c755e54f2688d8786a2e3770977674421e9346183997618dbb9795d4aebc1117

General

Target

Echo Mirage.7z
Size

9.5MB
MD5

5da7ca6f6f3c3ee8dd1d86f174d1f557
SHA1

3c724b5752f7d8fa0852e91fe656c72c24b3a83a
SHA256

c755e54f2688d8786a2e3770977674421e9346183997618dbb9795d4aebc1117
SHA512

3062d94c7a07185fbb10baefd2ef831c1ce1543f2e01116c74b7ca040bc2625c7ee48518d4f09c77345e892c2a9bb35c26e9e95ccfeeb97d738ff5302239ae14
SSDEEP

196608:Qke4SKN+njhTTcT0twzaXvt16TomFIZSWupLkyrIRXelLCqzncjQ:NecNU5ThtLvgJFYqpLkyrxlLC8cE

Score

7^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

EchoMirage.exe429635927.exe

pid process

2080 EchoMirage.exe
4320 429635927.exe
Loads dropped DLL 2 IoCs

Processes:

429635927.exe

pid process

4320 429635927.exe
4320 429635927.exe

pid	process
2080	EchoMirage.exe
4320	429635927.exe

pid	process
4320	429635927.exe
4320	429635927.exe

Obfuscated with Agile.Net obfuscator 5 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/4320-29-0x0000000000400000-0x0000000000FC3000-memory.dmp	agile_net
behavioral1/memory/4320-35-0x0000000000400000-0x0000000000FC3000-memory.dmp	agile_net
behavioral1/memory/4320-37-0x0000000000400000-0x0000000000FC3000-memory.dmp	agile_net
behavioral1/memory/4320-66-0x0000000000400000-0x0000000000FC3000-memory.dmp	agile_net
behavioral1/memory/4320-135-0x0000000000400000-0x0000000000FC3000-memory.dmp	agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

429635927.exe

pid process

4320 429635927.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4320	429635927.exe

Modifies registry class 54 IoCs

Processes:

EchoMirage.execmd.exeOpenWith.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	EchoMirage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	EchoMirage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 60003100000000009b587ba110004543484f4d497e310000480009000400efbe9c58a8029c58a8022e0000002b690100000010000000000000000000000000000000b15a4f004500630068006f0020004d0069007200610067006500000018000000	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "4"	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "3"	EchoMirage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	EchoMirage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	EchoMirage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	EchoMirage.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	EchoMirage.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	EchoMirage.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	EchoMirage.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

EchoMirage.exe429635927.exe

pid process

2080 EchoMirage.exe
2080 EchoMirage.exe
4320 429635927.exe
4320 429635927.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EchoMirage.exe

pid process

2080 EchoMirage.exe

pid	process
2080	EchoMirage.exe
2080	EchoMirage.exe
4320	429635927.exe
4320	429635927.exe

pid	process
2080	EchoMirage.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

7zFM.exeEchoMirage.exe429635927.exe

description	pid	process
Token: SeRestorePrivilege	4112	7zFM.exe
Token: 35	4112	7zFM.exe
Token: SeSecurityPrivilege	4112	7zFM.exe
Token: SeIncreaseQuotaPrivilege	2080	EchoMirage.exe
Token: SeSecurityPrivilege	2080	EchoMirage.exe
Token: SeLoadDriverPrivilege	2080	EchoMirage.exe
Token: SeSystemProfilePrivilege	2080	EchoMirage.exe
Token: SeSystemtimePrivilege	2080	EchoMirage.exe
Token: SeProfSingleProcessPrivilege	2080	EchoMirage.exe
Token: SeIncBasePriorityPrivilege	2080	EchoMirage.exe
Token: SeCreatePagefilePrivilege	2080	EchoMirage.exe
Token: SeShutdownPrivilege	2080	EchoMirage.exe
Token: SeDebugPrivilege	2080	EchoMirage.exe
Token: SeSystemEnvironmentPrivilege	2080	EchoMirage.exe
Token: SeRemoteShutdownPrivilege	2080	EchoMirage.exe
Token: SeUndockPrivilege	2080	EchoMirage.exe
Token: SeManageVolumePrivilege	2080	EchoMirage.exe
Token: 33	2080	EchoMirage.exe
Token: 34	2080	EchoMirage.exe
Token: 35	2080	EchoMirage.exe
Token: 36	2080	EchoMirage.exe
Token: SeDebugPrivilege	4320	429635927.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zFM.exeEchoMirage.exe

pid process

4112 7zFM.exe
4112 7zFM.exe
2080 EchoMirage.exe
2080 EchoMirage.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exeEchoMirage.exe

pid process

4784 OpenWith.exe
2080 EchoMirage.exe

pid	process
4112	7zFM.exe
4112	7zFM.exe
2080	EchoMirage.exe
2080	EchoMirage.exe

pid	process
4784	OpenWith.exe
2080	EchoMirage.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

