Analysis
-
max time kernel
84s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
08-04-2023 07:05
Static task
static1
Behavioral task
behavioral1
Sample
9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe
Resource
win10v2004-20230220-en
General
-
Target
9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe
-
Size
2.6MB
-
MD5
7615de772c95e664bd7cdb315205a143
-
SHA1
e5491ee6f2d7d63953d5ea601ef307d26188afaf
-
SHA256
9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea
-
SHA512
0b640cbca39b7955a1b724e6b2ec30a6d899d1401c670f0bfc4955b98797bce01fa1dd11c1777e57137f0c4e1e45022eabe1a430327759b1c48aa070d2b95334
-
SSDEEP
49152:sB41RPvlrEPdZp32cJ0nxoEXLlivMXfDVOwxlBxj6xIAX:G8PvEnzJhEXZGMXfDVhHBgIg
Malware Config
Signatures
-
Detects Echelon Stealer payload 4 IoCs
Processes:
resource yara_rule behavioral2/files/0x000500000001db45-178.dat family_echelon behavioral2/files/0x000500000001db45-186.dat family_echelon behavioral2/files/0x000500000001db45-185.dat family_echelon behavioral2/memory/4584-187-0x000002734DC30000-0x000002734DCF8000-memory.dmp family_echelon -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exeEXE1.exeWScript.exeEXE2.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation 9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation EXE1.exe Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation EXE2.exe -
Drops startup file 1 IoCs
Processes:
3.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1284928.bat 3.exe -
Executes dropped EXE 6 IoCs
Processes:
3.exe4856802.jpegEXE1.exeEXE2.exedefender.exe4.exepid Process 4012 3.exe 620 4856802.jpeg 4164 EXE1.exe 3672 EXE2.exe 3396 defender.exe 4584 4.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
4856802.jpegdescription ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 4856802.jpeg Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4856802.jpeg -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 21 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 1340 4584 WerFault.exe 93 -
Modifies registry class 1 IoCs
Processes:
EXE1.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings EXE1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
4.exedescription pid Process Token: SeDebugPrivilege 4584 4.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe3.exe4856802.jpegEXE1.exeWScript.exeEXE2.exedefender.exedescription pid Process procid_target PID 616 wrote to memory of 4012 616 9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe 84 PID 616 wrote to memory of 4012 616 9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe 84 PID 616 wrote to memory of 4012 616 9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe 84 PID 4012 wrote to memory of 620 4012 3.exe 87 PID 4012 wrote to memory of 620 4012 3.exe 87 PID 620 wrote to memory of 4164 620 4856802.jpeg 88 PID 620 wrote to memory of 4164 620 4856802.jpeg 88 PID 620 wrote to memory of 4164 620 4856802.jpeg 88 PID 4164 wrote to memory of 5008 4164 EXE1.exe 89 PID 4164 wrote to memory of 5008 4164 EXE1.exe 89 PID 4164 wrote to memory of 5008 4164 EXE1.exe 89 PID 620 wrote to memory of 3672 620 4856802.jpeg 90 PID 620 wrote to memory of 3672 620 4856802.jpeg 90 PID 620 wrote to memory of 3672 620 4856802.jpeg 90 PID 5008 wrote to memory of 3396 5008 WScript.exe 91 PID 5008 wrote to memory of 3396 5008 WScript.exe 91 PID 3672 wrote to memory of 4584 3672 EXE2.exe 93 PID 3672 wrote to memory of 4584 3672 EXE2.exe 93 PID 3396 wrote to memory of 4716 3396 defender.exe 94 PID 3396 wrote to memory of 4716 3396 defender.