Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-12-2023 01:06
Behavioral task: behavioral1
- Sample: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
- Resource: win10v2004-20231222-en
General
- Target: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
- Size: 1.1MB
- MD5: 21baedb54f72d57d2d847d9352c8f91d
- SHA1: ab0bdda443b1720b9a023874ae91c950146579b0
- SHA256: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be
- SHA512: 0da246eba76c17d86f3409eee307c43542ad6d46902d6183f75404dd1c8b460696d100c758ea893a4a4f6034967d450ba621325b59ca7ebc60fd48c5ea5059bf
- SSDEEP: 12288:tgGpzc0nT1aCX1TAlJjWWNQg3PcaMhljQATlQEhXbw7jKcQq6kAiJVORZy9:tgG5c0nTcwsWWR0PRThbw7jKDkANZk
Malware Config
Signatures
- Detects Echelon Stealer payload (3 IoCs)
  Resource / YARA rule:
    \Users\Admin\Desktop\File.exe: family_echelon
    behavioral1/memory/2516-6-0x00000000002E0000-0x0000000000408000-memory.dmp: family_echelon
    behavioral1/memory/2516-40-0x000000001CCE0000-0x000000001CD60000-memory.dmp: family_echelon
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2516: File.exe
- Loads dropped DLL (1 IoC)
  Processes:
    PID 2508: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / IoC / process):
    Key opened: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (File.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (File.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (File.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows (flow / IoC):
    flow 2: api.ipify.org
    flow 3: api.ipify.org
    flow 4: ip-api.com
    flow 6: api.ipify.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 2516: File.exe
    PID 2516: File.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege, PID 2516, File.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description / PID / process / target process):
    PID 2508 wrote to memory of 2516: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe -> File.exe
    PID 2508 wrote to memory of 2516: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe -> File.exe
    PID 2508 wrote to memory of 2516: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe -> File.exe
    PID 2508 wrote to memory of 2516: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe -> File.exe
    PID 2516 wrote to memory of 1580: File.exe -> WerFault.exe
    PID 2516 wrote to memory of 1580: File.exe -> WerFault.exe
    PID 2516 wrote to memory of 1580: File.exe -> WerFault.exe
- outlook_office_path (1 IoC)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (File.exe)
- outlook_win_path (1 IoC)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (File.exe)
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe"
  PID: 2508
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Desktop\File.exe
    Command line: "C:\Users\Admin\Desktop\File.exe"
    PID: 2516
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2516 -s 888
      PID: 1580
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\wVFZNXNRPyFRwwPuFuZRRNLT078BFBFF000306D254E847F694\94078BFBFF000306D254E847F6wVFZNXNRPyFRwwPuFuZRRNLT\Browsers\Passwords\Passwords_Edge.txt
  Filesize: 52B
  MD5: fdec4452a98b7d7f3dc83904cd82a724
  SHA1: 2b447ea859993ab549ee1547c72071e59cace07c
  SHA256: 59b16ba683aaf821362d2061fef52b52a909ad63be1192ef3d2374f3e8a4b235
  SHA512: 87a573d8a9a085ffeea49335d213f96cd55385a3afa281d1a4a321043e82cd81a324d1131c764d024966d9dcbcc219d78514b0cdce74f849fe33e0f9ce2df432
- \Users\Admin\Desktop\File.exe
  Filesize: 1.1MB
  MD5: bc8ec6ae561e3c2706004a1455f2eea3
  SHA1: a2c03450a47899dbb2390a9a152ae13cdd4a1bdc
  SHA256: cb5c79133f2204ea0dfcc8794771a836a1e2676bf5fcd9615135b0b8c1b0e9f3
  SHA512: be8cce3f3d13c3e1f9c531415909fe183e4602c3c7edefced16041745fd24dee4257e7c60962b1ba9689257aa96b420dd313777c038bf99736ca26868927f3eb
- memory/2516-6-0x00000000002E0000-0x0000000000408000-memory.dmp
  Filesize: 1.2MB
- memory/2516-7-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
  Filesize: 9.9MB
- memory/2516-40-0x000000001CCE0000-0x000000001CD60000-memory.dmp
  Filesize: 512KB
- memory/2516-64-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
  Filesize: 9.9MB
- memory/2516-65-0x000000001CCE0000-0x000000001CD60000-memory.dmp
  Filesize: 512KB