Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-04-2024 01:28
Behavioral task
behavioral1
Sample
84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
General
-
Target
84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe
-
Size
581KB
-
MD5
ef058437296cfc61901c367927a3ff4b
-
SHA1
3ad2da48fab1901a345fa1bd66d0de3ed0356346
-
SHA256
84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7
-
SHA512
6063698b00c5abc241bd95a08807b1e31b4fe3fb75948ec8f036b55fa05c95c7aba8598846fcf78a5423da60ec6f915f6c8d835f900ea0bd384f5505b9a12c81
-
SSDEEP
12288:MiZA7E95GUmdgPp+ryZLJLUf9snBS4csPYae6qfzsAA:gEgryhhUF54clNf7sB
Malware Config
Signatures
-
Detects Echelon Stealer payload 2 IoCs
resource yara_rule behavioral1/memory/2208-0-0x0000000000980000-0x0000000000A18000-memory.dmp family_echelon behavioral1/memory/2208-2-0x000000001AE40000-0x000000001AEC0000-memory.dmp family_echelon -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 api.ipify.org 4 api.ipify.org -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2208 84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2208 wrote to memory of 2748 2208 84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe 29 PID 2208 wrote to memory of 2748 2208 84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe 29 PID 2208 wrote to memory of 2748 2208 84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe"C:\Users\Admin\AppData\Local\Temp\84b575b323f2bf336c245c6c29d82a674effe37640a60d52d3fbe3bab26482e7.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2208 -s 13002⤵PID:2748
-