Malware Analysis Report

2024-11-15 06:31

Sample ID 210519-5y9cmtm3y2
Target Lucky Fixed.exe
SHA256 6933c5d70f485687742b49b9310074cc4b948a293527ad0c7c78fb60d47efcb1
Tags
echelon spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6933c5d70f485687742b49b9310074cc4b948a293527ad0c7c78fb60d47efcb1

Threat Level: Known bad

The file Lucky Fixed.exe was found to be: Known bad.

Malicious Activity Summary

echelon spyware stealer

Echelon

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-19 19:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-19 19:18

Reported

2021-05-19 19:21

Platform

win7v20210408

Max time kernel

25s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Decoder.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe

"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"

C:\ProgramData\Decoder.exe

"C:\ProgramData\Decoder.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""

C:\Windows\system32\timeout.exe

timeout 4
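
The process tree above is what the "Executes dropped EXE" and "Delays execution with timeout.exe" signatures fire on: Lucky Fixed.exe writes C:\ProgramData\Decoder.exe and executes it, runs a .cmd dropped in the user's Temp directory through cmd /c, and that script sleeps with timeout 4. The Python below is an added example, not part of this report and not the sandbox's own signature code: it re-implements those three checks over Sysmon-style process-creation and file-write events. The event records are constructed. The PIDs 2020, 544, 652 and 1752 are borrowed from the memory dump names on the assumption that the dumps are named after the PID; the explorer.exe / cmd.exe / timeout 30 rows are invented benign noise to show that the timeout check does not fire on an interactive console.

```python
"""Detection of the behavioral1 process chain (added example, constructed events)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


@dataclass
class FileWrite:
    pid: int
    path: str       # file created or written by pid


# A .cmd script sitting directly in the user's local Temp directory.
TEMP_CMD = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]*\.cmd$", re.I)
# Script argument of "cmd /c", tolerating cmd's doubled-quote wrapping.
CMD_SCRIPT = re.compile(r'/c\s+"*([^"]+?\.cmd)"*', re.I)


def ancestry(by_pid, pid):
    """Images from pid up to the oldest ancestor present in the log."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def detect(events, writes):
    """Return (rule, pid, detail) tuples for each matching event."""
    findings = []
    written = {w.path.lower() for w in writes}
    by_pid = {e.pid: e for e in events}
    for e in events:
        img = e.image.lower()
        base = ntpath.basename(img)
        # 1. The process image was written to disk earlier in the session.
        if base.endswith(".exe") and img in written:
            findings.append(("executes_dropped_exe", e.pid, e.image))
        # 2. cmd.exe running a .cmd script out of %LOCALAPPDATA%\Temp.
        if base == "cmd.exe":
            m = CMD_SCRIPT.search(e.cmdline)
            if m and TEMP_CMD.match(m.group(1)):
                findings.append(("temp_cmd_script", e.pid, m.group(1)))
        # 3. timeout.exe under a cmd.exe whose own parent lives outside
        #    C:\Windows: a sleep driven by a dropped script, not by an admin.
        if base == "timeout.exe":
            chain = ancestry(by_pid, e.pid)
            if (len(chain) >= 3
                    and ntpath.basename(chain[1].lower()) == "cmd.exe"
                    and not chain[2].lower().startswith("c:\\windows\\")):
                findings.append(("timeout_delay", e.pid, " <- ".join(
                    ntpath.basename(p) for p in chain)))
    return findings


# Constructed events; PIDs taken from the report's dump names (assumption).
SAMPLE_EVENTS = [
    ProcEvent(2020, 1000, r"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"'),
    ProcEvent(544, 2020, r"C:\ProgramData\Decoder.exe", r'"C:\ProgramData\Decoder.exe"'),
    ProcEvent(652, 2020, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""'),
    ProcEvent(1752, 652, r"C:\Windows\system32\timeout.exe", "timeout 4"),
    # Invented benign noise: an interactive console started from explorer.
    ProcEvent(3100, 3000, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
    ProcEvent(3101, 3100, r"C:\Windows\system32\timeout.exe", "timeout 30"),
    ProcEvent(3000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
]
SAMPLE_WRITES = [
    FileWrite(2020, r"C:\ProgramData\Decoder.exe"),
    FileWrite(2020, r"C:\Users\Admin\AppData\Local\Temp\.cmd"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS, SAMPLE_WRITES):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

The third rule deliberately keys on the grandparent rather than on timeout.exe itself, because `timeout` under an administrator's console is routine; it is the chain back to an executable outside C:\Windows that makes the sleep worth an alert.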

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp

Files

memory/2020-59-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/2020-61-0x0000000000A60000-0x0000000000AD1000-memory.dmp

memory/2020-62-0x000000001B010000-0x000000001B012000-memory.dmp

memory/544-63-0x0000000000000000-mapping.dmp

C:\ProgramData\Decoder.exe

MD5 de81e7651c6e62b4c7195ac2e6befbc0
SHA1 1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32
SHA256 eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b
SHA512 3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

memory/652-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\.cmd

MD5 217407484aac2673214337def8886072
SHA1 0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6
SHA256 467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797
SHA512 8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

memory/1752-68-0x0000000000000000-mapping.dmp

memory/544-69-0x0000000001390000-0x0000000001391000-memory.dmp

memory/544-71-0x00000000754F1000-0x00000000754F3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-19 19:18

Reported

2021-05-19 19:21

Platform

win10v20210410

Max time kernel

105s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"

Signatures

Echelon

Tags: stealer spyware echelon

Reads user/profile data of web browsers

Tags: spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A (2 hits)
N/A | ip-api.com | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe | N/A (52 identical hits)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe

"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.243.154.178:443 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | ip-api.com | udp
N/A | 208.95.112.1:80 | ip-api.com | tcp
N/A | 8.8.8.8:53 | api.telegram.org | udp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
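
Two caveats a practitioner would want before lifting indicators from this table: the 8.8.8.8:53 rows are the sandbox VM's DNS resolver and carry no destination indicator (only the queried name matters), and the three contacted IPs belong to shared public services (two "what is my IP" APIs and Telegram's Bot API), so blocking them outright is pointless and the domains plus the ordering are what to alert on. The report does not label the api.telegram.org traffic, but the Bot API is widely used by stealer families as an exfiltration channel, and contacting it right after an external-IP lookup is the fingerprint-then-report pattern. The Python below is an added example, not part of this report: it parses the Network rows as printed, separates DNS from connections, classifies the destinations and applies that ordering rule. The table text is copied from the report; the service categories and the correlation rule are this example's own assumptions.

```python
"""Triage of the behavioral2 Network table (added example)."""
import re
from dataclasses import dataclass

# Rows copied verbatim from the behavioral2 Network table of the report.
NETWORK_TABLE = """\
Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.243.154.178:443 api.ipify.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 api.telegram.org udp
N/A 149.154.167.220:443 api.telegram.org tcp
"""

# Categories are this example's assumptions, not the report's labels.
SANDBOX_RESOLVER = "8.8.8.8"                           # the VM's DNS server, not an indicator
IP_LOOKUP_SERVICES = {"api.ipify.org", "ip-api.com"}  # public external-IP / geolocation APIs
TELEGRAM_BOT_API = "api.telegram.org"                  # shared with every legitimate Telegram bot


@dataclass(frozen=True)
class NetRow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_network_table(text):
    """Parse the report's rows; accepts space- or pipe-separated columns."""
    rows = []
    for line in text.strip().splitlines()[1:]:          # skip the header row
        fields = re.split(r"\s*\|\s*|\s+", line.strip())
        country, dest, domain, proto = fields[:4]
        ip, port = dest.rsplit(":", 1)
        rows.append(NetRow(country, ip, int(port), domain, proto.lower()))
    return rows


def split_dns(rows):
    """Separate DNS queries from connections; DNS contributes names only."""
    queried, connects = set(), []
    for r in rows:
        if r.proto == "udp" and r.port == 53:
            queried.add(r.domain)
        else:
            connects.append(r)
    return queried, connects


def classify(connects):
    cats = {"ip_lookup": [], "telegram_api": [], "other": []}
    for c in connects:
        if c.domain in IP_LOOKUP_SERVICES:
            cats["ip_lookup"].append(c)
        elif c.domain == TELEGRAM_BOT_API:
            cats["telegram_api"].append(c)
        else:
            cats["other"].append(c)
    return cats


def stealer_sequence(connects):
    """True when an IP-lookup call precedes Telegram Bot API traffic.

    Neither service is malicious on its own; the ordered pair from one
    sample is what matches the fingerprint-then-report pattern."""
    seen_lookup = False
    for c in connects:
        if c.domain in IP_LOOKUP_SERVICES:
            seen_lookup = True
        elif c.domain == TELEGRAM_BOT_API and seen_lookup:
            return True
    return False


def indicators(rows):
    """Domains to alert on, IPs to log (shared services; do not block), resolver excluded."""
    queried, connects = split_dns(rows)
    return {
        "domains": sorted(queried | {c.domain for c in connects}),
        "contacted_ips": sorted({c.ip for c in connects}),
        "excluded": sorted({r.ip for r in rows if r.proto == "udp" and r.port == 53}),
    }


if __name__ == "__main__":
    rows = parse_network_table(NETWORK_TABLE)
    _, connects = split_dns(rows)
    print(classify(connects))
    print("stealer sequence:", stealer_sequence(connects))
    print(indicators(rows))
```

For the report's own rows this yields three alertable domains, three contacted IPs to log rather than block, 8.8.8.8 excluded as the resolver, and a positive stealer_sequence result because both lookups happen before the Telegram connection.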

Files

memory/3892-114-0x0000000000310000-0x0000000000311000-memory.dmp

memory/3892-116-0x000000001B520000-0x000000001B591000-memory.dmp

memory/3892-117-0x0000000000C50000-0x0000000000C52000-memory.dmp