Analysis
-
max time kernel
117s -
max time network
170s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
08-02-2022 22:55
Static task
static1
Behavioral task
behavioral1
Sample
8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe
Resource
win10v2004-en-20220112
General
-
Target
8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe
-
Size
4.2MB
-
MD5
13613441b3b4e415ec3e0311c364fca9
-
SHA1
679fdbccd74e0a27c0d42df7a787e1ab0cdfd2a1
-
SHA256
8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa
-
SHA512
0dad186e906cf0c0d6aa943e91f8de6ac864fc278397c986479c7441cbbd9177e8f0c7b9bab58a0d92a67231a7f596e89f89cf2789a829ed772f9fad3e01d12a
Malware Config
Signatures
-
Echelon log file 1 IoCs
Detects a log file produced by Echelon.
Processes:
yara_rule echelon_log_file -
Executes dropped EXE 3 IoCs
Processes:
Encrypted.exeCDS.execrypted.exepid Process 764 Encrypted.exe 576 CDS.exe 1592 crypted.exe -
Loads dropped DLL 13 IoCs
Processes:
8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exeEncrypted.exeCDS.exepid Process 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 764 Encrypted.exe 764 Encrypted.exe 576 CDS.exe 576 CDS.exe 576 CDS.exe 576 CDS.exe 576 CDS.exe 576 CDS.exe 576 CDS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
crypted.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 crypted.exe Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 crypted.exe Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 crypted.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Encrypted.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce Encrypted.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" Encrypted.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org 6 ip-api.com 8 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 956 1592 WerFault.exe 30 -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid Process 564 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
crypted.exeCDS.exeWerFault.exepid Process 1592 crypted.exe 1592 crypted.exe 576 CDS.exe 576 CDS.exe 956 WerFault.exe 956 WerFault.exe 956 WerFault.exe 956 WerFault.exe 956 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
crypted.exeWerFault.exedescription pid Process Token: SeDebugPrivilege 1592 crypted.exe Token: SeDebugPrivilege 956 WerFault.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
CDS.exepid Process 576 CDS.exe 576 CDS.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exeEncrypted.exeCDS.execrypted.exedescription pid Process procid_target PID 1928 wrote to memory of 764 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 27 PID 1928 wrote to memory of 764 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 27 PID 1928 wrote to memory of 764 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 27 PID 1928 wrote to memory of 764 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 27 PID 1928 wrote to memory of 764 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 27 PID 1928 wrote to memory of 764 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 27 PID 1928 wrote to memory of 764 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 27 PID 1928 wrote to memory of 564 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 28 PID 1928 wrote to memory of 564 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 28 PID 1928 wrote to memory of 564 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 28 PID 1928 wrote to memory of 564 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 28 PID 1928 wrote to memory of 564 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 28 PID 1928 wrote to memory of 564 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 28 PID 1928 wrote to memory of 564 1928 8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe 28 PID 764 wrote to memory of 576 764 Encrypted.exe 29 PID 764 wrote to memory of 576 764 