Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
18-03-2024 01:19
Static task
static1
Behavioral task
behavioral1
Sample
f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe
Resource
win10v2004-20240226-en
General
-
Target
f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe
-
Size
1.4MB
-
MD5
2c79e627d6cbe94d0f577a6f828ca839
-
SHA1
fc8b24ea84099560d82b96e784a00294568e3740
-
SHA256
f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c
-
SHA512
e5751126ce586830931b53cc1963074041aef7b2ad3f3bc627d6b2c61b6b249fe7969b657c74dc97cd758760ab8092714188fc8422c6ddfa16e38c37a320075b
-
SSDEEP
24576:7970JbUadeO+P9AYU4IIH3JyN4yCHMSXZVM3CM5cPVbVOsIogCjh9A+NIdWs:BIJYad8AzU3Jy/CHJpm3CM5ctVO5ogOY
Malware Config
Signatures
-
Detects Echelon Stealer payload 2 IoCs
resource yara_rule behavioral2/memory/3668-1-0x0000000000DF0000-0x00000000011EE000-memory.dmp family_echelon behavioral2/memory/3668-44-0x0000000000DF0000-0x00000000011EE000-memory.dmp family_echelon -
Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
resource yara_rule behavioral2/memory/3668-1-0x0000000000DF0000-0x00000000011EE000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID behavioral2/memory/3668-44-0x0000000000DF0000-0x00000000011EE000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID -
Detects executables referencing many VPN software clients. Observed in infosteslers 2 IoCs
resource yara_rule behavioral2/memory/3668-1-0x0000000000DF0000-0x00000000011EE000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_VPN behavioral2/memory/3668-44-0x0000000000DF0000-0x00000000011EE000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_VPN -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
resource yara_rule behavioral2/memory/3668-1-0x0000000000DF0000-0x00000000011EE000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral2/memory/3668-44-0x0000000000DF0000-0x00000000011EE000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
resource yara_rule behavioral2/memory/3668-1-0x0000000000DF0000-0x00000000011EE000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral2/memory/3668-44-0x0000000000DF0000-0x00000000011EE000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables using Telegram Chat Bot 2 IoCs
resource yara_rule behavioral2/memory/3668-1-0x0000000000DF0000-0x00000000011EE000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TelegramChatBot behavioral2/memory/3668-44-0x0000000000DF0000-0x00000000011EE000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TelegramChatBot -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 api.ipify.org 14 api.ipify.org 43 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 3668 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe 3668 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe 3668 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4296 3668 WerFault.exe 85 -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 3668 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe 3668 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe 3668 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe 3668 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe 3668 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3668 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3668 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe"C:\Users\Admin\AppData\Local\Temp\f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3668 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 22082⤵
- Program crash
PID:4296
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3668 -ip 36681⤵PID:1692