Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
19-02-2024 01:16
Behavioral task
behavioral1
Sample
8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe
Resource
win10v2004-20231215-en
General
-
Target
8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe
-
Size
581KB
-
MD5
4c3eab225aabc7e675e5ca16056aa5dd
-
SHA1
3c28f07eba4a7163e1be5e9e2e0e4fba595832ea
-
SHA256
8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d
-
SHA512
604eb2047921dc92c5b8203847e9b3e7b4fa269a865cc3f2ca49aea388984ea54388f569563a2a1879c07a1c14de39ce368b09d484b5305454ceda8f64d099d5
-
SSDEEP
12288:zu5kjMFW/Yq9a7p8HRZLJLUf9snBS4csPYae6qfzYAA:9cwHRhhUF54clNf7YB
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3612-0-0x000002541C7B0000-0x000002541C848000-memory.dmp family_echelon -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 api.ipify.org 6 api.ipify.org 25 ip-api.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exepid process 3612 8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe 3612 8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exedescription pid process Token: SeDebugPrivilege 3612 8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe -
outlook_office_path 1 IoCs
Processes:
8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe -
outlook_win_path 1 IoCs
Processes:
8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe"C:\Users\Admin\AppData\Local\Temp\8793455ff0b8e1ba86950146f3b38eb2f40dd9f31509e51b4179d188469df05d.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3612