Encrypted.exe 29 PID 764 wrote to memory of 576 764 Encrypted.exe 29 PID 764 wrote to memory of 576 764 Encrypted.exe 29 PID 764 wrote to memory of 576 764 Encrypted.exe 29 PID 764 wrote to memory of 576 764 Encrypted.exe 29 PID 764 wrote to memory of 576 764 Encrypted.exe 29 PID 576 wrote to memory of 1592 576 CDS.exe 30 PID 576 wrote to memory of 1592 576 CDS.exe 30 PID 576 wrote to memory of 1592 576 CDS.exe 30 PID 576 wrote to memory of 1592 576 CDS.exe 30 PID 576 wrote to memory of 1592 576 CDS.exe 30 PID 576 wrote to memory of 1592 576 CDS.exe 30 PID 576 wrote to memory of 1592 576 CDS.exe 30 PID 1592 wrote to memory of 956 1592 crypted.exe 35 PID 1592 wrote to memory of 956 1592 crypted.exe 35 PID 1592 wrote to memory of 956 1592 crypted.exe 35 PID 1592 wrote to memory of 956 1592 crypted.exe 35 PID 1592 wrote to memory of 956 1592 crypted.exe 35 -
outlook_office_path 1 IoCs
Processes:
crypted.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 crypted.exe -
outlook_win_path 1 IoCs
Processes:
crypted.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 crypted.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe"C:\Users\Admin\AppData\Local\Temp\8e5db41d7be640cf1a007241568b32f2d1b8105839acb3fae7ade57b86c49efa.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Users\Admin\AppData\Local\Temp\Encrypted.exe"C:\Users\Admin\AppData\Local\Temp\Encrypted.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1592 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1592 -s 16165⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956
-
-
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\txt.txt2⤵
- Opens file in notepad (likely ransom note)
PID:564
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
79112cb6a47b53ae2844d502f0a5d7c2
SHA143509a0719409190eb27e962d07b8099258cc816
SHA2567082302ceee9e84632ae16a2e3b44747e24424748086f522b6303e4bca9e4948
SHA5126c63acc37f3ab9dfa66d0d44f8edb0b2ea71a7224055936e5db2e64eb8a037bbea8aeb16b4f3182e4ff40fb8fc786346be0fd82ac51ba874431b08f0de5990c4
-
MD5
79112cb6a47b53ae2844d502f0a5d7c2
SHA143509a0719409190eb27e962d07b8099258cc816
SHA2567082302ceee9e84632ae16a2e3b44747e24424748086f522b6303e4bca9e4948
SHA5126c63acc37f3ab9dfa66d0d44f8edb0b2ea71a7224055936e5db2e64eb8a037bbea8aeb16b4f3182e4ff40fb8fc786346be0fd82ac51ba874431b08f0de5990c4
-
MD5
340b294efc691d1b20c64175d565ebc7
SHA181cb9649bd1c9a62ae79e781818fc24d15c29ce7
SHA25672566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
SHA5121395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d
-
MD5
3e7ecaeb51c2812d13b07ec852d74aaf
SHA1e9bdab93596ffb0f7f8c65243c579180939acb26
SHA256e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
SHA512635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d
-
MD5
424bf196deaeb4ddcafb78e137fa560a
SHA1007738e9486c904a3115daa6e8ba2ee692af58c8
SHA2560963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797
-
MD5
424bf196deaeb4ddcafb78e137fa560a
SHA1007738e9486c904a3115daa6e8ba2ee692af58c8
SHA2560963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797
-
MD5
756e089a055d07461b35549b542ef4d8
SHA14c652e9fdf95200de724aae517bd0a8f45e87bcd
SHA2568d17bbb32df3c926ec6af1bdfd26a5f01b603e85cac495d720fc9aaece15c52d
SHA512ec3181acd21763d13a8d328846986b0c875b3c082c6ce47b4360cb7bb87902fa0192d988448038b9725f2a9a3f7f430c00037e468591d869d361b72b2c11e7f1
-
MD5
245599d3047f622e6906f226f886bd86
SHA1e49c9221a8d03125c0a772458cb1a8aac42775f9
SHA2569abba50fcc018d58668c3f9c5deed71b3d4e41f53380a0a6eb8e37e87390d9c9
SHA5128dee7b8dfd13fbebda26c962b00382dc86e2446d0e7a9a124d30016cdc18553a5c14ff8f946352bae322684f5a7c7e980372be991585fcc4267e944ca940a065
-
MD5
245599d3047f622e6906f226f886bd86
SHA1e49c9221a8d03125c0a772458cb1a8aac42775f9
SHA2569abba50fcc018d58668c3f9c5deed71b3d4e41f53380a0a6eb8e37e87390d9c9
SHA5128dee7b8dfd13fbebda26c962b00382dc86e2446d0e7a9a124d30016cdc18553a5c14ff8f946352bae322684f5a7c7e980372be991585fcc4267e944ca940a065
-
MD5
68934a3e9455fa72420237eb05902327
SHA17cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d
-
MD5
c3256800dce47c14acc83ccca4c3e2ac
SHA19d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA5126865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25
-
MD5
bdd7dd3c4f48fd81508966f8ef89b732
SHA1a56ea6dade632e3a77bdb0cd5efa78fa115e9409
SHA256be3b4e28c9ae0b5b4cf78942012d467bb25ffa11c91bda98fc22b94ff97896a0
SHA512a71f4e1081e4cf7933812c620c83e8d5fcbb374c8cef7a9d8f06ca99c599ebdba775a8b105be202b7bd24df429fb48848acc2e06b45914d9d2151e3e74a0b991
-
MD5
79112cb6a47b53ae2844d502f0a5d7c2
SHA143509a0719409190eb27e962d07b8099258cc816
SHA2567082302ceee9e84632ae16a2e3b44747e24424748086f522b6303e4bca9e4948
SHA5126c63acc37f3ab9dfa66d0d44f8edb0b2ea71a7224055936e5db2e64eb8a037bbea8aeb16b4f3182e4ff40fb8fc786346be0fd82ac51ba874431b08f0de5990c4
-
MD5
79112cb6a47b53ae2844d502f0a5d7c2
SHA143509a0719409190eb27e962d07b8099258cc816
SHA2567082302ceee9e84632ae16a2e3b44747e24424748086f522b6303e4bca9e4948
SHA5126c63acc37f3ab9dfa66d0d44f8edb0b2ea71a7224055936e5db2e64eb8a037bbea8aeb16b4f3182e4ff40fb8fc786346be0fd82ac51ba874431b08f0de5990c4
-
MD5
79112cb6a47b53ae2844d502f0a5d7c2
SHA143509a0719409190eb27e962d07b8099258cc816
SHA2567082302ceee9e84632ae16a2e3b44747e24424748086f522b6303e4bca9e4948
SHA5126c63acc37f3ab9dfa66d0d44f8edb0b2ea71a7224055936e5db2e64eb8a037bbea8aeb16b4f3182e4ff40fb8fc786346be0fd82ac51ba874431b08f0de5990c4
-
MD5
79112cb6a47b53ae2844d502f0a5d7c2
SHA143509a0719409190eb27e962d07b8099258cc816
SHA2567082302ceee9e84632ae16a2e3b44747e24424748086f522b6303e4bca9e4948
SHA5126c63acc37f3ab9dfa66d0d44f8edb0b2ea71a7224055936e5db2e64eb8a037bbea8aeb16b4f3182e4ff40fb8fc786346be0fd82ac51ba874431b08f0de5990c4
-
MD5
79112cb6a47b53ae2844d502f0a5d7c2
SHA143509a0719409190eb27e962d07b8099258cc816
SHA2567082302ceee9e84632ae16a2e3b44747e24424748086f522b6303e4bca9e4948
SHA5126c63acc37f3ab9dfa66d0d44f8edb0b2ea71a7224055936e5db2e64eb8a037bbea8aeb16b4f3182e4ff40fb8fc786346be0fd82ac51ba874431b08f0de5990c4
-
MD5
424bf196deaeb4ddcafb78e137fa560a
SHA1007738e9486c904a3115daa6e8ba2ee692af58c8
SHA2560963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797
-
MD5
424bf196deaeb4ddcafb78e137fa560a
SHA1007738e9486c904a3115daa6e8ba2ee692af58c8
SHA2560963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797
-
MD5
424bf196deaeb4ddcafb78e137fa560a
SHA1007738e9486c904a3115daa6e8ba2ee692af58c8
SHA2560963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797
-
MD5
245599d3047f622e6906f226f886bd86
SHA1e49c9221a8d03125c0a772458cb1a8aac42775f9
SHA2569abba50fcc018d58668c3f9c5deed71b3d4e41f53380a0a6eb8e37e87390d9c9
SHA5128dee7b8dfd13fbebda26c962b00382dc86e2446d0e7a9a124d30016cdc18553a5c14ff8f946352bae322684f5a7c7e980372be991585fcc4267e944ca940a065
-
MD5
245599d3047f622e6906f226f886bd86
SHA1e49c9221a8d03125c0a772458cb1a8aac42775f9
SHA2569abba50fcc018d58668c3f9c5deed71b3d4e41f53380a0a6eb8e37e87390d9c9
SHA5128dee7b8dfd13fbebda26c962b00382dc86e2446d0e7a9a124d30016cdc18553a5c14ff8f946352bae322684f5a7c7e980372be991585fcc4267e944ca940a065
-
MD5
245599d3047f622e6906f226f886bd86
SHA1e49c9221a8d03125c0a772458cb1a8aac42775f9
SHA2569abba50fcc018d58668c3f9c5deed71b3d4e41f53380a0a6eb8e37e87390d9c9
SHA5128dee7b8dfd13fbebda26c962b00382dc86e2446d0e7a9a124d30016cdc18553a5c14ff8f946352bae322684f5a7c7e980372be991585fcc4267e944ca940a065
-
MD5
245599d3047f622e6906f226f886bd86
SHA1e49c9221a8d03125c0a772458cb1a8aac42775f9
SHA2569abba50fcc018d58668c3f9c5deed71b3d4e41f53380a0a6eb8e37e87390d9c9
SHA5128dee7b8dfd13fbebda26c962b00382dc86e2446d0e7a9a124d30016cdc18553a5c14ff8f946352bae322684f5a7c7e980372be991585fcc4267e944ca940a065
-
MD5
c3256800dce47c14acc83ccca4c3e2ac
SHA19d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA5126865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25