Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
18-01-2024 09:44
General
-
Target
6512ee54cb87daf804d1d337785c947e.exe
-
Size
1.5MB
-
MD5
6512ee54cb87daf804d1d337785c947e
-
SHA1
6e29351ed23c4b14d731a36c789e08cea5f8eb5e
-
SHA256
fe2a40f78f2acb54fb1675bbe256de830d9c78ff813818d7335b98ce8b2bb3e6
-
SHA512
a7725fee1f1a90fe6b0571cf293b028f4128ac5baf62f64cc3b6ba20d7c412437918096c86b005411bb922b42f020c393980965f0ec7c16b000a8e0773da96b7
-
SSDEEP
24576:+DWHSb4Nc0yPFtkTb67tzzM9DvVIJV1rliDpL9Dh7qd2P69EuKA+R:t846kKzzKVIJ5+pLTpP699Kn
Malware Config
Signatures
-
Detects Echelon Stealer payload 4 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file 8 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6512ee54cb87daf804d1d337785c947e.exe"C:\Users\Admin\AppData\Local\Temp\6512ee54cb87daf804d1d337785c947e.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe"C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe"C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Crypt.exe"C:\Users\Admin\AppData\Local\Temp\Crypt.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Crypt.exeFilesize
334KB
MD54cbb821230d32f767f6c1cb949f1d344
SHA170adb916e3b4a76760d8bd48ad375fd28f8e494c
SHA25641b98c4a24bdf7c78e0b960063ceba41b0be1a4660f2a60f29d51f17fe1fdcb6
SHA51245bd11261230e6d60f481324be9391169b2282954572c14d59cffee5f3f73f965bd8ffa2176d2b2979e3e41d5fa5d2b00c5210e6dd67544a34bf512ef2670847
-
C:\Users\Admin\AppData\Local\Temp\Crypt.exeFilesize
323KB
MD5171f19203ccc242d472aeb45cc74fdd9
SHA19a20bdaa55c11186e5239f09136c932f8b74f021
SHA25691457babb965c37923de89fbdc2d26b719b9823aeb56f9dc63e9a2b611da5485
SHA512f22efc315e04820b0b8bfd996e5e07695d067273edec0148fa3b6e451e89dcfd4b9c326a66fd5fd5803ec1bd90ba63869e6269f90940aa1dcc248552b2736aa2
-
C:\Users\Admin\AppData\Local\Temp\Crypt.exeFilesize
422KB
MD5382d187d2cbbdf37a4032bf80cc97a47
SHA1640c5a58560b2cafd9b813de5e20d9be77954fd0
SHA256c61b403de33d5d9f57faa1a13450eb205688406004315c59aac25677aa1e7357
SHA5129c5deb526c46b15bd944b085d9f3e8fdb6415ca5df101f6242c4ceea150ebe2c71867ce33ff5c248e823cc1f02b0282571bae91b075d0a115eab62dfb7eb3c6f
-
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exeFilesize
581KB
MD54b96c037ba3272a9299a794fbbfaad68
SHA1056bb237b9a6890c008fb251676733a46f9aeee6
SHA256cf83d1e1d14f913fa871bacd4b76a61b72b4cd6600183fa961c4021818f4ac35
SHA512eab32a90a2b185c0715f5aecad6cd4e66f7ddfb4ee530275f39aecf1344afe782aa8130883a1a42003be038c3b35eb1a6a604ffecbfb1bd1a06ef5eeafb1fb1d
-
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exeFilesize
534KB
MD53b814ad62b88fff000d007357c65f015
SHA145fa085374ff146b3e3461d4d7712b7e24464934
SHA2562c81e4a2dd90c11dc78c765656a2d256d9a76d1cf75f55336d65b5cf88faa5f7
SHA5127b77a704e995e68e6f3180bb6efd483fc42bfe7aa639097c31062dc866a18a0483006f8411ad380988874415acd448ff7dc92bfcf93ba0f2fe569bc4649cb529
-
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exeFilesize
462KB
MD5f9513df82be4d920436d703edd435246
SHA1ae7e730ba783eb7de776d5936d0cb706a339b110
SHA2560d702a6941da11dc3e48db09f1ddc84fcae169cb8986a36f427009f8080e6b72
SHA51280e1bd6c3272fd0e8123e387daf6ec184b8105698bd4da8ed56736c79dfdc21b8103c4c3a1aa8dfe6fc94fa5bb702b12fbf43d85a68367ad29335b761a827825
-
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exeFilesize
85KB
MD563cb634d14a2318018fa3f186bbfa692
SHA19081829a9ea67579ea567e05ecabfa2d82f24b2c
SHA256b315a7f9863bb4bfe58714d90e2de236f471ff96af7ff18df36a225e1da73731
SHA5128a08dadea1b5debe29c5b108c98c74a3d0a447641062989649252319df28802d3332b0bf67691cd0b30c4641408f5a16bebbdd9928bfb52d0370ef9cbaaec792
-
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exeFilesize
494KB
MD5233882319f664d7812b91b7a77e7d520
SHA18c1ca48f4a6169796940967cb6963fa151620246
SHA256ad3a783913c416a3939d73881f2b1493580960994efb9bf97168d4cd21a6f9c2
SHA51239247542254c3f61343c036c27bf1f8717768dcbcf06966faa670b1f1c1c4f93d26c8a692d83d13295c7d34fc6387923d5a35f0f26bd1b1791bb3ded392d7597
-
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exeFilesize
119KB
MD5e486b603767b039dcebfd10b14884a18
SHA10793e2ba0f6976be513fbe41a5498347e84c7fb2
SHA256589186b09ff62fb832351882cb90f56a2eb678803046d99a7580566ddd500e6f
SHA512e1269f9c5b0b07f1acd4c758a7d889ad1c0c1ee6a2d8cda82aa7e13f1e8e8fa025e145e484b20e646077120730a3d34bd520e49161e98bad78ce4c47ef551539
-
memory/2652-67-0x00007FFA64190000-0x00007FFA64C51000-memory.dmpFilesize
10.8MB
-
memory/2652-40-0x000001BA9A230000-0x000001BA9A2A6000-memory.dmpFilesize
472KB
-
memory/2652-37-0x00007FFA64190000-0x00007FFA64C51000-memory.dmpFilesize
10.8MB
-
memory/2652-35-0x000001BAFF3C0000-0x000001BAFF586000-memory.dmpFilesize
1.8MB
-
memory/2652-39-0x000001BA819F0000-0x000001BA81A00000-memory.dmpFilesize
64KB
-
memory/3640-20-0x0000000000B30000-0x0000000000D30000-memory.dmpFilesize
2.0MB
-
memory/3640-38-0x00007FFA64190000-0x00007FFA64C51000-memory.dmpFilesize
10.8MB
-
memory/3640-22-0x00000000014C0000-0x00000000014C1000-memory.dmpFilesize
4KB
-
memory/3640-23-0x000000001BB00000-0x000000001BB10000-memory.dmpFilesize
64KB
-
memory/3640-21-0x00007FFA64190000-0x00007FFA64C51000-memory.dmpFilesize
10.8MB