Analysis Overview
SHA256
5846a8f96c27b089cbb3cba02aeb3b60a8b4fb0a9083b1414474e86ca92c79d0
Threat Level: Known bad
The file Lucky_Execute.bin was found to be: Known bad.
Malicious Activity Summary
Echelon
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-04-08 11:57
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-04-08 11:57
Reported
2021-04-08 11:59
Platform
win10v20201028
Max time kernel
14s
Max time network
115s
Command Line
Signatures
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.8.19:443 | tcp | |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.19.242.215:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | a0525271.xsph.ru | udp |
| N/A | 141.8.192.163:80 | a0525271.xsph.ru | tcp |
Files
memory/3244-114-0x0000016C7C570000-0x0000016C7C571000-memory.dmp
memory/3244-116-0x0000016C7EBA0000-0x0000016C7EC11000-memory.dmp
memory/3244-117-0x0000016C7C9B0000-0x0000016C7C9B2000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-04-08 11:57
Reported
2021-04-08 11:59
Platform
win7v20201028
Max time kernel
15s
Max time network
17s
Command Line
Signatures
Echelon
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Lucky_Execute.bin.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.83.248:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | a0525271.xsph.ru | udp |
| N/A | 141.8.192.163:80 | a0525271.xsph.ru | tcp |
Files
memory/1680-60-0x0000000000B70000-0x0000000000B71000-memory.dmp
memory/1680-62-0x0000000000AF0000-0x0000000000B61000-memory.dmp
memory/1680-63-0x00000000007C0000-0x00000000007C2000-memory.dmp