Malware Analysis Report

2024-11-15 06:30

Sample ID 210408-tmez342q6j
Target Lucky_Execute.bin
SHA256 5846a8f96c27b089cbb3cba02aeb3b60a8b4fb0a9083b1414474e86ca92c79d0
Tags
spyware stealer echelon
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5846a8f96c27b089cbb3cba02aeb3b60a8b4fb0a9083b1414474e86ca92c79d0

Threat Level: Known bad

The file Lucky_Execute.bin was found to be: Known bad.

Malicious Activity Summary

spyware stealer echelon

Echelon

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-04-08 11:57

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-04-08 11:57

Reported

2021-04-08 11:59

Platform

win10v20201028

Max time kernel

14s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A
N/A          api.ipify.org  N/A      N/A
N/A          ip-api.com     N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                  Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe"

Network

Country  Destination         Domain            Proto
N/A      52.109.8.19:443                       tcp
N/A      8.8.8.8:53          api.ipify.org     udp
N/A      50.19.242.215:443   api.ipify.org     tcp
N/A      8.8.8.8:53          ip-api.com        udp
N/A      208.95.112.1:80     ip-api.com        tcp
N/A      8.8.8.8:53          a0525271.xsph.ru  udp
N/A      141.8.192.163:80    a0525271.xsph.ru  tcp

Files

memory/3244-114-0x0000016C7C570000-0x0000016C7C571000-memory.dmp

memory/3244-116-0x0000016C7EBA0000-0x0000016C7EC11000-memory.dmp

memory/3244-117-0x0000016C7C9B0000-0x0000016C7C9B2000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-04-08 11:57

Reported

2021-04-08 11:59

Platform

win7v20201028

Max time kernel

15s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe"

Signatures

Echelon

stealer spyware echelon

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          ip-api.com     N/A      N/A
N/A          api.ipify.org  N/A      N/A
N/A          api.ipify.org  N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                  Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe"

Network

Country  Destination         Domain            Proto
N/A      8.8.8.8:53          api.ipify.org     udp
N/A      54.235.83.248:443   api.ipify.org     tcp
N/A      8.8.8.8:53          ip-api.com        udp
N/A      208.95.112.1:80     ip-api.com        tcp
N/A      8.8.8.8:53          a0525271.xsph.ru  udp
N/A      141.8.192.163:80    a0525271.xsph.ru  tcp

Files

memory/1680-60-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/1680-62-0x0000000000AF0000-0x0000000000B61000-memory.dmp

memory/1680-63-0x00000000007C0000-0x00000000007C2000-memory.dmp