ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-en-20211208
submitted
09-03-2022 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe
Size

1.7MB
MD5

b0338e58388c9040a0f88d0f44ef3714
SHA1

7e664c348735efed508666fec173bb17fa8025f8
SHA256

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b
SHA512

b5d52004d648da1ea0973186281b0cf34a8bee04f10bcce14e6ebc231ff768d0dc37fe2b3e231cb6dfd8b8f9cf6f2af0fb2ec65d860473a2cbd2a5672aedd899

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

Echelonyes.sfx.exeEchelonyes.exeDecoder.exesystems32.exe

pid process

1872 Echelonyes.sfx.exe
1548 Echelonyes.exe
748 Decoder.exe
68748 systems32.exe

pid	process
1872	Echelonyes.sfx.exe
1548	Echelonyes.exe
748	Decoder.exe
68748	systems32.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Echelonyes.exe	vmprotect
\Users\Admin\AppData\Local\Temp\Echelonyes.exe	vmprotect
\Users\Admin\AppData\Local\Temp\Echelonyes.exe	vmprotect
\Users\Admin\AppData\Local\Temp\Echelonyes.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe	vmprotect
behavioral1/memory/1548-70-0x0000000001170000-0x0000000001426000-memory.dmp	vmprotect

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Loads dropped DLL 5 IoCs

Processes:

cmd.exeEchelonyes.sfx.exe

pid process

1296 cmd.exe
1872 Echelonyes.sfx.exe
1872 Echelonyes.sfx.exe
1872 Echelonyes.sfx.exe
1872 Echelonyes.sfx.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
4 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

592 schtasks.exe
68812 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

808 timeout.exe
1244 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

748 Decoder.exe
68748 systems32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Echelonyes.exeDecoder.exesystems32.exe

description pid process

Token: SeDebugPrivilege 1548 Echelonyes.exe
Token: SeDebugPrivilege 748 Decoder.exe
Token: SeDebugPrivilege 68748 systems32.exe

pid	process
1296	cmd.exe
1872	Echelonyes.sfx.exe
1872	Echelonyes.sfx.exe
1872	Echelonyes.sfx.exe
1872	Echelonyes.sfx.exe

flow	ioc
5	api.ipify.org
4	api.ipify.org

pid	process
592	schtasks.exe
68812	schtasks.exe

pid	process
808	timeout.exe
1244	timeout.exe

pid	process
748	Decoder.exe
68748	systems32.exe

description	pid	process
Token: SeDebugPrivilege	1548	Echelonyes.exe
Token: SeDebugPrivilege	748	Decoder.exe
Token: SeDebugPrivilege	68748	systems32.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exeWScript.execmd.exeEchelonyes.sfx.exeEchelonyes.execmd.execmd.exeDecoder.exetaskeng.exesystems32.exe

description	pid	process	target process
PID 1620 wrote to memory of 1780	1620	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	WScript.exe
PID 1620 wrote to memory of 1780	1620	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	WScript.exe
PID 1620 wrote to memory of 1780	1620	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	WScript.exe
PID 1620 wrote to memory of 1780	1620	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	WScript.exe
PID 1780 wrote to memory of 1296	1780	WScript.exe	cmd.exe
PID 1780 wrote to memory of 1296	1780	WScript.exe	cmd.exe
PID 1780 wrote to memory of 1296	1780	WScript.exe	cmd.exe
PID 1780 wrote to memory of 1296	1780	WScript.exe	cmd.exe
PID 1296 wrote to memory of 1872	1296	cmd.exe	Echelonyes.sfx.exe
PID 1296 wrote to memory of 1872	1296	cmd.exe	Echelonyes.sfx.exe
PID 1296 wrote to memory of 1872	1296	cmd.exe	Echelonyes.sfx.exe
PID 1296 wrote to memory of 1872	1296	cmd.exe	Echelonyes.sfx.exe
PID 1872 wrote to memory of 1548	1872	Echelonyes.sfx.exe	Echelonyes.exe
PID 1872 wrote to memory of 1548	1872	Echelonyes.sfx.exe	Echelonyes.exe
PID 1872 wrote to memory of 1548	1872	Echelonyes.sfx.exe	Echelonyes.exe
PID 1872 wrote to memory of 1548	1872	Echelonyes.sfx.exe	Echelonyes.exe
PID 1548 wrote to memory of 748	1548	Echelonyes.exe	Decoder.exe
PID 1548 wrote to memory of 748	1548	Echelonyes.exe	Decoder.exe
PID 1548 wrote to memory of 748	1548	Echelonyes.exe	Decoder.exe
PID 1548 wrote to memory of 764	1548	Echelonyes.exe	cmd.exe
PID 1548 wrote to memory of 764	1548	Echelonyes.exe	cmd.exe
PID 1548 wrote to memory of 764	1548	Echelonyes.exe	cmd.exe
PID 1548 wrote to memory of 560	1548	Echelonyes.exe	cmd.exe
PID 1548 wrote to memory of 560	1548	Echelonyes.exe	cmd.exe
PID 1548 wrote to memory of 560	1548	Echelonyes.exe	cmd.exe
PID 764 wrote to memory of 1244	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1244	764	cmd.exe	timeout.exe
PID 764 wrote to memory of 1244	764	cmd.exe	timeout.exe
PID 560 wrote to memory of 808	560	cmd.exe	timeout.exe
PID 560 wrote to memory of 808	560	cmd.exe	timeout.exe
PID 560 wrote to memory of 808	560	cmd.exe	timeout.exe
PID 748 wrote to memory of 592	748	Decoder.exe	schtasks.exe
PID 748 wrote to memory of 592	748	Decoder.exe	schtasks.exe
PID 748 wrote to memory of 592	748	Decoder.exe	schtasks.exe
PID 66636 wrote to memory of 68748	66636	taskeng.exe	systems32.exe
PID 66636 wrote to memory of 68748	66636	taskeng.exe	systems32.exe
PID 66636 wrote to memory of 68748	66636	taskeng.exe	systems32.exe
PID 68748 wrote to memory of 68812	68748	systems32.exe	schtasks.exe
PID 68748 wrote to memory of 68812	68748	systems32.exe	schtasks.exe
PID 68748 wrote to memory of 68812	68748	systems32.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe
"C:\Users\Admin\AppData\Local\Temp\ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bat.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
Echelonyes.sfx.exe -pMgXwXO}F -dC:\Users\Admin\AppData\Local\Temp
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe
"C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
6⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
7⤵
- Creates scheduled task(s)
PID:592