EchoMirage.exe

description	pid	process	target process
PID 2080 wrote to memory of 4320	2080	EchoMirage.exe	429635927.exe
PID 2080 wrote to memory of 4320	2080	EchoMirage.exe	429635927.exe
PID 2080 wrote to memory of 4320	2080	EchoMirage.exe	429635927.exe
PID 2080 wrote to memory of 4320	2080	EchoMirage.exe	429635927.exe
PID 2080 wrote to memory of 4320	2080	EchoMirage.exe	429635927.exe
PID 2080 wrote to memory of 4320	2080	EchoMirage.exe	429635927.exe
PID 2080 wrote to memory of 4320	2080	EchoMirage.exe	429635927.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Echo Mirage.7z"
1⤵
- Modifies registry class
PID:4756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4772

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Echo Mirage.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4112

C:\Users\Admin\Desktop\Echo Mirage\EchoMirage.exe
"C:\Users\Admin\Desktop\Echo Mirage\EchoMirage.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\Desktop\429635927.exe
"C:\Users\Admin\Desktop\429635927.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\429635927.exe
Filesize
7.5MB

MD5
e74eafef23a34eec03b91aa62493ca15

SHA1
94bf8bba4fe1e973a5ac6739127c16d645d1156a

SHA256
1ffda4e6f64f044ffa2a79d8cf710b02014e7da5cd60300e8b08f615d5f81cc0

SHA512
9cf9a1dea10cd37af4975425f005552ff0405670c92376cdade41315911e3f6471b3ac25852ea8a21e31d94bc404de7a1336ac0322d049d562670e8f61fc81aa

Download Submit
C:\Users\Admin\Desktop\Echo Mirage\EchoMirage.exe
Filesize
6.3MB

MD5
b859c2f0ed7bea595f632163f78a3b9e

SHA1
ff171191ce3d405db917b652f8b0a502f6a66f11

SHA256
d10ad92caff49ee4737a577b72e7647d0d3d06a4feb7d515ec44a6163edcab2e

SHA512
83a4a2f4f68c30dd4c298ba57666c85fec84102ff794c0388bea79aa972c31b1f2de43f60e27f46f807867f5601c8b35aba6eaaf734074f183c99fa4d37b2ac5

Download Submit
C:\Users\Admin\Desktop\Echo Mirage\EchoMirageHooks32.dll
Filesize
443KB

MD5
e1390e79577ab2dd75e17250e73d4abe

SHA1
457b9a21f6b7a0e8297d6aa61c2cedb85adcd907

SHA256
2c232c3e196cbb2651fd0c6187697cc4bae752c2b471875943a2dac9d8b02db0

SHA512
4a4cdd4b66f7b39a56a5eec8a0c7e29340f4b032edd8da246feaf5dd2d4847d2586ffe64f172132d79b3f2a66ce1f861dc700e5eec83689de672eb103f2234e2

Download Submit
C:\Users\Admin\Desktop\Echo Mirage\EchoMirageUnelevated.exe
Filesize
282KB

MD5
708c0ca4057bfa069fa456c43ef3ba07

SHA1
c50d48178837dffa7b0f00b28ac39139dbc98972

SHA256
8b9cc2596c0434d223cc84627c770dcf9eb58180e18a2be2cede741a50e3158b

SHA512
e0648ff5b8b054ddf6efd3a39e00e9e47b5d98125102ec2f1421fa4b63d5089c2f984cadcbffd9a8d57d41f58561c2dee81e2993e9258c8490ec13644e53bcc3

Download Submit
C:\Users\Admin\Desktop\Echo Mirage\unins000.exe
Filesize
787KB

MD5
16f9bd410649d056813ec6e512f27e0b

SHA1
ee003f3df76f564f82e2f455417af03f9e9f181f

SHA256
39493b65a2ebc5a08c4ff8e5b5137114b927d7c99b69bb7d0f4f7a7603f99fff

SHA512
62507c25ddb1a77519eea51a2a24e5f5c1953b8b28125300e74ed2159c97ebc605f7d09843f017b4f0337f3bc32b61b996cbc739043a49d418b228cbe6719025

Download Submit
memory/2080-38-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4320-27-0x0000000002C80000-0x0000000002CFA000-memory.dmp

Filesize
488KB

Download
memory/4320-28-0x0000000000400000-0x0000000000FC3000-memory.dmp

Filesize
11.8MB

Download
memory/4320-30-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/4320-31-0x0000000002D00000-0x0000000002D40000-memory.dmp

