Analysis

  • max time kernel
    102s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    14-06-2021 10:49

General

  • Target

    https://mega.nz/file/NpQEFDAA#XXNPVgQcDqK348sVaw9rmBtjExQC_STEjyEsky8lx6k

  • Sample

    210614-xvb9zxgc4j

Score
10/10

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://mega.nz/file/NpQEFDAA#XXNPVgQcDqK348sVaw9rmBtjExQC_STEjyEsky8lx6k
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://mega.nz/file/NpQEFDAA#XXNPVgQcDqK348sVaw9rmBtjExQC_STEjyEsky8lx6k
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.0.2139458304\1555540724" -parentBuildID 20200403170909 -prefsHandle 1540 -prefMapHandle 1532 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 1628 gpu
        3⤵
        PID:4068
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.3.62013209\1626786656" -childID 1 -isForBrowser -prefsHandle 2292 -prefMapHandle 2288 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 2256 tab
        3⤵
        PID:3604
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.13.1922853634\1193161395" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3052 -prefsLen 7013 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 3524 tab
        3⤵
        PID:1492
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3184.20.1345227621\544175681" -childID 3 -isForBrowser -prefsHandle 3208 -prefMapHandle 4324 -prefsLen 8017 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3184 "\\.\pipe\gecko-crash-server-pipe.3184" 4572 tab
        3⤵
        PID:4400
  • C:\Users\Admin\Downloads\Bitcoin-Check v1.exe
    "C:\Users\Admin\Downloads\Bitcoin-Check v1.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4832

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Downloads\Bitcoin-Check v1.exe

    MD5: fa72209ff58ceb1248dc80dd9fcf76a0

    SHA1: ad2d65e196bffdbb79fdf3f5e6df31c6e232a579

    SHA256: 9f92c125c35f93e411bb3e444b8bcb2fc2a906b3658cbac415db95b9246a8ede

    SHA512: 9adbe1f789ccbfd16633e1d799c7a26281259be752fac134eb892d3e0d89cc0aa4152098967fd3a1f5acab7c5f9290913aec2180a7dfcb5d4c9e256f1683248f

  • memory/1492-124-0x0000000000000000-mapping.dmp

  • memory/3184-114-0x0000000000000000-mapping.dmp

  • memory/3604-121-0x0000000000000000-mapping.dmp

  • memory/4068-116-0x0000000000000000-mapping.dmp

  • memory/4400-126-0x0000000000000000-mapping.dmp

  • memory/4832-129-0x000001FEE1830000-0x000001FEE1831000-memory.dmp

    Filesize: 4KB

  • memory/4832-131-0x000001FEFBEC0000-0x000001FEFBF31000-memory.dmp

    Filesize: 452KB

  • memory/4832-132-0x000001FEE1C40000-0x000001FEE1C42000-memory.dmp

    Filesize: 8KB