efea96686cbe5897b40690ea74f24377bb885a776c2611af08245632f0616fda

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

echo-36D617-ODE5MDEy-b7aad1-m.exe
Size

14.5MB
MD5

1c94d6d3032f49f54fd9d6d0888d062b
SHA1

7a8e0aa1dc45f3d9bf5d6eeebd227093e0478104
SHA256

efea96686cbe5897b40690ea74f24377bb885a776c2611af08245632f0616fda
SHA512

915d29ebcf1429b497b125855c6ba4051604e8325267a0b7e693105103833b2c49f6e0c7abd107cf6161877066ca7aab68bdf1fd20d3ab6b04bfa9832971cef7
SSDEEP

196608:Q4URNPI9sc1ZPlQup05a3B+4abosxt+5SO:Q4URq9XZPWuu0+fcSO

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2728	echo-36D617-ODE5MDEy-b7aad1-m.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3624	sc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2728	echo-36D617-ODE5MDEy-b7aad1-m.exe
2728	echo-36D617-ODE5MDEy-b7aad1-m.exe
2728	echo-36D617-ODE5MDEy-b7aad1-m.exe
2728	echo-36D617-ODE5MDEy-b7aad1-m.exe
2728	echo-36D617-ODE5MDEy-b7aad1-m.exe
2728	echo-36D617-ODE5MDEy-b7aad1-m.exe
2728	echo-36D617-ODE5MDEy-b7aad1-m.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2728	echo-36D617-ODE5MDEy-b7aad1-m.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 3624	2728	echo-36D617-ODE5MDEy-b7aad1-m.exe	81
PID 2728 wrote to memory of 3624	2728	echo-36D617-ODE5MDEy-b7aad1-m.exe	81

C:\Users\Admin\AppData\Local\Temp\echo-36D617-ODE5MDEy-b7aad1-m.exe
"C:\Users\Admin\AppData\Local\Temp\echo-36D617-ODE5MDEy-b7aad1-m.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\sc.exe
  sc delete EchoDrv
  2⤵
  - Launches sc.exe
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2728-0-0x00007FFD29140000-0x00007FFD29409000-memory.dmp

Filesize
2.8MB

Download
memory/2728-1-0x00007FFD29140000-0x00007FFD29409000-memory.dmp

Filesize
2.8MB

Download
memory/2728-2-0x00007FFD29140000-0x00007FFD29409000-memory.dmp

Filesize
2.8MB

Download
memory/2728-4-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

Filesize
8KB

Download
memory/2728-3-0x00007FFD00030000-0x00007FFD00031000-memory.dmp

Filesize
4KB

Download
memory/2728-6-0x00007FFD2B690000-0x00007FFD2B885000-memory.dmp

Filesize
2.0MB

Download
memory/2728-7-0x0000000180000000-0x0000000180008000-memory.dmp

Filesize
32KB

Download
memory/2728-14-0x00007FFD00010000-0x00007FFD00011000-memory.dmp

Filesize
4KB

Download
memory/2728-15-0x00007FFD2A0E0000-0x00007FFD2A0E1000-memory.dmp

Filesize
4KB

Download
memory/2728-16-0x00007FFD29140000-0x00007FFD29409000-memory.dmp

Filesize
2.8MB

Download
memory/2728-17-0x00007FFD29140000-0x00007FFD29409000-memory.dmp

Filesize
2.8MB

Download
memory/2728-18-0x00007FFD2B690000-0x00007FFD2B885000-memory.dmp

Filesize
2.0MB

Download
memory/2728-19-0x00007FF635290000-0x00007FF636FC2000-memory.dmp

Filesize
29.2MB

Download