Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
18-03-2024 01:19
General
-
Target
f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe
-
Size
1.4MB
-
MD5
2c79e627d6cbe94d0f577a6f828ca839
-
SHA1
fc8b24ea84099560d82b96e784a00294568e3740
-
SHA256
f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c
-
SHA512
e5751126ce586830931b53cc1963074041aef7b2ad3f3bc627d6b2c61b6b249fe7969b657c74dc97cd758760ab8092714188fc8422c6ddfa16e38c37a320075b
-
SSDEEP
24576:7970JbUadeO+P9AYU4IIH3JyN4yCHMSXZVM3CM5cPVbVOsIogCjh9A+NIdWs:BIJYad8AzU3Jy/CHJpm3CM5ctVO5ogOY
Malware Config
Signatures
-
Detects Echelon Stealer payload 2 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
-
Detects executables referencing many VPN software clients. Observed in infosteslers 2 IoCs
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
-
Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
-
Detects executables using Telegram Chat Bot 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe"C:\Users\Admin\AppData\Local\Temp\f78995fd865b6f50c2cdb18c589216238b539b2fa635b89061b1ab4644053f6c.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 22082⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3668 -ip 36681⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
7.7MB