Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
25-03-2024 14:10
Behavioral task
behavioral1
Sample
de3258d448ac5d543c996a6b4c0fd6b8.exe
Resource
win7-20240319-en
General
-
Target
de3258d448ac5d543c996a6b4c0fd6b8.exe
-
Size
3.3MB
-
MD5
de3258d448ac5d543c996a6b4c0fd6b8
-
SHA1
44b4fe0e0d731011467f2f0c831f83801c0d068c
-
SHA256
9785139b6e8bc5f53da68bed1b78f0567aa00d0de965f8e802e038a1243853e6
-
SHA512
71edbb9e13fcdb5f3a86d79446dc4a87c50438b64e7b3cb108fe543be5954e06d3f6f4e9d34135f6baeb8bc19eafa32263e673fae2fdaed547354571b1cffdc7
-
SSDEEP
98304:1/xTTgkJENlhU7ZLsyEQrbRt64dtARJACo9x4RqsSTyIv:rTTguENAlLtPrb7Ri/ACo9mR+ys
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/877099784312328213/gbN3AhFr-HwOYeSmi-AjLnTIHhnG8GV5LfjEhIncHO-_rtFM2jafytOi5GkZCyhMgXTd
Signatures
-
Detects Echelon Stealer payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe family_echelon behavioral1/memory/2628-31-0x0000000001340000-0x00000000013D8000-memory.dmp family_echelon -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
de3258d448ac5d543c996a6b4c0fd6b8.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ de3258d448ac5d543c996a6b4c0fd6b8.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
de3258d448ac5d543c996a6b4c0fd6b8.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion de3258d448ac5d543c996a6b4c0fd6b8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion de3258d448ac5d543c996a6b4c0fd6b8.exe -
Executes dropped EXE 3 IoCs
Processes:
RACKED.exeProtonHack.exeProtonHackers.exepid process 1404 RACKED.exe 3068 ProtonHack.exe 2628 ProtonHackers.exe -
Loads dropped DLL 4 IoCs
Processes:
de3258d448ac5d543c996a6b4c0fd6b8.exeRACKED.exepid process 2884 de3258d448ac5d543c996a6b4c0fd6b8.exe 2884 de3258d448ac5d543c996a6b4c0fd6b8.exe 1404 RACKED.exe 1404 RACKED.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/2884-0-0x0000000000400000-0x0000000000C12000-memory.dmp themida behavioral1/memory/2884-32-0x0000000000400000-0x0000000000C12000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Processes:
de3258d448ac5d543c996a6b4c0fd6b8.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA de3258d448ac5d543c996a6b4c0fd6b8.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 freegeoip.app 3 freegeoip.app 4 api.ipify.org 5 api.ipify.org -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
de3258d448ac5d543c996a6b4c0fd6b8.exepid process 2884 de3258d448ac5d543c996a6b4c0fd6b8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ProtonHack.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 ProtonHack.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier ProtonHack.exe -
NTFS ADS 2 IoCs
Processes:
RACKED.exedescription ioc process File created C:\Users\Admin\AppData\Local\Temp\40==K5 >B 0::0.txt RACKED.exe File opened for modification C:\Users\Admin\AppData\Local\Temp\40==K5 >B 0::0.txt RACKED.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
ProtonHack.exepid process 3068 ProtonHack.exe 3068 ProtonHack.exe 3068 ProtonHack.exe 3068 ProtonHack.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ProtonHack.exeProtonHackers.exedescription pid process Token: SeDebugPrivilege 3068 ProtonHack.exe Token: SeDebugPrivilege 2628 ProtonHackers.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
DllHost.exepid process 2632 DllHost.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
de3258d448ac5d543c996a6b4c0fd6b8.exeRACKED.exeProtonHackers.exedescription pid process target process PID 2884 wrote to memory of 1404 2884 de3258d448ac5d543c996a6b4c0fd6b8.exe RACKED.exe PID 2884 wrote to memory of 1404 2884 de3258d448ac5d543c996a6b4c0fd6b8.exe RACKED.exe PID 2884 wrote to memory of 1404 2884 de3258d448ac5d543c996a6b4c0fd6b8.exe RACKED.exe PID 2884 wrote to memory of 1404 2884 de3258d448ac5d543c996a6b4c0fd6b8.exe RACKED.exe PID 1404 wrote to memory of 3068 1404 RACKED.exe ProtonHack.exe PID 1404 wrote to memory of 3068 1404 RACKED.exe ProtonHack.exe PID 1404 wrote to memory of 3068 1404 RACKED.exe ProtonHack.exe PID 1404 wrote to memory of 3068 1404 RACKED.exe ProtonHack.exe PID 1404 wrote to memory of 2628 1404 RACKED.exe ProtonHackers.exe PID 1404 wrote to memory of 2628 1404 RACKED.exe ProtonHackers.exe PID 1404 wrote to memory of 2628 1404 RACKED.exe ProtonHackers.exe PID 1404 wrote to memory of 2628 1404 RACKED.exe ProtonHackers.exe PID 2628 wrote to memory of 2684 2628 ProtonHackers.exe WerFault.exe PID 2628 wrote to memory of 2684 2628 ProtonHackers.exe WerFault.exe PID 2628 wrote to memory of 2684 2628 ProtonHackers.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\de3258d448ac5d543c996a6b4c0fd6b8.exe"C:\Users\Admin\AppData\Local\Temp\de3258d448ac5d543c996a6b4c0fd6b8.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Users\Admin\AppData\Local\Temp\RACKED.exe"C:\Users\Admin\AppData\Local\Temp\RACKED.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe"C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe"C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2628 -s 12604⤵PID:2684
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
PID:2632
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
242B
MD5170a09439462ae3f536b2c5f4277a31c
SHA130b7f1e5e5ba603a2ffdfe00ef3305421b1ff07e
SHA256b2af831b911e253a5cc8124fd0268d73d1aa3e4914b5c48606797995b8af0c8f
SHA512fb436edecf61aef4e8f8359f6f1107cc744e0f663cb3c827cddc2fee377db3198b044bd4f6635f88be4dcdcce732d55601fe873f4fecacbc26d3cdf11321368e
-
Filesize
443B
MD5e4eb408b3076458077762744cf2645ef
SHA180d41125f0964e2415a8fbf8df7e064ccd0cbae5
SHA25624774c8f8efdc068bbbe3e931476f5f409019da0ce3fbe56b983ef0c96f5c1c1
SHA512d8cff83460638f9b29029fd48da9000bbfbd79c1f2ae6da12653d8dae8a8650067feb71ee6875e8d37042b1d0c32a38474fc4e194b0e4ce807fc8c6dd337aedf
-
Filesize
295KB
MD5418e0374acb48a29df66cd6cf77b2556
SHA11aec0f4a7810cea8a0356e3c40602f843e64e8b9
SHA256a9a8e2eb897d271ae1aa442c1c315f3df7b377f33809e82d685452e90f7790fe
SHA5128c6e57b180a57cec0593c77fd8377a4a27e6a64bfd4142e7382c0a4fc0fb95af7bc6daabaabcbc8289029da361ede25fa2bcdf26912a4da05f35f57993a39c13
-
Filesize
581KB
MD5ae9fc2812c2a6d55c9f66b626963639f
SHA122b0e3477e075bb7fbe70121f51567d50c6d5d39
SHA256c46ae05c8aecb322d21d504e5dc4665304c12f4a23da2222f58bc940ee53345c
SHA51237ef5617f2fda51865f850a9d089e9e56de29508a1b153ada6fd8e32375fdd0f8750b9c5946508a5b0a7a06d61f271fc3d4ffca66d2a8ae72adfed11fc226e88
-
Filesize
64KB
MD54e3e3a145100c082b8643dc22a6b48f9
SHA1b4954ec4d81ed8d0a5dbecae897337b8f812d657
SHA25694532042c3dbdc12e95b830f3886085bc44245eb95744e272e40aa2e09332699
SHA512748b524f288f96391342204ab16e8354915a831ebec9c180fd4a7450bc0385eb187d4f6b5f47d28e9c06db6940f598a9d757b0d919d34fe301f1b2464792d762
-
Filesize
449KB
MD5af6dbbdcb44d920c0e41d166b60b26e4
SHA1bd653c5d5985e0cf826fef5c080754a935527afd
SHA2562c1a3eb1514f74d3f0c87e3ba9f205a809eebff725bdf105d50c2de351971592
SHA512ebc0e10e4d5b2dd032ac09c364133cc8483ffc5fae2b39f9a65c11be06ee8b704e52bda47cdcecdcea357d51a4804ab418cadc908d68d6fb545139c5fafe8c83
-
Filesize
274KB
MD59df1e86f0c44b525df31975949fe225a
SHA1a1869bd91c12f6e96339d112d2acb0f018c31f6e
SHA25613685d73ac437d3d5f976b9f600b183a489aa8871596ee9bec5d27ceb53c0b13
SHA5127dfe7348e4934aa5d5b21af64ed0d90397fb430ea8dd6f5b104b69edc80e51766c6150f8db37749912dc47f604fa18dff4e9cfbf7a850248d16cf8acdd2d5bb6
-
Filesize
575KB
MD51bedb8644adbf8aa590d04ebb31edb87
SHA15467bb793d56356a418c779dd2677c9ebf92a7a6
SHA2565db197f06ea1b086ef988650989d7dc85388a1f6be6d4fc1cfa27231f05e587b
SHA5125c56418fe8d4536d6227123df14204235f2c86276030ed6f2a420daf41b3a78614aa374916daa92a06bfdaf6a204f54f22cf97ba33f492b9376ab798313acdac
-
Filesize
549KB
MD511ce8a0ba80fe5b237f361ef05f41507
SHA1c6802f3aa82660932d5a96df939427c2417824d7
SHA2563577fa9dc8ce5c58ec025589a5aa2802332f2ea0310cbe4cecd40250c60fd780
SHA512d254c348d2dbaed48fc6cbeacaffdbe345283b4fbad1739884226b2d424c43492971f2b6ce9e9823ca2c4f0c7b727f0110343d18bc275110c187479ae1ff6d9d