Analysis

  • max time kernel
    55s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    24-06-2021 00:22

General

  • Target

    cd4ba6a5ecbcbaa727b4da9e16c9f960.exe

  • Size

    1.2MB

  • MD5

    cd4ba6a5ecbcbaa727b4da9e16c9f960

  • SHA1

    9da58c60081a3c3120460d7d8923be3bd65882bc

  • SHA256

    699724f6a8610c280586bf239477584de4e456b8e6f2aff27fce8c0b41bb56c9

  • SHA512

    f327b53e47d08637d2421c26abed83079c45a67f945bf0440cae0c4817b842be1b32684d9546bd7f1d442e9b9009d2e9fc518262759be86f35a430bc8eb42c37

Score
10/10

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe
    "C:\Users\Admin\AppData\Local\Temp\cd4ba6a5ecbcbaa727b4da9e16c9f960.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Users\Admin\AppData\Local\Temp\Borns.exe
      "C:\Users\Admin\AppData\Local\Temp\Borns.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\ProgramData\Decoder.exe
        "C:\ProgramData\Decoder.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:328
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:684
        • C:\Windows\system32\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:436

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Decoder.exe

    MD5

    c29c0d495ed13e703f433d53bdffdab8

    SHA1

    74ed36e6b6027b61abcfe2956670ffd9de7fd71a

    SHA256

    20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b

    SHA512

    fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

  • C:\Users\Admin\AppData\Local\Temp\.cmd

    MD5

    73712247036b6a24d16502c57a3e5679

    SHA1

    65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

    SHA256

    8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

    SHA512

    548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

  • C:\Users\Admin\AppData\Local\Temp\Borns.exe

    MD5

    884529a75c3268c5322822bac31a78b0

    SHA1

    ebe46ead5ea6c147aad4b746bf7db3d065291960

    SHA256

    76cd69d4dc6d55742fe48e31ac983cc34e3fc7c8ff6e08dd451a87d5e613d2dd

    SHA512

    fc2f43fd9dee0f4a2cde51539d6be525be3a98cba37e119b24df0a62e7993eccb4bdd075f1cd6ce8f4f3dfa0cfe013d6451531e518ec08bb1bfcd9e8549236ca

  • C:\Users\Admin\AppData\Local\Temp\Borns.exe

    MD5

    884529a75c3268c5322822bac31a78b0

    SHA1

    ebe46ead5ea6c147aad4b746bf7db3d065291960

    SHA256

    76cd69d4dc6d55742fe48e31ac983cc34e3fc7c8ff6e08dd451a87d5e613d2dd

    SHA512

    fc2f43fd9dee0f4a2cde51539d6be525be3a98cba37e119b24df0a62e7993eccb4bdd075f1cd6ce8f4f3dfa0cfe013d6451531e518ec08bb1bfcd9e8549236ca

  • memory/328-78-0x0000000002092000-0x0000000002093000-memory.dmp

    Filesize

    4KB

  • memory/328-79-0x0000000002093000-0x0000000002094000-memory.dmp

    Filesize

    4KB

  • memory/328-75-0x0000000002091000-0x0000000002092000-memory.dmp

    Filesize

    4KB

  • memory/328-77-0x0000000004810000-0x00000000048A4000-memory.dmp

    Filesize

    592KB

  • memory/328-80-0x0000000002094000-0x0000000002096000-memory.dmp

    Filesize

    8KB

  • memory/328-70-0x0000000000000000-mapping.dmp

  • memory/328-76-0x00000000048B0000-0x0000000004946000-memory.dmp

    Filesize

    600KB

  • memory/328-81-0x0000000004DF0000-0x0000000004E60000-memory.dmp

    Filesize

    448KB

  • memory/436-74-0x0000000000000000-mapping.dmp

  • memory/684-72-0x0000000000000000-mapping.dmp

  • memory/980-60-0x0000000001330000-0x0000000001331000-memory.dmp

    Filesize

    4KB

  • memory/980-65-0x000000001B060000-0x000000001B062000-memory.dmp

    Filesize

    8KB

  • memory/2000-69-0x000000001AEF0000-0x000000001AEF2000-memory.dmp

    Filesize

    8KB

  • memory/2000-68-0x000000001A940000-0x000000001A9B1000-memory.dmp

    Filesize

    452KB

  • memory/2000-66-0x00000000012B0000-0x00000000012B1000-memory.dmp

    Filesize

    4KB

  • memory/2000-62-0x0000000000000000-mapping.dmp