Filesize
256KB

Download
memory/4320-29-0x0000000000400000-0x0000000000FC3000-memory.dmp

Filesize
11.8MB

Download
memory/4320-32-0x0000000076330000-0x0000000076545000-memory.dmp

Filesize
2.1MB

Download
memory/4320-33-0x0000000077740000-0x00000000779C1000-memory.dmp

Filesize
2.5MB

Download
memory/4320-34-0x0000000075C90000-0x0000000075D73000-memory.dmp

Filesize
908KB

Download
memory/4320-35-0x0000000000400000-0x0000000000FC3000-memory.dmp

Filesize
11.8MB

Download
memory/4320-36-0x0000000073470000-0x00000000734F9000-memory.dmp

Filesize
548KB

Download
memory/4320-37-0x0000000000400000-0x0000000000FC3000-memory.dmp

Filesize
11.8MB

Download
memory/4320-39-0x0000000009DE0000-0x000000000A7D2000-memory.dmp

Filesize
9.9MB

Download
memory/4320-40-0x000000000A7D0000-0x000000000AA94000-memory.dmp

Filesize
2.8MB

Download
memory/4320-41-0x000000000ABC0000-0x000000000ACD9000-memory.dmp

Filesize
1.1MB

Download
memory/4320-42-0x000000000ABC0000-0x000000000ACD9000-memory.dmp

Filesize
1.1MB

Download
memory/4320-43-0x000000000ABC0000-0x000000000ACD9000-memory.dmp

Filesize
1.1MB

Download
memory/4320-59-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/4320-57-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/4320-55-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/4320-53-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/4320-52-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/4320-63-0x0000000076E50000-0x0000000077403000-memory.dmp

Filesize
5.7MB

Download
memory/4320-64-0x000000000F860000-0x000000000F8F2000-memory.dmp

Filesize
584KB

Download
memory/4320-68-0x0000000077A90000-0x0000000077AB4000-memory.dmp

Filesize
144KB

Download
memory/4320-67-0x0000000076330000-0x0000000076545000-memory.dmp

Filesize
2.1MB

Download
memory/4320-70-0x0000000076570000-0x0000000076690000-memory.dmp

Filesize
1.1MB

Download
memory/4320-66-0x0000000000400000-0x0000000000FC3000-memory.dmp

Filesize
11.8MB

Download
memory/4320-73-0x0000000075EF0000-0x0000000075FAF000-memory.dmp

Filesize
764KB

Download
memory/4320-72-0x0000000076C10000-0x0000000076C85000-memory.dmp

Filesize
468KB

Download
memory/4320-71-0x0000000075FB0000-0x000000007606F000-memory.dmp

Filesize
764KB

Download
memory/4320-69-0x00000000776A0000-0x000000007771B000-memory.dmp

Filesize
492KB

Download
memory/4320-76-0x0000000002C80000-0x0000000002CFA000-memory.dmp

Filesize
488KB

Download
memory/4320-83-0x00000000751A0000-0x00000000751AF000-memory.dmp

Filesize
60KB

Download
memory/4320-89-0x0000000073470000-0x00000000734F9000-memory.dmp

Filesize
548KB

Download
memory/4320-94-0x0000000003920000-0x0000000003938000-memory.dmp

Filesize
96KB

Download
memory/4320-96-0x000000006F190000-0x000000006F1BB000-memory.dmp

Filesize
172KB

Download
memory/4320-95-0x000000006F1C0000-0x000000006F2A3000-memory.dmp

Filesize
908KB

Download
memory/4320-93-0x0000000003330000-0x0000000003336000-memory.dmp

Filesize
24KB

Download
memory/4320-92-0x0000000076550000-0x0000000076569000-memory.dmp

Filesize
100KB

Download
memory/4320-91-0x00000000728E0000-0x00000000728F2000-memory.dmp

Filesize
72KB

Download
memory/4320-90-0x0000000073360000-0x0000000073465000-memory.dmp

Filesize
1.0MB

Download
memory/4320-87-0x0000000074910000-0x00000000749BB000-memory.dmp

Filesize
684KB

Download
memory/4320-86-0x00000000749C0000-0x00000000749D4000-memory.dmp

Filesize
80KB

Download
memory/4320-82-0x00000000751B0000-0x000000007523D000-memory.dmp

Filesize
564KB

Download
memory/4320-81-0x00000000774B0000-0x00000000774F5000-memory.dmp

Filesize
276KB

Download
memory/4320-80-0x0000000075270000-0x0000000075294000-memory.dmp

Filesize
144KB

Download
memory/4320-79-0x0000000076D80000-0x0000000076DE3000-memory.dmp

Filesize
396KB

Download
memory/4320-77-0x0000000077410000-0x00000000774A6000-memory.dmp

Filesize
600KB

Download
memory/4320-84-0x0000000075190000-0x0000000075198000-memory.dmp

Filesize
32KB

Download
memory/4320-75-0x0000000075970000-0x00000000759C2000-memory.dmp

Filesize
328KB

Download
memory/4320-78-0x0000000077740000-0x00000000779C1000-memory.dmp

Filesize
2.5MB

Download
memory/4320-135-0x0000000000400000-0x0000000000FC3000-memory.dmp

Filesize
11.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads