Analysis
-
max time kernel
161s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
28-09-2023 07:16
General
-
Target
https://telegra.ph/CS2-Hack-by-CoderX-09-27
Malware Config
Signatures
-
Detects Echelon Stealer payload 4 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://telegra.ph/CS2-Hack-by-CoderX-09-271⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2536.0.1421455987\1513791750" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fd7fd66-acd1-4c60-b16a-8aa1a35085dc} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" 1948 16ce8b03e58 gpu2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2536.1.1063272934\951439919" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6594b8c9-d86b-4c5e-8c20-29ccccc03848} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" 2372 16cdb172858 socket2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2536.2.1973198439\2141890807" -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 3284 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {effbb250-23be-4cf2-8a54-c1150527f1bb} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" 3172 16cebc2b758 tab2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2536.3.654942247\636466466" -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85b06fe6-a87a-4a7e-b874-5317fa726309} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" 3640 16cecd15e58 tab2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2536.6.211880438\753705606" -childID 5 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4155ea05-a0ad-4fd5-98aa-dcd1887e33f8} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" 5284 16cee943e58 tab2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2536.5.1978908064\346224373" -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0eb0fc7-1ed8-47ce-b789-1bd5d68b8e95} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" 5084 16cee941a58 tab2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2536.4.903695245\124512719" -childID 3 -isForBrowser -prefsHandle 4940 -prefMapHandle 4936 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4807ba5f-31d5-4ede-8d30-71798d71284c} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" 4952 16cee941d58 tab2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2536.7.116600406\1557863431" -childID 6 -isForBrowser -prefsHandle 5668 -prefMapHandle 5712 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1906c32-18b9-409a-b44c-c7e668a8fdf4} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" 2848 16cee398b58 tab2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2536.8.1483908777\18385240" -childID 7 -isForBrowser -prefsHandle 5856 -prefMapHandle 5912 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be531a96-0c14-435d-92ed-91e9055ec544} 2536 "\\.\pipe\gecko-crash-server-pipe.2536" 5976 16cedc88c58 tab2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://telegra.ph/CS2-Hack-by-CoderX-09-27"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x384 0x5181⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\pack1.bat"1⤵
-
C:\Users\Admin\Desktop\CS2 Hack.exe"C:\Users\Admin\Desktop\CS2 Hack.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\drivEn990.exe"C:\Users\Admin\AppData\Local\Temp\drivEn990.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ddwqx74p.default-release\activity-stream.discovery_stream.json.tmpFilesize
22KB
MD51f81335fcac17ce203292cd1a154fd4f
SHA18da082d56fd2f232347784cedc6d86fb065cd4d5
SHA25630cfaaed1525728bc5500cac763eb5dfc381567af0372c0ed0ce1b359dbfde33
SHA5126b7e9c1cb5c6cc72758d65f697d3ea716ac5f3385dff9bb5ae28d5f7e5375788723980b75b2997b3d21732e01d19d078471b01832865eb05c5260d62e0547833
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ddwqx74p.default-release\cache2\doomed\2738Filesize
9KB
MD5c940340a4b29f298b380c8b5832175eb
SHA19cbe1fb3fe7af2443e1e203af72d539791de5fc4
SHA2567ce2dd94122202fecf91453bee55799d28ec3c50323ca4eacd6d17a77b8b7901
SHA512d22cf876be53f1896efb55c55cff878ddb0e42176647cc89c3c2a6accad25d60ea9f5231d4b893f14481478fb4aad33a5f0b2910918a6e530f594fb8a5ef138e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ddwqx74p.default-release\cache2\entries\58A756A796A86993036E1F0F79183245EE2ABF58Filesize
13KB
MD5ca759b48d61617f85f2769dd0bb35def
SHA1cbaec7ea0b5b45121f79b22ab0b73a61495bc6e6
SHA256d056078a10a456c413d1d2caba8246fcff5e3e753cc1b9b7f0455d3d766e8c00
SHA5120744ddf390c5f8acaf6e3394eafc8567cd05ff0ce8c32c01d9a601531958fd645f69bfc4ff588370fe39237601f54d36ccee261e2ef30d4d9ca675893906d0ab
-
C:\Users\Admin\AppData\Local\Temp\drivEn990.exeFilesize
581KB
MD52754395ba2bd39a4c53d616ad931a389
SHA1e17fe4a9616a6c47a0314d552b4072806607d82e
