Analysis
max time kernel: 294s
max time network: 298s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 24-02-2022 03:02
Static task: static1
General
Target: main_setup.exe
Size: 873KB
MD5: d373f2439a302ef03640bb043906e29c
SHA1: 2c2a47b939f08942b40c98d6af02516adcea1053
SHA256: e0706917bcf1faa84a513753f7fe0af1c8738b0495af938d55134ba5d2ac2f74
SHA512: 9de3d0f0e9467d13fbfac31095d87a30930b69ef9bc45a7400968fe0be1946c86ab59047b0155440fd94607f8783dbb70ebb8ba5c2f5e858b9fca7d7978898a3
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes (pid / process):
2972 Ecco.exe.pif
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | main_setup.exe
-
Loads dropped DLL 7 IoCs
Processes (pid / process; the same entry is recorded 7 times):
2972 Ecco.exe.pif
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Ecco.exe.pif
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Ecco.exe.pif
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes (pid / process):
4524 tasklist.exe
4612 tasklist.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
Token: SeDebugPrivilege | 4524 | tasklist.exe
Token: SeDebugPrivilege | 4612 | tasklist.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes (pid / process; the same entry is recorded 3 times):
2972 Ecco.exe.pif
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes (pid / process; the same entry is recorded 3 times):
2972 Ecco.exe.pif
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes (description / pid / process / target process; each write is recorded 3 times, 9 distinct writes):
PID 2996 wrote to memory of 4940 | 2996 | main_setup.exe | cmd.exe
PID 4940 wrote to memory of 4580 | 4940 | cmd.exe | cmd.exe
PID 4580 wrote to memory of 4524 | 4580 | cmd.exe | tasklist.exe
PID 4580 wrote to memory of 2068 | 4580 | cmd.exe | find.exe
PID 4580 wrote to memory of 4612 | 4580 | cmd.exe | tasklist.exe
PID 4580 wrote to memory of 3424 | 4580 | cmd.exe | find.exe
PID 4580 wrote to memory of 4740 | 4580 | cmd.exe | findstr.exe
PID 4580 wrote to memory of 2972 | 4580 | cmd.exe | Ecco.exe.pif
PID 4580 wrote to memory of 856 | 4580 | cmd.exe | waitfor.exe
Processes (process tree, indented by depth; each entry gives the image path, the command line, and the signatures triggered)
-
C:\Users\Admin\AppData\Local\Temp\main_setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\main_setup.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c cmd < Dall.pps
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist /FI "imagename eq BullGuardCore.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      -
      C:\Windows\SysWOW64\find.exe
        command line: find /I /N "bullguardcore.exe"
      -
      C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist /FI "imagename eq PSUAService.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      -
      C:\Windows\SysWOW64\find.exe
        command line: find /I /N "psuaservice.exe"
      -
      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V /R "^hrwRffsQFVtvUDIIPAKkrbATJdxXuJRBKzGOhowKIjsHhjniNHxpasjPDioYUzJWrDMBWTcGmZCRuSGvSjlmfIozuQlyqePfCcDKmX$" Statuette.pps
      -
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ecco.exe.pif
        command line: Ecco.exe.pif G
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
      -
      C:\Windows\SysWOW64\waitfor.exe
        command line: waitfor /t 5 usjlovQBzGCQSPipLLLawbxjzDpj
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dall.pps
MD5: 63d3f2e39d6e2f3e147124555d560eca
SHA1: a9a1688a8c8fc26c2a9167f695643ce5dda00b05
SHA256: c221726eeef877b4d494f39308cf7d4ee661b6c28da724fc586575c5486b2382
SHA512: b9eb5372fef4adc17a2658bbebc3413f6aeecfec1dd4c62406fd31b610a91889f04e18e4dc6da01591662bd9eade423699c1561bb39ab48c4e95a4c17b622137
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ecco.exe.pif
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gocce.pps
MD5: a6eddad1df98c48f022c3c06bdfdf9f3
SHA1: 67bcaa8a762f639448268408716903e6c669fb9b
SHA256: d06a33683e726f9b90acf817ac4b0430c4d3c7aa31eaa8c66370e256951fe6c5
SHA512: b3c2ced58c90abfb9bcd9585a815d001502db930aa2fe93a8e965fe81f779ebac34e8c133ab5c4bb562182cf81b5d8da8320f3721c4636649263831c558fb37d
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Statuette.pps
MD5: d5a27f2f79bd983140a0669d13dd1716
SHA1: de43a8f8154cd2e13e689d49a32a52c893a5bfa4
SHA256: 69574d0fcaf701c4d2e12c155b5f633e916c10f4a969c2e99375bf9297c2835b
SHA512: 7acfedb525cfddeadbc3ed65049054f0074d3e25739d3a497befb996ca520f158e651454450c0bd30f30a9fdfd08eeaf7e1ea9878f695e348a8826170c2cd595
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gWXVwdhBXPE.dll
MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1: e16506f662dc92023bf82def1d621497c8ab5890
SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
memory/2972-139-0x00000000005B0000-0x00000000005B1000-memory.dmp
Filesize: 4KB
-
memory/2972-143-0x0000000004551000-0x0000000004558000-memory.dmp
Filesize: 28KB