin\AppData\Local\Temp\lagstress.exe"

C:\ProgramData\Decoder.exe

"C:\ProgramData\Decoder.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""

C:\Windows\system32\timeout.exe

timeout 4

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 50.19.242.215:443 api.ipify.org tcp
N/A 8.8.8.8:53 f0514725.xsph.ru udp
N/A 141.8.192.151:80 f0514725.xsph.ru tcp

Files

memory/3116-2-0x00007FF8207C0000-0x00007FF8211AC000-memory.dmp

memory/3116-3-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/3116-5-0x000000001C0B0000-0x000000001C121000-memory.dmp

memory/3116-6-0x000000001B940000-0x000000001B942000-memory.dmp

memory/2792-7-0x0000000000000000-mapping.dmp

C:\ProgramData\Decoder.exe

MD5 6bd60496fa24ada50ca869be53467c7c
SHA1 5afdeb2dade4a35e6d8feef1ef24e30075302d6c
SHA256 25dfe0485d9e8fc9380bd7fc63cfca88c3b9b8fc23c75349a68ecfea056ba04b
SHA512 bacd106d5f211a1c24ead24ef32266a68550c3be8dde75e7ef509e165590c058b590edb20c060f5a8ecaa3b785b0e9e2edd3e458146f042c1f12821f66735806

memory/1960-9-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\.cmd

MD5 73712247036b6a24d16502c57a3e5679
SHA1 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
SHA256 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
SHA512 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

memory/2540-11-0x0000000000000000-mapping.dmp

C:\ProgramData\Decoder.exe

MD5 6bd60496fa24ada50ca869be53467c7c
SHA1 5afdeb2dade4a35e6d8feef1ef24e30075302d6c
SHA256 25dfe0485d9e8fc9380bd7fc63cfca88c3b9b8fc23c75349a68ecfea056ba04b
SHA512 bacd106d5f211a1c24ead24ef32266a68550c3be8dde75e7ef509e165590c058b590edb20c060f5a8ecaa3b785b0e9e2edd3e458146f042c1f12821f66735806

memory/2792-13-0x0000000073840000-0x0000000073F2E000-memory.dmp

memory/2792-14-0x0000000000210000-0x0000000000211000-memory.dmp