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe"C:\Users\Admin\AppData\Local\Temp\9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Users\Admin\AppData\Roaming\3.exe"C:\Users\Admin\AppData\Roaming\3.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Users\Admin\AppData\Roaming\4856802.jpeg"C:\Users\Admin\AppData\Roaming\4856802.jpeg"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\start.vbs"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Users\Admin\AppData\Roaming\defender.exe"C:\Users\Admin\AppData\Roaming\defender.exe" -a verus -o stratum+tcp://eu.luckpool.net:3960 -u RXYt52ECeUztSRZBvaKxL2VLhzeh35ED4s.RIG -p x -t 46⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls7⤵PID:4716
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE2.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE2.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Users\Admin\AppData\Roaming\4.exe"C:\Users\Admin\AppData\Roaming\4.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4584 -s 11206⤵
- Program crash
PID:1340
-
-
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 188 -p 4584 -ip 45841⤵PID:2032
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD559c26b9bbc70075be49ae7d80e2f5146
SHA1ef75ff7047f26ead38e5647982ae4a4e7204fc60
SHA256d927b4f41513d10671685a8972bc8321ae046596c9d2ca2387d1243be4371db0
SHA512b0fb0aaab5f3d6935a22c9f52264c6ffdbd9859ab98aa1c26d0966351e7cf1e2af6e5a374fa912af1ff7fa12c242836d0493de90d218068e0e20fc515539b50b
-
Filesize
1.5MB
MD559c26b9bbc70075be49ae7d80e2f5146
SHA1ef75ff7047f26ead38e5647982ae4a4e7204fc60
SHA256d927b4f41513d10671685a8972bc8321ae046596c9d2ca2387d1243be4371db0
SHA512b0fb0aaab5f3d6935a22c9f52264c6ffdbd9859ab98aa1c26d0966351e7cf1e2af6e5a374fa912af1ff7fa12c242836d0493de90d218068e0e20fc515539b50b
-
Filesize
1.5MB
MD559c26b9bbc70075be49ae7d80e2f5146
SHA1ef75ff7047f26ead38e5647982ae4a4e7204fc60
SHA256d927b4f41513d10671685a8972bc8321ae046596c9d2ca2387d1243be4371db0
SHA512b0fb0aaab5f3d6935a22c9f52264c6ffdbd9859ab98aa1c26d0966351e7cf1e2af6e5a374fa912af1ff7fa12c242836d0493de90d218068e0e20fc515539b50b
-
Filesize
677KB
MD5070073c57a34b8a5f409d405eb9074fb
SHA156e0cbe08f996ff8c3ae3334b3e711e383f9e142
SHA256eded5497df7c743ee541782b8ffc3317ee456c9077d7106ebf90c0ad5599beba
SHA512de8a73f0bd337bb6f020488469b9700e6b8e0f4f0cfb427734dc379a838986829fef7bf682dd25dd194421898314c7c9678333108d518d24838b26f1aa645e54
-
Filesize
677KB
MD5070073c57a34b8a5f409d405eb9074fb
SHA156e0cbe08f996ff8c3ae3334b3e711e383f9e142
SHA256eded5497df7c743ee541782b8ffc3317ee456c9077d7106ebf90c0ad5599beba
SHA512de8a73f0bd337bb6f020488469b9700e6b8e0f4f0cfb427734dc379a838986829fef7bf682dd25dd194421898314c7c9678333108d518d24838b26f1aa645e54
