Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
20-01-2024 01:06
General
-
Target
4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exe
-
Size
649KB
-
MD5
d87dbaf2295af3f2f55f7ca333b4668f
-
SHA1
95aa151d52ce3174d4d0e909c8e14e8373e4506a
-
SHA256
4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79
-
SHA512
992b8d780758003e237e5c4c3b8eb9cd5276f79965d58976ce0b93128a95346927ee122294b8dea2c8f46aea4b7ab46c916099fbf60b15cc4987dec34217d0a3
-
SSDEEP
12288:jBdlwHRn+WlYV+8T+tkU5bw6g8h+Y409dMCZyH0FVI8QV:jBkVdlYAK23FNZyHf8QV
Malware Config
Signatures
-
Detects Echelon Stealer payload 2 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exe"C:\Users\Admin\AppData\Local\Temp\4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop "MpsSvc"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop "MpsSvc"4⤵
- Launches sc.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
592KB
MD5a6c5e33747f3087b1f1c96d5c800aa99
SHA1d3e400f79fb0520deca6eaf52ac030eadec98a71
SHA256818d899f97b141d991937b1d39936ead0a845022ea685c7e83aef1fd55838033
SHA5125339057ce8126bb5fc1c4a2115b4887533761ed5cb54976ec8b2087abf6a4602012cc939c04876a3cbf10ed270b100ee55b20fdecae51fa6952194ee2900fdb8
-
Filesize
616KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB