Analysis Overview
SHA256
045ce5f3e750d27127ac6dd5683533b1e42748c7cb47a38a06a42f7f1dfb15d7
Threat Level: Known bad
The file lagstress.exe was found to be: Known bad.
Malicious Activity Summary
Echelon
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-03-06 18:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-03-06 18:21
Reported
2021-03-06 18:24
Platform
win7v20201028
Max time kernel
16s
Max time network
18s
Command Line
Signatures
Echelon
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\lagstress.exe
"C:\Users\Admin\AppData\Local\Temp\lagstress.exe"
C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
C:\Windows\system32\timeout.exe
timeout 4
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.19.242.215:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
| N/A | 8.8.8.8:53 | f0514725.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0514725.xsph.ru | tcp |
Files
memory/1632-2-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp
memory/1632-3-0x0000000000B50000-0x0000000000B51000-memory.dmp
memory/1632-5-0x0000000000610000-0x0000000000681000-memory.dmp
memory/1632-6-0x000000001B1D0000-0x000000001B1D2000-memory.dmp
memory/1160-7-0x0000000000000000-mapping.dmp
C:\ProgramData\Decoder.exe
| Hash | Value |
| --- | --- |
| MD5 | 6bd60496fa24ada50ca869be53467c7c |
| SHA1 | 5afdeb2dade4a35e6d8feef1ef24e30075302d6c |
| SHA256 | 25dfe0485d9e8fc9380bd7fc63cfca88c3b9b8fc23c75349a68ecfea056ba04b |
| SHA512 | bacd106d5f211a1c24ead24ef32266a68550c3be8dde75e7ef509e165590c058b590edb20c060f5a8ecaa3b785b0e9e2edd3e458146f042c1f12821f66735806 |
memory/916-9-0x0000000000000000-mapping.dmp
C:\ProgramData\Decoder.exe
| Hash | Value |
| --- | --- |
| MD5 | 6bd60496fa24ada50ca869be53467c7c |
| SHA1 | 5afdeb2dade4a35e6d8feef1ef24e30075302d6c |
| SHA256 | 25dfe0485d9e8fc9380bd7fc63cfca88c3b9b8fc23c75349a68ecfea056ba04b |
| SHA512 | bacd106d5f211a1c24ead24ef32266a68550c3be8dde75e7ef509e165590c058b590edb20c060f5a8ecaa3b785b0e9e2edd3e458146f042c1f12821f66735806 |
C:\Users\Admin\AppData\Local\Temp\.cmd
| Hash | Value |
| --- | --- |
| MD5 | 73712247036b6a24d16502c57a3e5679 |
| SHA1 | 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa |
| SHA256 | 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0 |
| SHA512 | 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de |
memory/692-12-0x0000000000000000-mapping.dmp
memory/1160-13-0x00000000745C0000-0x0000000074CAE000-memory.dmp
memory/1160-14-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
memory/1160-16-0x0000000076341000-0x0000000076343000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-03-06 18:21
Reported
2021-03-06 18:24
Platform
win10v20201028
Max time kernel
17s
Max time network
112s
Command Line
Signatures
Echelon
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3116 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | C:\ProgramData\Decoder.exe |
| PID 3116 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | C:\ProgramData\Decoder.exe |
| PID 3116 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | C:\ProgramData\Decoder.exe |
| PID 3116 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | C:\Windows\system32\cmd.exe |
| PID 3116 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\lagstress.exe | C:\Windows\system32\cmd.exe |
| PID 1960 wrote to memory of 2540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 1960 wrote to memory of 2540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\lagstress.exe
"C:\Users\Admin\AppData\Local\Temp\lagstress.exe"
C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
C:\Windows\system32\timeout.exe
timeout 4
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.19.242.215:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | f0514725.xsph.ru | udp |
| N/A | 141.8.192.151:80 | f0514725.xsph.ru | tcp |
Files
memory/3116-2-0x00007FF8207C0000-0x00007FF8211AC000-memory.dmp
memory/3116-3-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
memory/3116-5-0x000000001C0B0000-0x000000001C121000-memory.dmp
memory/3116-6-0x000000001B940000-0x000000001B942000-memory.dmp
memory/2792-7-0x0000000000000000-mapping.dmp
C:\ProgramData\Decoder.exe
| Hash | Value |
| --- | --- |
| MD5 | 6bd60496fa24ada50ca869be53467c7c |
| SHA1 | 5afdeb2dade4a35e6d8feef1ef24e30075302d6c |
| SHA256 | 25dfe0485d9e8fc9380bd7fc63cfca88c3b9b8fc23c75349a68ecfea056ba04b |
| SHA512 | bacd106d5f211a1c24ead24ef32266a68550c3be8dde75e7ef509e165590c058b590edb20c060f5a8ecaa3b785b0e9e2edd3e458146f042c1f12821f66735806 |
memory/1960-9-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\.cmd
| Hash | Value |
| --- | --- |
| MD5 | 73712247036b6a24d16502c57a3e5679 |
| SHA1 | 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa |
| SHA256 | 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0 |
| SHA512 | 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de |
memory/2540-11-0x0000000000000000-mapping.dmp
C:\ProgramData\Decoder.exe
| Hash | Value |
| --- | --- |
| MD5 | 6bd60496fa24ada50ca869be53467c7c |
| SHA1 | 5afdeb2dade4a35e6d8feef1ef24e30075302d6c |
| SHA256 | 25dfe0485d9e8fc9380bd7fc63cfca88c3b9b8fc23c75349a68ecfea056ba04b |
| SHA512 | bacd106d5f211a1c24ead24ef32266a68550c3be8dde75e7ef509e165590c058b590edb20c060f5a8ecaa3b785b0e9e2edd3e458146f042c1f12821f66735806 |
memory/2792-13-0x0000000073840000-0x0000000073F2E000-memory.dmp
memory/2792-14-0x0000000000210000-0x0000000000211000-memory.dmp