Analysis

  • max time kernel
    117s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    20-03-2022 01:59

General

  • Target

    d117bb94ace706283addab84a8c3fcd5b93591fc527f0664299dcefabc2a90d3.exe

  • Size

    2.4MB

  • MD5

    2ce52a25ec3c74b4a0608e8d0fdec0ff

  • SHA1

    d60c64e1333c214db1b37b3d706e10bbc794c3af

  • SHA256

    d117bb94ace706283addab84a8c3fcd5b93591fc527f0664299dcefabc2a90d3

  • SHA512

    9d90b5b6b2b599b791ee938786879cd27fb491878316292fa0e15d34d62060fd717a49bcbc2aa0079d74af053cb452cb82c83f535ce8cc0e871ca1e776fa8397

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d117bb94ace706283addab84a8c3fcd5b93591fc527f0664299dcefabc2a90d3.exe
    "C:\Users\Admin\AppData\Local\Temp\d117bb94ace706283addab84a8c3fcd5b93591fc527f0664299dcefabc2a90d3.exe"
    1⤵
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Accesses Microsoft Outlook profiles
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1808
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 2060
      2⤵
      • Program crash
      PID:2620
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 2060
      2⤵
      • Program crash
      PID:3888
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1808 -ip 1808
    1⤵
    PID:3440

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1808-134-0x0000000077270000-0x0000000077413000-memory.dmp (Filesize: 1.6MB)
  • memory/1808-135-0x0000000000110000-0x0000000000768000-memory.dmp (Filesize: 6.3MB)
  • memory/1808-136-0x0000000000110000-0x0000000000768000-memory.dmp (Filesize: 6.3MB)
  • memory/1808-137-0x0000000005430000-0x0000000005496000-memory.dmp (Filesize: 408KB)
  • memory/1808-138-0x00000000740E0000-0x0000000074890000-memory.dmp (Filesize: 7.7MB)
  • memory/1808-139-0x0000000005700000-0x0000000005701000-memory.dmp (Filesize: 4KB)
  • memory/1808-140-0x00000000060E0000-0x0000000006684000-memory.dmp (Filesize: 5.6MB)
  • memory/1808-141-0x0000000005703000-0x0000000005705000-memory.dmp (Filesize: 8KB)
  • memory/1808-142-0x0000000005705000-0x0000000005706000-memory.dmp (Filesize: 4KB)
  • memory/1808-143-0x0000000005706000-0x0000000005707000-memory.dmp (Filesize: 4KB)
  • memory/1808-144-0x0000000005707000-0x0000000005708000-memory.dmp (Filesize: 4KB)
  • memory/1808-145-0x0000000005709000-0x000000000570F000-memory.dmp (Filesize: 24KB)
  • memory/1808-146-0x0000000006E30000-0x0000000006EC2000-memory.dmp (Filesize: 584KB)
  • memory/1808-147-0x00000000070B0000-0x000000000714C000-memory.dmp (Filesize: 624KB)