Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-02-2024 06:51
General
-
Target
adf2c1710358901e7cc4131c8705ff1b.exe
-
Size
3.1MB
-
MD5
adf2c1710358901e7cc4131c8705ff1b
-
SHA1
f7422460048a1bb7df79c40df103c2ea160d51f6
-
SHA256
fe84372f838e5c4ab673dcf10349c94433399d725c9586a2aa2a077f168c2020
-
SHA512
6a966025634645e85a0ade32858510d2e2c29dc5a86e584a3da737aaf27937789deb6855992f23d5f54e43f3a8124b6d74ac65c202babe4e0a4038fafe71fb01
-
SSDEEP
98304:TVrCEpy5HS84pl5NlSHtaJd3Bo5iIenLkQvFvk:TVrXy5Hzo5NkHted3kiIeLfFM
Malware Config
Signatures
-
Detects Echelon Stealer payload 3 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\adf2c1710358901e7cc4131c8705ff1b.exe"C:\Users\Admin\AppData\Local\Temp\adf2c1710358901e7cc4131c8705ff1b.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 25682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1888 -ip 18881⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1888-0-0x0000000000A40000-0x0000000001010000-memory.dmpFilesize
5.8MB
-
memory/1888-1-0x0000000077A14000-0x0000000077A16000-memory.dmpFilesize
8KB
-
memory/1888-2-0x0000000000A40000-0x0000000001010000-memory.dmpFilesize
5.8MB
-
memory/1888-3-0x0000000000A40000-0x0000000001010000-memory.dmpFilesize
5.8MB
-
memory/1888-4-0x0000000074800000-0x0000000074FB0000-memory.dmpFilesize
7.7MB
-
memory/1888-5-0x0000000000A40000-0x0000000001010000-memory.dmpFilesize
5.8MB
-
memory/1888-6-0x0000000007190000-0x00000000071F6000-memory.dmpFilesize
408KB
-
memory/1888-7-0x00000000079E0000-0x0000000007A02000-memory.dmpFilesize
136KB
-
memory/1888-8-0x0000000007A10000-0x0000000007D64000-memory.dmpFilesize
3.3MB
-
memory/1888-10-0x00000000089A0000-0x0000000008A3C000-memory.dmpFilesize
624KB
-
memory/1888-42-0x0000000000A40000-0x0000000001010000-memory.dmpFilesize
5.8MB
-
memory/1888-43-0x0000000074800000-0x0000000074FB0000-memory.dmpFilesize
7.7MB