37b659aa22473d3c2c8d94a2f83735a3e849fa148955401751e9a28963171320

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-02-2023 15:21

Target

Echelon.exe
Size

582KB
MD5

be7fb27a2d8fe2dcb1573590373ccab7
SHA1

1f97541db03a96f28c786e99ee40d8da1a2035fd
SHA256

37b659aa22473d3c2c8d94a2f83735a3e849fa148955401751e9a28963171320
SHA512

209d24bb976d671755bf3cdfffdc9d28d2f7c2fd372d3dd6e1a2fdcb537a50ddfd296a661b3627652d945317b0c211d46b569235897a010bac77aea97de28605
SSDEEP

12288:Ha4ne0dXFMetm3aC33ZLJLUf9snBS4csPYae6qfzFAA:T5I33hhUF54clNf7FB

Score

6^/10

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	api.ipify.org
4	api.ipify.org

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1456	1088	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Echelon.exe

description	pid	Process
Token: SeDebugPrivilege	1088	Echelon.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Echelon.exe

description	pid	Process	procid_target
PID 1088 wrote to memory of 1456	1088	Echelon.exe	29
PID 1088 wrote to memory of 1456	1088	Echelon.exe	29
PID 1088 wrote to memory of 1456	1088	Echelon.exe	29

C:\Users\Admin\AppData\Local\Temp\Echelon.exe
"C:\Users\Admin\AppData\Local\Temp\Echelon.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1088 -s 1324
  2⤵
  - Program crash
  PID:1456

memory/1088-54-0x0000000000E60000-0x0000000000EF8000-memory.dmp

Filesize
608KB

Download
memory/1088-55-0x000000001AAD0000-0x000000001AB50000-memory.dmp

Filesize
512KB

Download
memory/1088-56-0x000000001AAD0000-0x000000001AB50000-memory.dmp

Filesize
512KB

Download