Analysis
-
max time kernel
121s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
03-05-2022 19:19
General
-
Target
729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe
-
Size
1.7MB
-
MD5
caea94dab0c8720bd97447d7f9e1ecb8
-
SHA1
f3eb2519d75901b6c8fc6107bd354b013e6a0b71
-
SHA256
729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6
-
SHA512
7752ae0ca4cece6e444af17c50c5cd2226f4c051674286529bf23c4e9f540455e54d969ab2988a7c580beb88be515bf59494b81516a3f9faafe6514123f9ecdb
Malware Config
Signatures
-
Darkstealer
Darkstealer is a file grabber, data stealer, and RAT.
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Echelon - DarkStealer Fork 2 IoCs
Payload resembles modified variant of Echelon Stealer called DarkStealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe"C:\Users\Admin\AppData\Local\Temp\729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe"1⤵
- Identifies Wine through registry keys
- Accesses Microsoft Outlook profiles
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 19842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3452 -ip 34521⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3452-130-0x0000000077620000-0x00000000777C3000-memory.dmpFilesize
1.6MB
-
memory/3452-131-0x0000000000400000-0x00000000007B2000-memory.dmpFilesize
3.7MB
-
memory/3452-132-0x0000000000400000-0x00000000007B2000-memory.dmpFilesize
3.7MB
-
memory/3452-133-0x0000000004D60000-0x0000000004DC6000-memory.dmpFilesize
408KB
-
memory/3452-134-0x00000000055D0000-0x000000000566C000-memory.dmpFilesize
624KB
-
memory/3452-135-0x00000000056A0000-0x0000000005732000-memory.dmpFilesize
584KB
-
memory/3452-136-0x0000000005760000-0x0000000005D04000-memory.dmpFilesize
5.6MB