Analysis
- max time kernel: 148s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-03-2022 06:11
Static task: static1
Behavioral task: behavioral1
- Sample: be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe
- Resource: win10v2004-en-20220113
General
- Target: be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe
- Size: 2.3MB
- MD5: 33457a5418912781388994b3d6380669
- SHA1: afb62f3fa4d7a5f08066e16160b567842e9321f3
- SHA256: be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702
- SHA512: 172b1f756c23d9455935f5f1a4e6f060b85485fae6f89a83a077106a5769dc4dbc69c98a119d5e5f9c40c8532dcfda2cafdb70599019bcf1d413d41e853c0844
Malware Config
Signatures
- Echelon log file (1 IoC)
  Detects a log file produced by Echelon.
  Processes:
  - yara_rule: echelon_log_file
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 2524: images.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe: Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  - images.exe: Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - images.exe: Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - images.exe: Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 19: api.ipify.org
  - flow 20: ip-api.com
  - flow 18: api.ipify.org
- Suspicious use of NtSetInformationThreadHideFromDebugger (23 IoCs)
  Processes:
  - pid 2524: images.exe (23 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
  - pid 2976: WerFault.exe, pid_target 2524, procid_target 79
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes:
  - pid 2524: images.exe (19 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - pid 2524: images.exe, Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - pid 2524: images.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 1820 (be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe) wrote to memory of 2524, procid_target 79 (3 occurrences)
- outlook_office_path (1 IoC)
  Processes:
  - images.exe: Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Processes:
  - images.exe: Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe (PID 1820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\Downloads\images.exe (PID 2524)
    Command line: "C:\Users\Public\Downloads\images.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe (PID 2976)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 2588
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1796)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2524 -ip 2524
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3f7049b2c628eac94f17629f3e7d5830
- SHA1: 61ad825e39e19472d06a3080367a858e18187d05
- SHA256: af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7
- SHA512: 6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff