ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-en-20211208
submitted
09-03-2022 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe
Size

1.7MB
MD5

b0338e58388c9040a0f88d0f44ef3714
SHA1

7e664c348735efed508666fec173bb17fa8025f8
SHA256

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b
SHA512

b5d52004d648da1ea0973186281b0cf34a8bee04f10bcce14e6ebc231ff768d0dc37fe2b3e231cb6dfd8b8f9cf6f2af0fb2ec65d860473a2cbd2a5672aedd899

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

Echelonyes.sfx.exeEchelonyes.exeDecoder.exesystems32.exe

pid	Process
1872	Echelonyes.sfx.exe
1548	Echelonyes.exe
748	Decoder.exe
68748	systems32.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/files/0x0008000000012201-63.dat	vmprotect
behavioral1/files/0x0008000000012201-66.dat	vmprotect
behavioral1/files/0x0008000000012201-65.dat	vmprotect
behavioral1/files/0x0008000000012201-64.dat	vmprotect
behavioral1/files/0x0008000000012201-67.dat	vmprotect
behavioral1/files/0x0008000000012201-68.dat	vmprotect
behavioral1/memory/1548-70-0x0000000001170000-0x0000000001426000-memory.dmp	vmprotect

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Loads dropped DLL 5 IoCs

Processes:

cmd.exeEchelonyes.sfx.exe

pid	Process
1296	cmd.exe
1872	Echelonyes.sfx.exe
1872	Echelonyes.sfx.exe
1872	Echelonyes.sfx.exe
1872	Echelonyes.sfx.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
5	api.ipify.org
4	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
592	schtasks.exe
68812	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

Processes:

timeout.exetimeout.exe

pid	Process
808	timeout.exe
1244	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Decoder.exesystems32.exe

pid	Process
748	Decoder.exe
68748	systems32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Echelonyes.exeDecoder.exesystems32.exe

description	pid	Process
Token: SeDebugPrivilege	1548	Echelonyes.exe
Token: SeDebugPrivilege	748	Decoder.exe
Token: SeDebugPrivilege	68748	systems32.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exeWScript.execmd.exeEchelonyes.sfx.exeEchelonyes.execmd.execmd.exeDecoder.exetaskeng.exesystems32.exe

description	pid	Process	procid_target
PID 1620 wrote to memory of 1780	1620	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	27
PID 1620 wrote to memory of 1780	1620	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	27
PID 1620 wrote to memory of 1780	1620	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	27
PID 1620 wrote to memory of 1780	1620	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	27
PID 1780 wrote to memory of 1296	1780	WScript.exe	28
PID 1780 wrote to memory of 1296	1780	WScript.exe	28
PID 1780 wrote to memory of 1296	1780	WScript.exe	28
PID 1780 wrote to memory of 1296	1780	WScript.exe	28
PID 1296 wrote to memory of 1872	1296	cmd.exe	30
PID 1296 wrote to memory of 1872	1296	cmd.exe	30
PID 1296 wrote to memory of 1872	1296	cmd.exe	30
PID 1296 wrote to memory of 1872	1296	cmd.exe	30
PID 1872 wrote to memory of 1548	1872	Echelonyes.sfx.exe	31
PID 1872 wrote to memory of 1548	1872	Echelonyes.sfx.exe	31
PID 1872 wrote to memory of 1548	1872	Echelonyes.sfx.exe	31
PID 1872 wrote to memory of 1548	1872	Echelonyes.sfx.exe	31
PID 1548 wrote to memory of 748	1548	Echelonyes.exe	33
PID 1548 wrote to memory of 748	1548	Echelonyes.exe	33
PID 1548 wrote to memory of 748	1548	Echelonyes.exe	33
PID 1548 wrote to memory of 764	1548	Echelonyes.exe	34
PID 1548 wrote to memory of 764	1548	Echelonyes.exe	34
PID 1548 wrote to memory of 764	1548	Echelonyes.exe	34
PID 1548 wrote to memory of 560	1548	Echelonyes.exe	35
PID 1548 wrote to memory of 560	1548	Echelonyes.exe	35
PID 1548 wrote to memory of 560	1548	Echelonyes.exe	35
PID 764 wrote to memory of 1244	764	cmd.exe	39
PID 764 wrote to memory of 1244	764	cmd.exe	39
PID 764 wrote to memory of 1244	764	cmd.exe	39
PID 560 wrote to memory of 808	560	cmd.exe	38
PID 560 wrote to memory of 808	560	cmd.exe	38
PID 560 wrote to memory of 808	560	cmd.exe	38
PID 748 wrote to memory of 592	748	Decoder.exe	40
PID 748 wrote to memory of 592	748	Decoder.exe	40
PID 748 wrote to memory of 592	748	Decoder.exe	40
PID 66636 wrote to memory of 68748	66636	taskeng.exe	43
PID 66636 wrote to memory of 68748	66636	taskeng.exe	43
PID 66636 wrote to memory of 68748	66636	taskeng.exe	43
PID 68748 wrote to memory of 68812	68748	systems32.exe	44
PID 68748 wrote to memory of 68812	68748	systems32.exe	44
PID 68748 wrote to memory of 68812	68748	systems32.exe	44

C:\Users\Admin\AppData\Local\Temp\ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe
"C:\Users\Admin\AppData\Local\Temp\ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bat.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
      Echelonyes.sfx.exe -pMgXwXO}F -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\ProgramData\Decoder.exe
        
        "C:\ProgramData\Decoder.exe"
        6⤵
        Executes dropped EXE
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
        7⤵
        Creates scheduled task(s)
        
        PID:592
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\system32\timeout.exe
        
        timeout 4
        7⤵
        Delays execution with timeout.exe
        
        PID:1244
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D82.tmp.cmd""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\system32\timeout.exe
        
        timeout 4
        7⤵
        Delays execution with timeout.exe
        
        PID:808

C:\Windows\system32\taskeng.exe
taskeng.exe {AF1149C1-CB6F-475F-B754-2362DBEB4B0B} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:66636
- C:\systems32_bit\systems32.exe
  \systems32_bit\systems32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:68748
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:68812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\ProgramData\Decoder.exe

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe

MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe

MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe

MD5
379c4da3d182dc8adbc5df1f0dbde542

SHA1
7b43213139780da48b2d36430d664f09c0568faf

SHA256
080fdedd00b6d9b82fd6c758591cac8c4c53ce4994cfd127eecbffdc74cccbc0

SHA512
7f55ba9a1296534743805abe8210d1649696f0361d9c35fe61d72c7e3e51e17dcc6b6e3ebaf4f4385a8b0777ad933ffd8d47ed37e786fdf90404750c6b7d0d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe

MD5
379c4da3d182dc8adbc5df1f0dbde542

SHA1
7b43213139780da48b2d36430d664f09c0568faf

SHA256
080fdedd00b6d9b82fd6c758591cac8c4c53ce4994cfd127eecbffdc74cccbc0

SHA512
7f55ba9a1296534743805abe8210d1649696f0361d9c35fe61d72c7e3e51e17dcc6b6e3ebaf4f4385a8b0777ad933ffd8d47ed37e786fdf90404750c6b7d0d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat

MD5
bfcc1b768af96c396d04795313972815

SHA1
26a9be4a505b98beacc0291c9ec43de739568444

SHA256
858c103ed517819c917bd859da7c0664cab0a6d5d868d7381aa7091ebbe6c240

SHA512
eabcfed61407fe3e350aeb7ba5a2948647747970da6cbe62f5ed3b12138f4924dbcd8036d69c88669031a6cc82a88dfe14c8d39906309d74a237e86daf753921

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D82.tmp.cmd

MD5
27bdb4f7ed9a40b4d28131c51352993d

SHA1
cdb8c8398f3a6dbc1ab1b591d73c554f8c958bd4

SHA256
66b5a190ff11dff09c0b787a5d865e0bf3fef14e3cfac30e9978e84652066734

SHA512
fea27308a2192fff37ff9b7b99ee278a2a05bfc9fdfc8731a760944c1f6835f2b9b92981cd8579d8451e9f9390ab1514109d629d61e363092cd6e9c0674c213e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
C:\systems32_bit\systems32.exe

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\systems32_bit\systems32.exe

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
\Users\Admin\AppData\Local\Temp\Echelonyes.exe

MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
\Users\Admin\AppData\Local\Temp\Echelonyes.exe

MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
\Users\Admin\AppData\Local\Temp\Echelonyes.exe

MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
\Users\Admin\AppData\Local\Temp\Echelonyes.exe

MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe

MD5
379c4da3d182dc8adbc5df1f0dbde542

SHA1
7b43213139780da48b2d36430d664f09c0568faf

SHA256
080fdedd00b6d9b82fd6c758591cac8c4c53ce4994cfd127eecbffdc74cccbc0

SHA512
7f55ba9a1296534743805abe8210d1649696f0361d9c35fe61d72c7e3e51e17dcc6b6e3ebaf4f4385a8b0777ad933ffd8d47ed37e786fdf90404750c6b7d0d8b

Download Submit
memory/748-79-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/748-83-0x000000001B9A0000-0x000000001B9A2000-memory.dmp

Filesize
8KB

Download
memory/748-82-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-69-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-70-0x0000000001170000-0x0000000001426000-memory.dmp

Filesize
2.7MB

Download
memory/1548-74-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1548-73-0x000000001B820000-0x000000001B822000-memory.dmp

Filesize
8KB

Download
memory/1548-75-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1548-76-0x0000000000C20000-0x0000000000C96000-memory.dmp

Filesize
472KB

Download
memory/1620-55-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/68748-86-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/68748-88-0x000000001BE50000-0x000000001BE52000-memory.dmp

Filesize
8KB

Download
memory/68748-87-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download