Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
29-02-2024 22:09
Behavioral task
behavioral1
Sample
cd4a896224f9dcda6f0244bae4ef9abf.exe
Resource
win7-20240215-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
cd4a896224f9dcda6f0244bae4ef9abf.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
cd4a896224f9dcda6f0244bae4ef9abf.exe
-
Size
581KB
-
MD5
cd4a896224f9dcda6f0244bae4ef9abf
-
SHA1
d362ab6e88e94c7a4200206f5d74c68eabc9dd07
-
SHA256
b7291b4d5bdaaffe9f29598bcf3dd822cee39b18d485d2071ee2ae41b9ccdfb2
-
SHA512
438f7ccb8b347c4928e1727b0800351b79308ee912272f85e0ec0c49c860216d102a06dd961044117f253cada879773bc9b76fdbf5b975a6af2238559d3a7f0d
-
SSDEEP
12288:wcQ6CmvZLJLUf9snBS4csPYae6qfzRAA:k6xvhhUF54clNf7RB
Malware Config
Signatures
-
Detects Echelon Stealer payload 2 IoCs
resource yara_rule behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp family_echelon behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp family_echelon -
Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
resource yara_rule behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID -
Detects executables referencing many VPN software clients. Observed in infosteslers 2 IoCs
resource yara_rule behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_VPN behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_VPN -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
resource yara_rule behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
resource yara_rule behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables using Telegram Chat Bot 2 IoCs
resource yara_rule behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TelegramChatBot behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TelegramChatBot -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 api.ipify.org 3 api.ipify.org -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2980 cd4a896224f9dcda6f0244bae4ef9abf.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2664 2980 cd4a896224f9dcda6f0244bae4ef9abf.exe 29 PID 2980 wrote to memory of 2664 2980 cd4a896224f9dcda6f0244bae4ef9abf.exe 29 PID 2980 wrote to memory of 2664 2980 cd4a896224f9dcda6f0244bae4ef9abf.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd4a896224f9dcda6f0244bae4ef9abf.exe"C:\Users\Admin\AppData\Local\Temp\cd4a896224f9dcda6f0244bae4ef9abf.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2980 -s 11762⤵PID:2664
-