Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-12-2023 01:06
Behavioral task: behavioral1
Sample: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
Resource: win10v2004-20231222-en
General
Target: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
Size: 1.1MB
MD5: 21baedb54f72d57d2d847d9352c8f91d
SHA1: ab0bdda443b1720b9a023874ae91c950146579b0
SHA256: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be
SHA512: 0da246eba76c17d86f3409eee307c43542ad6d46902d6183f75404dd1c8b460696d100c758ea893a4a4f6034967d450ba621325b59ca7ebc60fd48c5ea5059bf
SSDEEP: 12288:tgGpzc0nT1aCX1TAlJjWWNQg3PcaMhljQATlQEhXbw7jKcQq6kAiJVORZy9:tgG5c0nTcwsWWR0PRThbw7jKDkANZk
Malware Config
Signatures
- Detects Echelon Stealer payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\Desktop\File.exe | family_echelon
  C:\Users\Admin\Desktop\File.exe | family_echelon
  C:\Users\Admin\Desktop\File.exe | family_echelon
  behavioral2/memory/1636-11-0x00000185133A0000-0x00000185134C8000-memory.dmp | family_echelon
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
- Executes dropped EXE (1 IoCs)
  Processes: File.exe
  pid | process
  1636 | File.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: File.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | File.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | File.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | File.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  26 | api.ipify.org
  27 | api.ipify.org
  30 | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: File.exe
  pid | process
  1636 | File.exe
  1636 | File.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: File.exe
  description | pid | process
  Token: SeDebugPrivilege | 1636 | File.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
  description | pid | process | target process
  PID 5072 wrote to memory of 1636 | 5072 | d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe | File.exe
  PID 5072 wrote to memory of 1636 | 5072 | d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe | File.exe
- outlook_office_path (1 IoCs)
  Processes: File.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | File.exe
- outlook_win_path (1 IoCs)
  Processes: File.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | File.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d33967ebaa16503e91f891bd66ff6e7bf081de47ae790554b24a1733314d94be.exe"
  PID: 5072
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Desktop\File.exe (child process)
    Command line: "C:\Users\Admin\Desktop\File.exe"
    PID: 1636
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\FFL078BFBFF000306D208BC0FF322\22078BFBFF000306D208BC0FF3FFL\Browsers\Passwords\Passwords_Edge.txt
  Filesize: 426B
  MD5: 42fa959509b3ed7c94c0cf3728b03f6d
  SHA1: 661292176640beb0b38dc9e7a462518eb592d27d
  SHA256: 870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00
  SHA512: 7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007
- C:\Users\Admin\Desktop\File.exe
  Filesize: 962KB
  MD5: eb9ec4158e115f7ef5cc3d9dbf0f386e
  SHA1: 77c8fd9c9d44053dea434feab3ebe33d5e8fb1b5
  SHA256: 51230231836a377a9e5110058773d2d5d1d1e30ffb581739aa725837f816e81d
  SHA512: a9d141e64947e4e766ce2a8256990b1fec6e05d8dc9c162aa4dfe131775da20cd7b01a29d2ad9c6bdd0e4e848e07bbdc267fd159148f735e0742df5f05770400
- C:\Users\Admin\Desktop\File.exe
  Filesize: 960KB
  MD5: f315b2491cdc502a910664db11735a8f
  SHA1: 4abafcbecceaafbac9304e26dc2e5416e1a2ecf6
  SHA256: 7c3e201b15b3d7a867f8d3262bed4082c800e3a5c8de767af995ea01fa123c95
  SHA512: 1cf9f5e201c3e19ebc1f8ee7477041ba2f81117905e825ed0afbf0230174645e92194ea2fee54aa177c631711cc62959cce8d7206304e0099c61eca3f3ebc169
- C:\Users\Admin\Desktop\File.exe
  Filesize: 585KB
  MD5: 56a071af11d61c271b7adc422b85e36c
  SHA1: 3d7d090d32f12903378e80f960224da03a46d140
  SHA256: e827ca267088e0bb5c21e96256ee8b6f6af62e291bc519f8d3215c3d61f3e0cf
  SHA512: e7a58005893065abe4c3cb8c8435b753df2fff2884aa74abaf96318e239ae5760ca40eb2cbc485e49fd0fa3b0abf923960f56b3f25694c25d7d3577d97a9d280
- memory/1636-11-0x00000185133A0000-0x00000185134C8000-memory.dmp
  Filesize: 1.2MB
- memory/1636-12-0x00007FFB92250000-0x00007FFB92D11000-memory.dmp
  Filesize: 10.8MB
- memory/1636-13-0x000001852DCF0000-0x000001852DD00000-memory.dmp
  Filesize: 64KB
- memory/1636-82-0x000001852DC80000-0x000001852DCA2000-memory.dmp
  Filesize: 136KB
- memory/1636-95-0x00007FFB92250000-0x00007FFB92D11000-memory.dmp
  Filesize: 10.8MB