Analysis

  • max time kernel
    92s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-02-2024 18:45

General

  • Target

    a27ba5e68cdd7333b8cd5e4ebd558019.exe

  • Size

    863KB

  • MD5

    a27ba5e68cdd7333b8cd5e4ebd558019

  • SHA1

    c4e6d99f3979003424ad4cc511a36434944c02b0

  • SHA256

    e42ba94ba2b856fdb7aa01b9dee11abd71c55b6fc15e1933a77269deedb57e88

  • SHA512

    2edfb1bae88e3088da81fbcf382fa7955998562817eb9f25bfaef6d82cbeb064c93764d1f9f127ad667543854109da6df84938cbb8d9b62eabf3a00ee5699ff1

  • SSDEEP

    12288:XZaaNwVY4K/EX7xzHMPq/2KAIoE2F27HFqkPNXyDxR8AVNHp+0ng13k/u:Ja3VDHtsz5hoHM4KxR8Mg

Score
10/10

Malware Config

Signatures

  • Detects Echelon Stealer payload 2 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a27ba5e68cdd7333b8cd5e4ebd558019.exe
    "C:\Users\Admin\AppData\Local\Temp\a27ba5e68cdd7333b8cd5e4ebd558019.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe
      "C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:324
    • C:\Users\Admin\AppData\Local\Temp\98899.exe
      "C:\Users\Admin\AppData\Local\Temp\98899.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1976
        3⤵
        • Program crash
        PID:728
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4756 -ip 4756
    1⤵
      PID:2460

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\98899.exe

      Filesize

      7KB

      MD5

      ac0a9390d50cbc5133523482b31e0735

      SHA1

      4d29f350e46df5672f87095033cdfe3710c58b42

      SHA256

      710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c

      SHA512

      a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64

    • C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe

      Filesize

      1.0MB

      MD5

      c10aa673e83a05634292512446b5896d

      SHA1

      8ac8a1820c0f907412b8159476348ed690cfbaee

      SHA256

      6040eb35031a150e4ba05d2e808c5d800a051a537ce4b6c68f3f9b0da9a7258e

      SHA512

      2a0bd1ccae71a802ffcfa79a2c15ed54a7c932b63905f8cbd320f8e90af729294e8812ead8bba7853bc5527afba00fdf77d353ad857187a32efb0cfc854a4d67

    • C:\Users\Admin\AppData\Roaming\BTB078BFBFF000306D2A8FFBA9C21\21078BFBFF000306D2A8FFBA9CBTB\Browsers\Passwords\Passwords_Edge.txt

      Filesize

      426B

      MD5

      42fa959509b3ed7c94c0cf3728b03f6d

      SHA1

      661292176640beb0b38dc9e7a462518eb592d27d

      SHA256

      870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

      SHA512

      7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

    • memory/324-24-0x00000000009D0000-0x0000000000AD6000-memory.dmp

      Filesize

      1.0MB

    • memory/324-26-0x00007FFE2F1C0000-0x00007FFE2FC81000-memory.dmp

      Filesize

      10.8MB

    • memory/324-29-0x000000001C690000-0x000000001C706000-memory.dmp

      Filesize

      472KB

    • memory/324-98-0x00007FFE2F1C0000-0x00007FFE2FC81000-memory.dmp

      Filesize

      10.8MB

    • memory/4756-25-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

      Filesize

      32KB

    • memory/4756-27-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

    • memory/4756-28-0x0000000005740000-0x0000000005750000-memory.dmp

      Filesize

      64KB

    • memory/4756-74-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB