Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25-02-2024 01:09
Static task
static1
Behavioral task
behavioral1
Sample
f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe
Resource
win10v2004-20240221-en
General
-
Target
f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe
-
Size
26.6MB
-
MD5
0ca6c805da69fb131412fee821298139
-
SHA1
3dbb25eb358da6381e7097ac5a40273336ad8366
-
SHA256
f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2
-
SHA512
90fae09ee6a5759f96e4b6b9ed6fe8b0e6ff6afcce900e49ef09bb0ee8fcf467950690caab294c5abf3b99175ed1c63317fc53bff70ded509cd1ae2efb803214
-
SSDEEP
786432:Exsai8/g0usnG1KUUeuJ9+ChkQUIOmU3tS5CaHbkLmxRZdw:usr0ugG1KUoJ9+NQv9U3txCvw
Malware Config
Signatures
-
Detects Echelon Stealer payload 2 IoCs
resource yara_rule behavioral1/files/0x000d000000013a06-5.dat family_echelon behavioral1/memory/2628-17-0x0000000000D10000-0x0000000000EE4000-memory.dmp family_echelon -
Executes dropped EXE 1 IoCs
pid Process 2628 anubis.exe -
Loads dropped DLL 4 IoCs
pid Process 2184 f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe 2184 f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe 2184 f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe 2184 f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe -
resource yara_rule behavioral1/files/0x000d000000013a06-5.dat vmprotect behavioral1/memory/2628-17-0x0000000000D10000-0x0000000000EE4000-memory.dmp vmprotect behavioral1/memory/2628-23-0x00000000004C0000-0x0000000000540000-memory.dmp vmprotect -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 api.ipify.org 3 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2628 anubis.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2184 wrote to memory of 2628 2184 f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe 28 PID 2184 wrote to memory of 2628 2184 f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe 28 PID 2184 wrote to memory of 2628 2184 f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe 28 PID 2184 wrote to memory of 2628 2184 f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe 28 PID 2628 wrote to memory of 2792 2628 anubis.exe 30 PID 2628 wrote to memory of 2792 2628 anubis.exe 30 PID 2628 wrote to memory of 2792 2628 anubis.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe"C:\Users\Admin\AppData\Local\Temp\f210c6578cf4878d5059661a535b7eb37023f61dc6aa10bebd28da527aa74bc2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\anubis.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\anubis.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2628 -s 12483⤵PID:2792
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD54f09391934f598db83741393a456e17c
SHA15386cc0a62afe676249cd50cb109ee88631687a3
SHA2562ae2ae473ead2143f8e27cee2a31b7ffed95323c9fd0a924e5a33638b49f66eb
SHA512eee829f5ae3417d78404267bbd0620aaf366afc1d648989c7829922fda86d0427232e3429eb068780f52b39cc66488e483626ebc6209d8e6db04d27b110535c4