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
6⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\timeout.exe
timeout 4
7⤵
- Delays execution with timeout.exe
PID:1244

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D82.tmp.cmd""
6⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\system32\timeout.exe
timeout 4
7⤵
- Delays execution with timeout.exe
PID:808

C:\Windows\system32\taskeng.exe
taskeng.exe {AF1149C1-CB6F-475F-B754-2362DBEB4B0B} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:66636

C:\systems32_bit\systems32.exe
\systems32_bit\systems32.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:68748

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:68812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\ProgramData\Decoder.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe
MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe
MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
MD5
379c4da3d182dc8adbc5df1f0dbde542

SHA1
7b43213139780da48b2d36430d664f09c0568faf

SHA256
080fdedd00b6d9b82fd6c758591cac8c4c53ce4994cfd127eecbffdc74cccbc0

SHA512
7f55ba9a1296534743805abe8210d1649696f0361d9c35fe61d72c7e3e51e17dcc6b6e3ebaf4f4385a8b0777ad933ffd8d47ed37e786fdf90404750c6b7d0d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
MD5
379c4da3d182dc8adbc5df1f0dbde542

SHA1
7b43213139780da48b2d36430d664f09c0568faf

SHA256
080fdedd00b6d9b82fd6c758591cac8c4c53ce4994cfd127eecbffdc74cccbc0

SHA512
7f55ba9a1296534743805abe8210d1649696f0361d9c35fe61d72c7e3e51e17dcc6b6e3ebaf4f4385a8b0777ad933ffd8d47ed37e786fdf90404750c6b7d0d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat
MD5
bfcc1b768af96c396d04795313972815

SHA1
26a9be4a505b98beacc0291c9ec43de739568444

SHA256
858c103ed517819c917bd859da7c0664cab0a6d5d868d7381aa7091ebbe6c240

SHA512
eabcfed61407fe3e350aeb7ba5a2948647747970da6cbe62f5ed3b12138f4924dbcd8036d69c88669031a6cc82a88dfe14c8d39906309d74a237e86daf753921

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D82.tmp.cmd
MD5
27bdb4f7ed9a40b4d28131c51352993d

SHA1
cdb8c8398f3a6dbc1ab1b591d73c554f8c958bd4

SHA256
66b5a190ff11dff09c0b787a5d865e0bf3fef14e3cfac30e9978e84652066734

SHA512
fea27308a2192fff37ff9b7b99ee278a2a05bfc9fdfc8731a760944c1f6835f2b9b92981cd8579d8451e9f9390ab1514109d629d61e363092cd6e9c0674c213e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs
MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
C:\systems32_bit\systems32.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\systems32_bit\systems32.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
\Users\Admin\AppData\Local\Temp\Echelonyes.exe
MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
\Users\Admin\AppData\Local\Temp\Echelonyes.exe
MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
\Users\Admin\AppData\Local\Temp\Echelonyes.exe
MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
\Users\Admin\AppData\Local\Temp\Echelonyes.exe
MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
MD5
379c4da3d182dc8adbc5df1f0dbde542

SHA1
7b43213139780da48b2d36430d664f09c0568faf

SHA256
080fdedd00b6d9b82fd6c758591cac8c4c53ce4994cfd127eecbffdc74cccbc0

SHA512
7f55ba9a1296534743805abe8210d1649696f0361d9c35fe61d72c7e3e51e17dcc6b6e3ebaf4f4385a8b0777ad933ffd8d47ed37e786fdf90404750c6b7d0d8b

Download Submit
memory/748-79-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/748-83-0x000000001B9A0000-0x000000001B9A2000-memory.dmp

Filesize
8KB

Download
memory/748-82-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-69-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-70-0x0000000001170000-0x0000000001426000-memory.dmp

Filesize
2.7MB

Download
memory/1548-74-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1548-73-0x000000001B820000-0x000000001B822000-memory.dmp

Filesize
8KB

Download
memory/1548-75-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1548-76-0x0000000000C20000-0x0000000000C96000-memory.dmp

Filesize
472KB

Download
memory/1620-55-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/68748-86-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/68748-88-0x000000001BE50000-0x000000001BE52000-memory.dmp

Filesize
8KB

Download
memory/68748-87-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download