Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
20-02-2024 01:29
General
-
Target
a7b4ff991a0932e916f4f4ae6cc1f25d4434202788ffa2e23e9e7ea2e36955e9.exe
-
Size
1.1MB
-
MD5
00dc0ff6987d8dc9651bfc8b9dfa235a
-
SHA1
7a24a90b470a81af4c67d4488e64728b53c04e91
-
SHA256
a7b4ff991a0932e916f4f4ae6cc1f25d4434202788ffa2e23e9e7ea2e36955e9
-
SHA512
aa154bb732cb63df970cb49d62aab412e66ca2415074a118a4101af27507b1b867f07b4eef7fb84667bf6dc627c6a1eea711496d7fa562b20d86ff738230dc92
-
SSDEEP
12288:1geMBID71CWeVdxB5uRaWmk93sYvBFaXQAT2QEhXbwhjCU+oGnmAudhgIQnGy:1geMBID78l4aW+4iRTCbwhjCTxnmAA
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7b4ff991a0932e916f4f4ae6cc1f25d4434202788ffa2e23e9e7ea2e36955e9.exe"C:\Users\Admin\AppData\Local\Temp\a7b4ff991a0932e916f4f4ae6cc1f25d4434202788ffa2e23e9e7ea2e36955e9.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2180 -s 17682⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NBuZFL078BFBFF000306D2F804344531\31078BFBFF000306D2F8043445NBuZFL\Browsers\Passwords\Passwords_Edge.txtFilesize
52B
MD5fdec4452a98b7d7f3dc83904cd82a724
SHA12b447ea859993ab549ee1547c72071e59cace07c
SHA25659b16ba683aaf821362d2061fef52b52a909ad63be1192ef3d2374f3e8a4b235
SHA51287a573d8a9a085ffeea49335d213f96cd55385a3afa281d1a4a321043e82cd81a324d1131c764d024966d9dcbcc219d78514b0cdce74f849fe33e0f9ce2df432
-
memory/2180-0-0x0000000001360000-0x0000000001488000-memory.dmpFilesize
1.2MB
-
memory/2180-1-0x000007FEF5D90000-0x000007FEF677C000-memory.dmpFilesize
9.9MB
-
memory/2180-34-0x000000001C390000-0x000000001C410000-memory.dmpFilesize
512KB
-
memory/2180-58-0x000007FEF5D90000-0x000007FEF677C000-memory.dmpFilesize
9.9MB
-
memory/2180-59-0x000000001C390000-0x000000001C410000-memory.dmpFilesize
512KB