Analysis
- max time kernel: 92s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-02-2024 18:45
Static task: static1
Behavioral task: behavioral1
Sample: a27ba5e68cdd7333b8cd5e4ebd558019.exe
Resource: win7-20240221-en
General
- Target: a27ba5e68cdd7333b8cd5e4ebd558019.exe
- Size: 863KB
- MD5: a27ba5e68cdd7333b8cd5e4ebd558019
- SHA1: c4e6d99f3979003424ad4cc511a36434944c02b0
- SHA256: e42ba94ba2b856fdb7aa01b9dee11abd71c55b6fc15e1933a77269deedb57e88
- SHA512: 2edfb1bae88e3088da81fbcf382fa7955998562817eb9f25bfaef6d82cbeb064c93764d1f9f127ad667543854109da6df84938cbb8d9b62eabf3a00ee5699ff1
- SSDEEP: 12288:XZaaNwVY4K/EX7xzHMPq/2KAIoE2F27HFqkPNXyDxR8AVNHp+0ng13k/u:Ja3VDHtsz5hoHM4KxR8Mg
Malware Config
Signatures
- Detects Echelon Stealer payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000300000001e96f-4.dat | family_echelon
  behavioral2/memory/324-24-0x00000000009D0000-0x0000000000AD6000-memory.dmp | family_echelon
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: a27ba5e68cdd7333b8cd5e4ebd558019.exe
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation | a27ba5e68cdd7333b8cd5e4ebd558019.exe
- Executes dropped EXE (2 IoCs)
  Processes: CoderVir Stealer Love Lolz.guru.exe, 98899.exe
  pid | Process
  324 | CoderVir Stealer Love Lolz.guru.exe
  4756 | 98899.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  6 | wtfismyip.com
  7 | wtfismyip.com
  9 | api.ipify.org
  10 | api.ipify.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  728 | 4756 | WerFault.exe | 87
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: 98899.exe, CoderVir Stealer Love Lolz.guru.exe
  pid | Process
  4756 | 98899.exe
  324 | CoderVir Stealer Love Lolz.guru.exe
  324 | CoderVir Stealer Love Lolz.guru.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 98899.exe, CoderVir Stealer Love Lolz.guru.exe
  description | pid | Process
  Token: SeDebugPrivilege | 4756 | 98899.exe
  Token: SeDebugPrivilege | 324 | CoderVir Stealer Love Lolz.guru.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: a27ba5e68cdd7333b8cd5e4ebd558019.exe
  description | pid | Process | procid_target
  PID 1952 wrote to memory of 324 | 1952 | a27ba5e68cdd7333b8cd5e4ebd558019.exe | 86
  PID 1952 wrote to memory of 324 | 1952 | a27ba5e68cdd7333b8cd5e4ebd558019.exe | 86
  PID 1952 wrote to memory of 4756 | 1952 | a27ba5e68cdd7333b8cd5e4ebd558019.exe | 87
  PID 1952 wrote to memory of 4756 | 1952 | a27ba5e68cdd7333b8cd5e4ebd558019.exe | 87
  PID 1952 wrote to memory of 4756 | 1952 | a27ba5e68cdd7333b8cd5e4ebd558019.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\a27ba5e68cdd7333b8cd5e4ebd558019.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a27ba5e68cdd7333b8cd5e4ebd558019.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1952
  - C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CoderVir Stealer Love Lolz.guru.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 324
  - C:\Users\Admin\AppData\Local\Temp\98899.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\98899.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4756
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1976
      - Program crash
      PID: 728
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4756 -ip 4756
  PID: 2460
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7KB
  MD5: ac0a9390d50cbc5133523482b31e0735
  SHA1: 4d29f350e46df5672f87095033cdfe3710c58b42
  SHA256: 710dec8e4d9f735cab190d54b4b27b23636d98d588b93ddbc112a48427eaa18c
  SHA512: a5fd9ec8f7b60a63865b1cf85daf76247c677c7a1de0165449680f7640be2d48ff90dd97639c644e013b4c2e429240e0b52804334b49b3ac7903c6d7fd4e8f64
- Filesize: 1.0MB
  MD5: c10aa673e83a05634292512446b5896d
  SHA1: 8ac8a1820c0f907412b8159476348ed690cfbaee
  SHA256: 6040eb35031a150e4ba05d2e808c5d800a051a537ce4b6c68f3f9b0da9a7258e
  SHA512: 2a0bd1ccae71a802ffcfa79a2c15ed54a7c932b63905f8cbd320f8e90af729294e8812ead8bba7853bc5527afba00fdf77d353ad857187a32efb0cfc854a4d67
- C:\Users\Admin\AppData\Roaming\BTB078BFBFF000306D2A8FFBA9C21\21078BFBFF000306D2A8FFBA9CBTB\Browsers\Passwords\Passwords_Edge.txt
  Filesize: 426B
  MD5: 42fa959509b3ed7c94c0cf3728b03f6d
  SHA1: 661292176640beb0b38dc9e7a462518eb592d27d
  SHA256: 870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00
  SHA512: 7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007