Analysis
max time kernel: 120s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 25-03-2024 14:10
Behavioral task: behavioral1
Sample: de3258d448ac5d543c996a6b4c0fd6b8.exe
Resource: win7-20240319-en
General
Target: de3258d448ac5d543c996a6b4c0fd6b8.exe
Size: 3.3MB
MD5: de3258d448ac5d543c996a6b4c0fd6b8
SHA1: 44b4fe0e0d731011467f2f0c831f83801c0d068c
SHA256: 9785139b6e8bc5f53da68bed1b78f0567aa00d0de965f8e802e038a1243853e6
SHA512: 71edbb9e13fcdb5f3a86d79446dc4a87c50438b64e7b3cb108fe543be5954e06d3f6f4e9d34135f6baeb8bc19eafa32263e673fae2fdaed547354571b1cffdc7
SSDEEP: 98304:1/xTTgkJENlhU7ZLsyEQrbRt64dtARJACo9x4RqsSTyIv:rTTguENAlLtPrb7Ri/ACo9mR+ys
Malware Config
Extracted
Family: 44caliber
Exfiltration webhook (C2): https://discord.com/api/webhooks/877099784312328213/gbN3AhFr-HwOYeSmi-AjLnTIHhnG8GV5LfjEhIncHO-_rtFM2jafytOi5GkZCyhMgXTd
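As an added example (my own code, not part of the Triage report and not 44caliber's code), here is how an analyst can work with a webhook URL like the one above without ever contacting Discord. The webhook ID is a Discord snowflake, so the hook's creation time can be read straight out of the ID. The regex, the `Webhook` type, the redaction format and the constructed config blob are assumptions of this example; the only report data it uses is the URL listed above.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Discord snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Webhook URL shape: /api/webhooks/<id>/<token>. The id is a snowflake (17-20 digits),
# the token is URL-safe base64. ptb./canary. and discordapp.com hosts also occur in the wild.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})"
)


class Webhook(NamedTuple):
    url: str
    webhook_id: int
    token: str
    created_at: datetime  # decoded from the snowflake: when the hook was created


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Bits 22..63 of a Discord snowflake are milliseconds since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(
        microsecond=(ms % 1000) * 1000
    )


def find_webhooks(blob: str) -> list[Webhook]:
    """Pull every Discord webhook out of a config dump or `strings` output."""
    hooks = []
    for m in WEBHOOK_RE.finditer(blob):
        wid = int(m.group("id"))
        hooks.append(Webhook(m.group(0), wid, m.group("token"), snowflake_to_datetime(wid)))
    return hooks


def redact(hook: Webhook) -> str:
    """Share-safe form: the id identifies the hook to Discord, the token must not leak."""
    t = hook.token
    return (
        f"discord webhook {hook.webhook_id} token={t[:4]}...{t[-4:]} "
        f"created={hook.created_at:%Y-%m-%d %H:%M:%SZ}"
    )


# Constructed input: the webhook from this report embedded between decoy strings,
# the way it would sit in a dumped config or in `strings` output of the binary.
SAMPLE_CONFIG = (
    "44caliber\x00https://discord.com/api/webhooks/877099784312328213/"
    "gbN3AhFr-HwOYeSmi-AjLnTIHhnG8GV5LfjEhIncHO-_rtFM2jafytOi5GkZCyhMgXTd\x00"
    "https://discord.com/invite/not-a-webhook\x00"
)

if __name__ == "__main__":
    for hook in find_webhooks(SAMPLE_CONFIG):
        print(redact(hook))
```

The decoded creation time (17 August 2021 for this ID) tells you how old the exfiltration channel is, which is often the quickest way to tell a fresh campaign from an old sample that was re-uploaded. Anyone holding the full URL can also remove the hook through Discord's documented `DELETE /api/webhooks/{id}/{token}` endpoint (no bot authentication needed), which is the usual takedown for stealer webhooks; this example deliberately never sends anything.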
Signatures

Detects Echelon Stealer payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x0009000000023341-30.dat | family_echelon
behavioral2/memory/2140-39-0x000001802BE30000-0x000001802BEC8000-memory.dmp | family_echelon
The memory match is in PID 2140, which is ProtonHackers.exe (see Processes), the same process that reads the Outlook profile keys below.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | de3258d448ac5d543c996a6b4c0fd6b8.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | de3258d448ac5d543c996a6b4c0fd6b8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | de3258d448ac5d543c996a6b4c0fd6b8.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | de3258d448ac5d543c996a6b4c0fd6b8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | RACKED.exe
Executes dropped EXE (3 IoCs)
pid | Process
332 | RACKED.exe
3008 | ProtonHack.exe
2140 | ProtonHackers.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer (2 IoCs)
resource | yara_rule
behavioral2/memory/4344-0-0x0000000000400000-0x0000000000C12000-memory.dmp | themida
behavioral2/memory/4344-13-0x0000000000400000-0x0000000000C12000-memory.dmp | themida
PID 4344 is the submitted sample itself (see Processes), so the outer loader is Themida-protected; that is consistent with the NtSetInformationThreadHideFromDebugger call recorded for the same PID below.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ProtonHackers.exe
Key opened | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ProtonHackers.exe
Key opened | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ProtonHackers.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (1 IoC)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | de3258d448ac5d543c996a6b4c0fd6b8.exe
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
32 | freegeoip.app
40 | api.ipify.org
41 | api.ipify.org
50 | ip-api.com
31 | freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
4344 | de3258d448ac5d543c996a6b4c0fd6b8.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | ProtonHack.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ProtonHack.exe
NTFS ADS (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Temp\40==K5 >B 0::0.txt | RACKED.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\40==K5 >B 0::0.txt | RACKED.exe
The file name is mis-rendered Cyrillic: each UTF-16 code unit kept only its low byte, and restoring the 0x04 high byte gives данные от акка.txt ("data from the account"). The colons in the rendered name come from that mangling (к is U+043A, low byte 0x3A = ':'), so the NTFS ADS signature most likely fired on those colons rather than on a real alternate data stream.
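An added example (my own code, neither the report's nor the sample's) that performs the repair of the file name above. It assumes the mangling is the one just described (only the low byte of each UTF-16 code unit survived) and treats the result as an inference: the only thing the function guarantees is that the candidate consists entirely of Russian letters, which is what rules out ordinary ASCII names such as RACKED.exe.

```python
from typing import Optional

CYRILLIC_HIGH_BYTE = 0x0400  # U+0400 block; Russian letters occupy U+0410..U+044F plus Ё/ё


def is_russian_letter(cp: int) -> bool:
    return 0x0410 <= cp <= 0x044F or cp in (0x0401, 0x0451)


def restore_cyrillic(mangled: str) -> Optional[str]:
    """Put the dropped 0x04 high byte back on every non-space character of the stem.

    A narrow-string sink keeps only the low byte of each UTF-16 code unit, so 'д'
    (U+0434) shows up as '4' (0x34). Returns None unless every restored code point
    is a Russian letter, so plain ASCII names (whose letters land outside the block)
    are rejected rather than turned into nonsense.
    """
    stem, dot, ext = mangled.rpartition(".")
    if not dot:                      # no extension: the whole name is the stem
        stem, ext = mangled, ""
    restored = []
    for ch in stem:
        if ch == " ":                # spaces survive the mangling unchanged
            restored.append(ch)
            continue
        if ord(ch) > 0xFF:           # already non-Latin-1: not a mangled code unit
            return None
        cp = CYRILLIC_HIGH_BYTE | ord(ch)
        if not is_russian_letter(cp):
            return None
        restored.append(chr(cp))
    return "".join(restored) + dot + ext


# The IoC from the report, exactly as the sandbox rendered it.
REPORT_IOC = r"C:\Users\Admin\AppData\Local\Temp\40==K5 >B 0::0.txt"


def restore_path(path: str) -> Optional[str]:
    """Apply the repair to the last path component only; the directory is real ASCII."""
    head, sep, name = path.rpartition("\\")
    fixed = restore_cyrillic(name)
    return None if fixed is None else head + sep + fixed


if __name__ == "__main__":
    print(restore_path(REPORT_IOC))
```

Treat the output as a candidate, not a fact: a stem made only of digits and punctuation (for example "2024.txt") also maps onto valid Cyrillic letters, so the check cannot tell a genuinely mangled name from a short numeric one. When it matters, confirm against the dropped file itself or against the file-system events in the original task.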
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
3008 | ProtonHack.exe (5 events)
2140 | ProtonHackers.exe (3 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3008 | ProtonHack.exe
Token: SeDebugPrivilege | 2140 | ProtonHackers.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 4344 wrote to memory of 332 | 4344 | de3258d448ac5d543c996a6b4c0fd6b8.exe | 97 (3 events)
PID 332 wrote to memory of 3008 | 332 | RACKED.exe | 98 (2 events)
PID 332 wrote to memory of 2140 | 332 | RACKED.exe | 99 (2 events)
These writes are the drop chain 4344 (sample) -> 332 (RACKED.exe) -> 3008 (ProtonHack.exe) and 2140 (ProtonHackers.exe), matching the Processes tree; procid_target is the sandbox's internal process index, not a Windows PID.
outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ProtonHackers.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ProtonHackers.exe
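An added example (my own code, not a Triage component) that re-derives the signatures above from raw registry and DNS rows, the way you would when reading a sandbox's unsigned event log or a Sysmon-style export. The "kind | detail | process" line format, the tag names and the two benign decoy rows (a ProductName read and a www.microsoft.com lookup) are assumptions of this example; the key paths and domains are exactly the ones the report lists. Matching is case-insensitive on purpose: the registry is case-insensitive and the report itself spells the same key both DESCRIPTION and Description.

```python
from collections import defaultdict

# Registry paths (matched case-insensitively as substrings) and the technique each reveals.
REGISTRY_TAGS = [
    (r"\HARDWARE\ACPI\DSDT\VBOX__",                     "anti-vm: VirtualBox ACPI table"),
    (r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",  "anti-sandbox: BIOS version"),
    (r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",   "anti-sandbox: video BIOS version"),
    (r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "anti-sandbox: CPU identifier"),
    (r"\Control Panel\International\Geo\Nation",         "geofence: country code lookup"),
    (r"\Policies\System\EnableLUA",                      "recon: UAC status"),
    (r"\Outlook\Profiles",                               "cred-theft: Outlook profile"),
    (r"\Windows Messaging Subsystem\Profiles",           "cred-theft: MAPI profile"),
]

# "What is my IP" services seen in this report's flows.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ip-api.com", "freegeoip.app"}

# Constructed input: the report's rows in my own line format, plus two benign decoys
# (the ProductName read and the www.microsoft.com lookup) that must not be flagged.
SAMPLE_EVENTS = r"""
reg | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | de3258d448ac5d543c996a6b4c0fd6b8.exe
reg | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | de3258d448ac5d543c996a6b4c0fd6b8.exe
reg | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | de3258d448ac5d543c996a6b4c0fd6b8.exe
reg | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | de3258d448ac5d543c996a6b4c0fd6b8.exe
reg | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | de3258d448ac5d543c996a6b4c0fd6b8.exe
reg | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | ProtonHack.exe
reg | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ProtonHack.exe
reg | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName | ProtonHack.exe
reg | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ProtonHackers.exe
reg | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ProtonHackers.exe
dns | api.ipify.org | flow 40
dns | ip-api.com | flow 50
dns | freegeoip.app | flow 31
dns | www.microsoft.com | flow 12
"""


def parse_events(text: str):
    """Yield (kind, detail, process) triples from the pipe-separated line format."""
    for line in text.strip().splitlines():
        kind, detail, proc = (field.strip() for field in line.split("|", 2))
        yield kind, detail, proc


def triage(text: str) -> dict:
    """Map each process (or 'network' for DNS rows) to the set of technique tags it triggered."""
    tags = defaultdict(set)
    for kind, detail, proc in parse_events(text):
        if kind == "reg":
            low = detail.lower()
            for needle, tag in REGISTRY_TAGS:
                if needle.lower() in low:
                    tags[proc].add(tag)
        elif kind == "dns":
            host = detail.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in IP_LOOKUP_DOMAINS):
                tags["network"].add(f"recon: external IP lookup via {host}")
    return dict(tags)


def verdict(tags: dict) -> str:
    """Roll the per-process tags up into the one-line summary an analyst wants first."""
    all_tags = set().union(*tags.values()) if tags else set()
    evasion = any(t.startswith("anti-") for t in all_tags)
    theft = any(t.startswith("cred-theft") for t in all_tags)
    recon = any(t.startswith(("recon", "geofence")) for t in all_tags)
    if theft and evasion:
        return "infostealer with VM/sandbox evasion"
    if theft:
        return "infostealer"
    if evasion or recon:
        return "evasive/reconnaissance behaviour, no credential access seen"
    return "nothing notable"


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for proc, found in sorted(result.items()):
        print(proc, sorted(found))
    print(verdict(result))
```

Note what the per-process view adds over the flat signature list: the evasion checks all sit in the Themida-protected outer process (4344), while the credential access is only in ProtonHackers.exe (2140), which is exactly where the Echelon YARA rule matched in memory. A detection built on the outer process alone would never see the theft stage.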
Processes

C:\Users\Admin\AppData\Local\Temp\de3258d448ac5d543c996a6b4c0fd6b8.exe (depth 1, PID 4344)
  command line: "C:\Users\Admin\AppData\Local\Temp\de3258d448ac5d543c996a6b4c0fd6b8.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RACKED.exe (depth 2, PID 332, parent 4344)
      command line: "C:\Users\Admin\AppData\Local\Temp\RACKED.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - NTFS ADS
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe (depth 3, PID 3008, parent 332)
          command line: "C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe"
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe (depth 3, PID 2140, parent 332)
          command line: "C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - outlook_office_path
          - outlook_win_path

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 4604; an Edge utility process with no parent in the sample's tree, not spawned by the sample)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4052 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 274KB
MD5: 9df1e86f0c44b525df31975949fe225a
SHA1: a1869bd91c12f6e96339d112d2acb0f018c31f6e
SHA256: 13685d73ac437d3d5f976b9f600b183a489aa8871596ee9bec5d27ceb53c0b13
SHA512: 7dfe7348e4934aa5d5b21af64ed0d90397fb430ea8dd6f5b104b69edc80e51766c6150f8db37749912dc47f604fa18dff4e9cfbf7a850248d16cf8acdd2d5bb6

Filesize: 581KB
MD5: ae9fc2812c2a6d55c9f66b626963639f
SHA1: 22b0e3477e075bb7fbe70121f51567d50c6d5d39
SHA256: c46ae05c8aecb322d21d504e5dc4665304c12f4a23da2222f58bc940ee53345c
SHA512: 37ef5617f2fda51865f850a9d089e9e56de29508a1b153ada6fd8e32375fdd0f8750b9c5946508a5b0a7a06d61f271fc3d4ffca66d2a8ae72adfed11fc226e88

Filesize: 575KB
MD5: 1bedb8644adbf8aa590d04ebb31edb87
SHA1: 5467bb793d56356a418c779dd2677c9ebf92a7a6
SHA256: 5db197f06ea1b086ef988650989d7dc85388a1f6be6d4fc1cfa27231f05e587b
SHA512: 5c56418fe8d4536d6227123df14204235f2c86276030ed6f2a420daf41b3a78614aa374916daa92a06bfdaf6a204f54f22cf97ba33f492b9376ab798313acdac

Filesize: 92KB
MD5: fbe4c51ee21cb3ec2e3c7698c9f7bdb0
SHA1: 22f78716f3ab309bb89a86dc7f2f4f71f05e5aae
SHA256: fd94eefb6e43f441bc8daafd21b51612016a8baecf93a088e91e4e3b6c0b36d0
SHA512: 6185afbbb674c2dad6a737fff3e7283633595bb8aea200b1312a98967060f3e3bd93c2f51116ce5350de6d9abd78c0de8aeb31706b85e793e00e104a08353278

Filesize: 1KB
MD5: 7cf2d5d272b2206b41811c6cadf1fabe
SHA1: 816d7b3699644d2b7bab799160952ba1ae89c736
SHA256: ce498281ff312f74a4002d26b45af927687d9a845d36706af3f54ae6de388e29
SHA512: 0e2ed1326e9fbd76428060e38af425ca314984b69e65a8b3ef7eee9a37f4454c67f5727c4ba7abcb6c3b99b6625098440c6c0cebf2b041432b8335c56cb4c08b