Analysis Overview
SHA256: a906f50dff710a4a046397eabdc9d5fff06a400769b1c02453e7f2fed1c1fc44
Threat Level: Known bad
The file "Lucky update (пароль 123).rar" was found to be: Known bad. (The Russian word пароль means "password": the archive name advertises its own extraction password, 123, a common way to get a password-protected RAR past mail and web scanners.)
Malicious Activity Summary
Echelon
Executes dropped EXE
VMProtect packed file
Reads user/profile data of web browsers
Looks up external IP address via web service
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK (Enterprise Matrix V6): no technique mapping is recorded in this export.
Analysis: static1
Detonation Overview
Reported: 2021-03-26 21:14
Signatures: none recorded for the static pass
Analysis: behavioral1
Detonation Overview
Submitted: 2021-03-26 21:14
Reported: 2021-03-26 21:15
Platform: win10v20201028
Max time kernel: 13s
Max time network: 17s
Command Line: (none recorded)
Signatures
Echelon
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A (3 matches; the export records no file, process or indicator detail for any of them) | N/A | N/A | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky update\Lucky Fixed.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky update\Lucky Fixed.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1180 wrote to memory of 940 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky update\Lucky Fixed.exe | C:\ProgramData\Decoder.exe |
| PID 1180 wrote to memory of 972 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky update\Lucky Fixed.exe | C:\Windows\system32\cmd.exe |
| PID 972 wrote to memory of 496 (2 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
Note: every write here is from a parent into the child it has just started, and the same signature fires for cmd.exe writing into timeout.exe. That pattern is what ordinary process creation looks like to this signature; on its own it is not evidence of injection into an unrelated process.
Processes
Process tree; PIDs and parent links are taken from the WriteProcessMemory events above:
C:\Users\Admin\AppData\Local\Temp\Lucky update\Lucky Fixed.exe (PID 1180)
  "C:\Users\Admin\AppData\Local\Temp\Lucky update\Lucky Fixed.exe"
  C:\ProgramData\Decoder.exe (PID 940)
    "C:\ProgramData\Decoder.exe"
  C:\Windows\system32\cmd.exe (PID 972)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    C:\Windows\system32\timeout.exe (PID 496)
      timeout 4
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 107.22.233.72:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
Note: the api.telegram.org connection is not attributed to any signature above. Taken together with the Echelon detection, the browser-profile reads and the two external-IP lookups that precede it, it is consistent with stealer exfiltration over the Telegram Bot API and is the connection to alert on; the IP-lookup services are shared with legitimate software and are weak indicators on their own. All three names were resolved via 8.8.8.8 rather than the local resolver, so DNS-server logs alone would miss them.
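The following is an added example and not part of the sandbox report: it replays the behaviour chain recorded above (a Temp-resident sample starting a dropped EXE from C:\ProgramData, a cmd.exe /c <Temp script> -> timeout.exe delay, and external-IP lookups followed by api.telegram.org) as detection logic over constructed process-creation and DNS telemetry. The domains, file hashes and PIDs 1180/940/972/496 are copied from the report; the event record shapes, the parent PID 800 of the sample and all function names are assumptions.

```python
"""Added example (not from the report): replay this report's behaviour chain
against constructed process-creation and DNS events."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Indicator values as listed in the report above.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ip-api.com"}
EXFIL_DOMAINS = {"api.telegram.org"}
DROPPED_SHA256 = {
    "7667a561f5535aa6ae7de40c0559b15ccb8a3ee1ae4bf9f1d36430768a41d5ee": "C:\\ProgramData\\Decoder.exe",
    "8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0": "C:\\Users\\Admin\\AppData\\Local\\Temp\\.cmd",
}
USER_TEMP = "\\appdata\\local\\temp\\"   # lower-cased path fragment of a user Temp dir
PROGRAMDATA = "c:\\programdata\\"


@dataclass(frozen=True)
class ProcEvent:            # one process-creation record (assumed shape)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class DnsEvent:             # one DNS query record (assumed shape)
    pid: int
    domain: str


def _by_pid(procs: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {p.pid: p for p in procs}


def root_pid(procs: List[ProcEvent], pid: int) -> int:
    """Follow ppid links until the parent is outside the telemetry; that process is the tree root."""
    table = _by_pid(procs)
    while pid in table and table[pid].ppid in table:
        pid = table[pid].ppid
    return pid


def dropped_exe_executions(procs: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where a Temp-resident parent starts a child from ProgramData or Temp."""
    table = _by_pid(procs)
    hits = []
    for p in procs:
        parent = table.get(p.ppid)
        if parent is None:
            continue
        img = p.image.lower()
        if (img.startswith(PROGRAMDATA) or USER_TEMP in img) and USER_TEMP in parent.image.lower():
            hits.append((parent.pid, p.pid))
    return hits


def timeout_delay_chains(procs: List[ProcEvent]) -> List[int]:
    """Tree root pid of every 'cmd.exe runs a script from Temp -> timeout.exe' chain."""
    table = _by_pid(procs)
    roots = []
    for p in procs:
        if not p.image.lower().endswith("\\timeout.exe"):
            continue
        parent = table.get(p.ppid)
        if parent and parent.image.lower().endswith("\\cmd.exe") and USER_TEMP in parent.cmdline.lower():
            roots.append(root_pid(procs, p.pid))
    return roots


def dns_fingerprint_then_exfil(dns: List[DnsEvent]) -> List[int]:
    """pids that resolve an external-IP service and afterwards resolve the Telegram API."""
    seen: Dict[int, Set[str]] = {}
    flagged: List[int] = []
    for e in dns:
        cats = seen.setdefault(e.pid, set())
        d = e.domain.lower()
        if d in IP_LOOKUP_DOMAINS:
            cats.add("ip_lookup")
        if d in EXFIL_DOMAINS and "ip_lookup" in cats and e.pid not in flagged:
            flagged.append(e.pid)
    return flagged


def known_dropped_file(sha256_hex: str) -> Optional[str]:
    """Path the report recorded for a dropped file with this SHA256, if any."""
    return DROPPED_SHA256.get(sha256_hex.strip().lower())


def triage(procs: List[ProcEvent], dns: List[DnsEvent]) -> List[str]:
    findings = [f"pid {a} executed dropped EXE pid {b}" for a, b in dropped_exe_executions(procs)]
    findings += [f"pid {r} delayed execution via cmd.exe -> timeout.exe" for r in timeout_delay_chains(procs)]
    findings += [f"pid {p} looked up its external IP, then contacted api.telegram.org"
                 for p in dns_fingerprint_then_exfil(dns)]
    return findings


# Constructed telemetry modelled on the report's process list and network table.
# PIDs 1180/940/972/496 are the report's; the sample's parent PID 800 is assumed.
LUCKY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Lucky update\\Lucky Fixed.exe"
SAMPLE_PROCS = [
    ProcEvent(1180, 800, LUCKY, f'"{LUCKY}"'),
    ProcEvent(940, 1180, "C:\\ProgramData\\Decoder.exe", '"C:\\ProgramData\\Decoder.exe"'),
    ProcEvent(972, 1180, "C:\\Windows\\system32\\cmd.exe",
              'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\.cmd""'),
    ProcEvent(496, 972, "C:\\Windows\\system32\\timeout.exe", "timeout 4"),
]
SAMPLE_DNS = [DnsEvent(1180, "api.ipify.org"), DnsEvent(1180, "ip-api.com"), DnsEvent(1180, "api.telegram.org")]

if __name__ == "__main__":
    for line in triage(SAMPLE_PROCS, SAMPLE_DNS):
        print(line)
```

The three checks are deliberately kept separate so each can be tuned on its own: the dropped-EXE and timeout chains are cheap process-tree rules, while the DNS rule only fires on the ordering (fingerprint first, Telegram afterwards), which is what separates this sample from software that merely asks an IP-lookup service for its address.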
Files
memory/1180-2-0x00007FFE6DE80000-0x00007FFE6E86C000-memory.dmp
memory/1180-3-0x0000000000980000-0x0000000000981000-memory.dmp
memory/1180-5-0x0000000002B70000-0x0000000002BE1000-memory.dmp
memory/1180-6-0x000000001B930000-0x000000001B932000-memory.dmp
memory/940-7-0x0000000000000000-mapping.dmp
C:\ProgramData\Decoder.exe
| MD5 | 2e95885be2e46e197adcc0bc6245c2de |
| SHA1 | 715785863d460d328bb8ec6356dd95e62fe160ce |
| SHA256 | 7667a561f5535aa6ae7de40c0559b15ccb8a3ee1ae4bf9f1d36430768a41d5ee |
| SHA512 | f65f5276cc4e99353a990bb4a784fb542ea6dce4f1c4a9323eb58150efce7c63320d7e91814f731f5342f31794d9d2db284ad2f6bda28a506c2e1c6aab2e6c1f |
memory/972-9-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\.cmd
| MD5 | 73712247036b6a24d16502c57a3e5679 |
| SHA1 | 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa |
| SHA256 | 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0 |
| SHA512 | 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de |
memory/496-12-0x0000000000000000-mapping.dmp
memory/940-13-0x0000000073A70000-0x000000007415E000-memory.dmp
memory/940-14-0x00000000009E0000-0x00000000009E1000-memory.dmp