-
Filesize
5.2MB
MD54bb8922aed2f554aa5457d315a43c760
SHA15a87d57eb5046e96e56e1e43ba818855fe2c053a
SHA256406445e1f73c0cf1fe809e54842ee915694039373b94230a163ef61a7749f2f6
SHA512b866c8f43edcefa6cc4ec2cbcf22cf94b6b45b12815532ac794a6e42b44d65ad8e0d624313829974820325856d86a884dc85d9c4618fd1ff7283db1a3f2be7ac
-
Filesize
5.2MB
MD54bb8922aed2f554aa5457d315a43c760
SHA15a87d57eb5046e96e56e1e43ba818855fe2c053a
SHA256406445e1f73c0cf1fe809e54842ee915694039373b94230a163ef61a7749f2f6
SHA512b866c8f43edcefa6cc4ec2cbcf22cf94b6b45b12815532ac794a6e42b44d65ad8e0d624313829974820325856d86a884dc85d9c4618fd1ff7283db1a3f2be7ac
-
Filesize
5.2MB
MD54bb8922aed2f554aa5457d315a43c760
SHA15a87d57eb5046e96e56e1e43ba818855fe2c053a
SHA256406445e1f73c0cf1fe809e54842ee915694039373b94230a163ef61a7749f2f6
SHA512b866c8f43edcefa6cc4ec2cbcf22cf94b6b45b12815532ac794a6e42b44d65ad8e0d624313829974820325856d86a884dc85d9c4618fd1ff7283db1a3f2be7ac
-
Filesize
795KB
MD556df7a0ea82242ce7e1a58ba8280822b
SHA10415e883811e56483cbf0a54e9ce3cfedd6e5dd2
SHA256cfca50d3277007bca65275606eb469261ac4d12732c05448a41811b4cde159a7
SHA512ded49ee0228c7e60cc88fba59c6b4f4295aed1237775cbb19e90fb9a96952d2890fe2bbf0920815c98439da29076b22f720934e45cdcfef50458b042dffe4993
-
Filesize
795KB
MD556df7a0ea82242ce7e1a58ba8280822b
SHA10415e883811e56483cbf0a54e9ce3cfedd6e5dd2
SHA256cfca50d3277007bca65275606eb469261ac4d12732c05448a41811b4cde159a7
SHA512ded49ee0228c7e60cc88fba59c6b4f4295aed1237775cbb19e90fb9a96952d2890fe2bbf0920815c98439da29076b22f720934e45cdcfef50458b042dffe4993
-
Filesize
795KB
MD556df7a0ea82242ce7e1a58ba8280822b
SHA10415e883811e56483cbf0a54e9ce3cfedd6e5dd2
SHA256cfca50d3277007bca65275606eb469261ac4d12732c05448a41811b4cde159a7
SHA512ded49ee0228c7e60cc88fba59c6b4f4295aed1237775cbb19e90fb9a96952d2890fe2bbf0920815c98439da29076b22f720934e45cdcfef50458b042dffe4993
-
Filesize
1.9MB
MD548ab7d994ff16743bc34404f6282209c
SHA12384002699b10e0e4fd230cf4b36c75d3fb7c3bc
SHA2563090f3102eb0f9d704e34a5eed66b9c0e3f505f5fb90ddc5ba3054e91eb6713f
SHA51205d66fa8efc235016e12499e6921307a8212457e94e198c015903dacb8d2a6e1a7eb57510e08bc87fe68749a54af7f71a39a1ad5f255f1f6bcab7a48ef381ae0
-
Filesize
791KB
MD558e92ea3a88e6b00f15c0b8da7d7c270
SHA12c3b4bcb08f3b5ab2e02f2f184d300d0c5567cab
SHA256580a71f3c0c10e7df4f011f0ce6897e16b176c9e2c6a78a6ee7ab292633d6da0
SHA512cf205fd978b814bf09f13446222b9c9f5c07072d294798e829f9a810fd0e9377ae36bb8ed77c5d1efa3b0ebb85a6a6404a55f68d2ebe528e096e2b9d56b9a114
-
Filesize
791KB
MD558e92ea3a88e6b00f15c0b8da7d7c270
SHA12c3b4bcb08f3b5ab2e02f2f184d300d0c5567cab
SHA256580a71f3c0c10e7df4f011f0ce6897e16b176c9e2c6a78a6ee7ab292633d6da0
SHA512cf205fd978b814bf09f13446222b9c9f5c07072d294798e829f9a810fd0e9377ae36bb8ed77c5d1efa3b0ebb85a6a6404a55f68d2ebe528e096e2b9d56b9a114
-
Filesize
210B
MD50ed388e96be16481782876ae6e57790e
SHA18ea5810dda85821e8737bf4b18c0ea5c1fc55198
SHA256ece530f92f9ba5b045a723ef9321cbae9c4e582c763ccae1e4eda6f03d9b2916
SHA5122c530cce0a9869ffd4032c871ffb736486ddbd580fdc0163dfdc847319c331b38cb62411c89323ebb99243767b34817c2547405d3b61fcf25a3ff5a4bb306dce