SHA256af2e7803c31710bac7eeb61f3c498e08bbb9b8d661b63f3dde72e0b01e05554b
SHA512ab23f13cbfa531ab97cff7ee974cbe496f59311ae309c484719f1a67b58a896d538a47f1ea25e4d467a6f01f069a6ec492da99bae7064c999870a66b7cf7c8b7
-
C:\Users\Admin\AppData\Local\Temp\drivEn990.exeFilesize
581KB
MD52754395ba2bd39a4c53d616ad931a389
SHA1e17fe4a9616a6c47a0314d552b4072806607d82e
SHA256af2e7803c31710bac7eeb61f3c498e08bbb9b8d661b63f3dde72e0b01e05554b
SHA512ab23f13cbfa531ab97cff7ee974cbe496f59311ae309c484719f1a67b58a896d538a47f1ea25e4d467a6f01f069a6ec492da99bae7064c999870a66b7cf7c8b7
-
C:\Users\Admin\AppData\Local\Temp\drivEn990.exeFilesize
581KB
MD52754395ba2bd39a4c53d616ad931a389
SHA1e17fe4a9616a6c47a0314d552b4072806607d82e
SHA256af2e7803c31710bac7eeb61f3c498e08bbb9b8d661b63f3dde72e0b01e05554b
SHA512ab23f13cbfa531ab97cff7ee974cbe496f59311ae309c484719f1a67b58a896d538a47f1ea25e4d467a6f01f069a6ec492da99bae7064c999870a66b7cf7c8b7
-
C:\Users\Admin\AppData\Local\Temp\sqls990.exeFilesize
102KB
MD5bb9a15a24e66a151ef0d14b343a508a8
SHA1a17ece76f497de5aa4d5f96c66e8ef2e5ea1a133
SHA256ff430987186f07f82e04d8101e0ecf9af58047c9af3d53f08e113dec0cbfbf01
SHA51291b600d988cd2646ebe41d9616d4cf752401d0fb82aeb0656abc938182d3bb6b2fedd95f92338c1c909f5bc31f67e66b06680e067109a2136695084b65f72dcd
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ddwqx74p.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ddwqx74p.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ddwqx74p.default-release\prefs-1.jsFilesize
7KB
MD54dc7db4d09d9199b4ea131299773505f
SHA19edd115390eaef91cc90f68b19d6c3ae0c47c5f7
SHA2568f11b06cbcf4373ac547f3db8e17f2a788beab5def634b8b563d3883407bf72a
SHA512d3646d7f0d146a438bcb21f562649304b50597507e34bfcc648eae69547bf4d4db3a98ff652b3b0a69f7ad62ae369c047ae65ee8d5d2db275db6541fa6d91976
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ddwqx74p.default-release\prefs-1.jsFilesize
8KB
MD5d4d57f528b3e3130e9585bb81a613d4c
SHA14ada7e7f924f42b43fd0b39aa8ec739d45dab864
SHA256e799f7636a027523a9f2c1204d9059d22b78212acdf420604c9917e428a6d964
SHA51248254bd5ea0de734597a61c0566cb2515e5e706f6b644d9fb0becb232ecef937d5ed8fcfe4d6bd90ad16f0decaf710c394c87ed01139702ec6f11ab6578eaa79
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ddwqx74p.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD535ed55a3fd7e328b797016d492ad8ddc
SHA138810778fcf671214f6e74742738e5baa47046c5
SHA25650e10b23abe49b3974a9d75131fc220027144da16805fc4c956ed8df8f16f898
SHA512c4f05b6a349b4d9e4660f796b64f107b2c72cfce4b0e90c76e4911e90d900ed4cd1c30aca4a27ae6f68af2fd51ee4484efa2b389f63b18a430ed59513300001c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ddwqx74p.default-release\storage\default\https+++mega.nz\cache\morgue\234\{0b18ab84-2fdb-4dc1-8f3b-b68d207b50ea}.finalFilesize
1KB
MD53efa9abd92666265dd81c4f4311a96f9
SHA141b6b716d67b93555e444cd453f3c6e3f8c9522c
SHA2565066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7
SHA5125961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ddwqx74p.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqliteFilesize
48KB
MD592be686a322cb6fa45b8eb6514815161
SHA18106e839194746c2abaaea4a48bb6b6a84608326
SHA256d0c7dea2af7825b807ea51a3ad8c39c734f33a491028f1fb55f4ddbb3a932192
SHA51293e200683e39423b76232e794493bcb253486812f95cc3b92d46873f0b424d03caedc6428334dd476bae5c483a140159ba8d4056ea6cfd660003ec1bddd331eb
-
C:\Users\Admin\Downloads\CS2 Hack.mcmSXINM.zip.partFilesize
11.9MB
MD53e28bae7928117b0bca2bff396230d57
SHA104038ce69096c6430ead4806d6639dccca28692a
SHA256f70a6db4edadfb5fad6baf8ba03d8f4fb91dca2effd059d6fa0049213bb9133b
SHA512aefd8b92d010d90c1e40fa7011f7322ee0c77b1685d92ac3764b9242118f7671bca2cbaa94140cb897a69ebe94c5696783d7c408a25589a70cd2e53c5b9e4433
-
memory/5304-299-0x00007FF8B8A40000-0x00007FF8B9501000-memory.dmpFilesize
10.8MB
-
memory/5304-292-0x0000017D6FAB0000-0x0000017D6FB48000-memory.dmpFilesize
608KB
-
memory/5304-294-0x00007FF8B8A40000-0x00007FF8B9501000-memory.dmpFilesize
10.8MB
-
memory/5304-295-0x0000017D71FC0000-0x0000017D71FD0000-memory.dmpFilesize
64KB
-
memory/5304-296-0x0000017D72220000-0x0000017D72296000-memory.dmpFilesize
472KB
-
memory/5304-332-0x00007FF8B8A40000-0x00007FF8B9501000-memory.dmpFilesize
10.8MB
-
memory/6104-293-0x00007FF8BAE40000-0x00007FF8BB7E1000-memory.dmpFilesize
9.6MB
-
memory/6104-278-0x0000000001550000-0x0000000001560000-memory.dmpFilesize
64KB
-
memory/6104-277-0x00007FF8BAE40000-0x00007FF8BB7E1000-memory.dmpFilesize
9.6MB
-
memory/6104-269-0x0000000001550000-0x0000000001560000-memory.dmpFilesize
64KB
-
memory/6104-268-0x00007FF8BAE40000-0x00007FF8BB7E1000-memory.dmpFilesize
9.6MB
-
memory/6104-265-0x00007FF8BAE40000-0x00007FF8BB7E1000-memory.dmpFilesize
9.6MB