Analysis
  max time kernel: 119s
  max time network: 125s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 22-12-2023 14:27
Behavioral tasks
  behavioral1
    Sample: c2728a9030fc90844defcbd8c155fd1c.exe
    Resource: win7-20231215-en
  behavioral2
    Sample: c2728a9030fc90844defcbd8c155fd1c.exe
    Resource: win10v2004-20231215-en
General
  Target: c2728a9030fc90844defcbd8c155fd1c.exe
  Size: 581KB
  MD5: c2728a9030fc90844defcbd8c155fd1c
  SHA1: 49f18f9f3512f521aa06055807c0e720ae319233
  SHA256: 4e9e39595b36eda5ad4181e324560a423cd7119b8b666861d98181399df02989
  SHA512: 008f5c255b4cc1d291a92edba8e6cf79cbbe02ccb339ccbb10a96da24906d7f2bd5cb8567fd610fd0c5882156c75786567fb52a88cf7959c44ee4dc03de789f4
  SSDEEP: 12288:IibOqGDZLJLUf9snBS4csPYae6qfz0AA:FOFDhhUF54clNf70B
Malware Config
Signatures
  Detects Echelon Stealer payload (1 IoC)
    resource: behavioral1/memory/2100-0-0x0000000000E30000-0x0000000000EC8000-memory.dmp
    yara_rule: family_echelon
  Looks up external IP address via web service (2 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    flow 2: api.ipify.org
    flow 3: api.ipify.org
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    process: c2728a9030fc90844defcbd8c155fd1c.exe (PID 2100)
    description: Token: SeDebugPrivilege
  Suspicious use of WriteProcessMemory (3 IoCs)
    PID 2100 (c2728a9030fc90844defcbd8c155fd1c.exe) wrote to memory of PID 2976 (WerFault.exe); the same event is recorded three times
Processes
  c2728a9030fc90844defcbd8c155fd1c.exe (PID 2100)
    path: C:\Users\Admin\AppData\Local\Temp\c2728a9030fc90844defcbd8c155fd1c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c2728a9030fc90844defcbd8c155fd1c.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    child process: WerFault.exe (PID 2976)
      path: C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 2100 -s 1228
      note: WerFault.exe is Windows Error Reporting; its -p 2100 argument names the sample's own PID, so the sample crashed in the Windows 7 environment and the WriteProcessMemory events above are part of that crash handoff.
Network
MITRE ATT&CK Matrix
Downloads (memory dumps)
  memory/2100-0-0x0000000000E30000-0x0000000000EC8000-memory.dmp: 608KB
  memory/2100-1-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp: 9.9MB
  memory/2100-2-0x000000001AE60000-0x000000001AEE0000-memory.dmp: 512KB
  memory/2100-3-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp: 9.9MB
  memory/2100-4-0x000000001AE60000-0x000000001AEE0000-memory.dmp: 512KB