Overview

overview

7

Static

static

3

echo.7z

windows10-2004-x64

7

Analysis

  • max time kernel
    255s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    echo.7z

  • Size

    11.4MB

  • MD5

    4818accedc08bbb6f350a96a7dc11871

  • SHA1

    96b90dd9099b689127c5c965eb1518acbef9bf9e

  • SHA256

    a00dc4b646318db993937ca9006bf9bcd361947ce53946b8b308c14c06c2bbe9

  • SHA512

    19548b09f6b58cbc2913eb35187dacb8b216f057fcd2359a06a98d73a2fd4f9d3b64a8b6cc6cc24f8fe5f22b0c32c93def611882f723a8db4043e044105cb285

  • SSDEEP

    196608:3U6ke4SKN+wM9xEA1uA3eCnyBNSz6vBaVXBqK4s0/lrCpFrhGM4kuSb0n:3ULecNJKTyBNoQKwKhGM4/D

Score
7/10
agilenet

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 5 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Drops file in System32 directory 45 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\echo.7z
    1⤵
    • Modifies registry class
    PID:1300
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2164
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4028
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\echo.7z"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1836
    • C:\Users\Admin\Desktop\echo\EchoMirage.exe
      "C:\Users\Admin\Desktop\echo\EchoMirage.exe"
      1⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Users\Admin\Desktop\1058352281.exe
        "C:\Users\Admin\Desktop\1058352281.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3604
    • C:\Users\Admin\Desktop\ollydbg\OLLYDBG 9in1.EXE
      "C:\Users\Admin\Desktop\ollydbg\OLLYDBG 9in1.EXE"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Users\Admin\Desktop\ollydbg\OLLYDBG 9in1.EXE
      "C:\Users\Admin\Desktop\ollydbg\OLLYDBG 9in1.EXE"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2448
    • C:\Users\Admin\Desktop\ollydbg\OLLYDBG 9in1.EXE
      "C:\Users\Admin\Desktop\ollydbg\OLLYDBG 9in1.EXE"
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Users\Admin\Desktop\1058352281.exe
        "C:\Users\Admin\Desktop\1058352281.exe"
        2⤵
        • Executes dropped EXE
        PID:4116

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\1058352281.exe
      Filesize

      7.5MB

      MD5

      08db896a19a103730f5d4d9b495c1e87

      SHA1

      c1ff39e34372970533ecfff4444ddf43f37069ae

      SHA256

      147526e215dce704e9a70ba57ec84ec593204c8427565c2848249b8a3ff8a208

      SHA512

      e5f82b1091786c5d03144202cc1efc56f3c1830c495d0d6c548b06acda20661af70f7413ed406e0c8a068df155adc761e8f9911e575a6d0d609ede539809d9eb

      Download Submit
    • C:\Users\Admin\Desktop\echo\EchoMirage.exe
      Filesize

      6.3MB

      MD5

      b859c2f0ed7bea595f632163f78a3b9e

      SHA1

      ff171191ce3d405db917b652f8b0a502f6a66f11

      SHA256

      d10ad92caff49ee4737a577b72e7647d0d3d06a4feb7d515ec44a6163edcab2e

      SHA512

      83a4a2f4f68c30dd4c298ba57666c85fec84102ff794c0388bea79aa972c31b1f2de43f60e27f46f807867f5601c8b35aba6eaaf734074f183c99fa4d37b2ac5

      Download Submit
    • C:\Users\Admin\Desktop\echo\EchoMirageHooks32.dll
      Filesize

      443KB

      MD5

      e1390e79577ab2dd75e17250e73d4abe

      SHA1

      457b9a21f6b7a0e8297d6aa61c2cedb85adcd907

      SHA256

      2c232c3e196cbb2651fd0c6187697cc4bae752c2b471875943a2dac9d8b02db0

      SHA512

      4a4cdd4b66f7b39a56a5eec8a0c7e29340f4b032edd8da246feaf5dd2d4847d2586ffe64f172132d79b3f2a66ce1f861dc700e5eec83689de672eb103f2234e2

      Download Submit
    • C:\Users\Admin\Desktop\echo\EchoMirageUnelevated.exe
      Filesize

      282KB

      MD5

      708c0ca4057bfa069fa456c43ef3ba07

      SHA1

      c50d48178837dffa7b0f00b28ac39139dbc98972

      SHA256

      8b9cc2596c0434d223cc84627c770dcf9eb58180e18a2be2cede741a50e3158b

      SHA512

      e0648ff5b8b054ddf6efd3a39e00e9e47b5d98125102ec2f1421fa4b63d5089c2f984cadcbffd9a8d57d41f58561c2dee81e2993e9258c8490ec13644e53bcc3

      Download Submit
    • C:\Users\Admin\Desktop\echo\unins000.exe
      Filesize

      787KB

      MD5

      16f9bd410649d056813ec6e512f27e0b

      SHA1

      ee003f3df76f564f82e2f455417af03f9e9f181f

      SHA256

      39493b65a2ebc5a08c4ff8e5b5137114b927d7c99b69bb7d0f4f7a7603f99fff

      SHA512

      62507c25ddb1a77519eea51a2a24e5f5c1953b8b28125300e74ed2159c97ebc605f7d09843f017b4f0337f3bc32b61b996cbc739043a49d418b228cbe6719025

      Download Submit
    • C:\Users\Admin\Desktop\ollydbg\Lib\MFC42.Lib
      Filesize

      2.1MB

      MD5

      23dbc1c7e5d71e307b3caef5478fbaa5

      SHA1

      921b3b8f52087ab03eaccf74ec55109c81efc6fe

      SHA256

      b50e66c8aba822a981c3861e1947c0047256661f3d1e41165a67c8af4e11e743

      SHA512

      17682cbc9d37791393f497c36c02abf541d5d7aa697704042e245e8f9da771209440d68bd7df7550dffd4c7c39eac8553751bf2081dc03b663effef011565732

      Download Submit
    • C:\Users\Admin\Desktop\ollydbg\Lib\mfc71.Lib
      Filesize

      2.5MB

      MD5

      42bc9eea3acc3e9a4432d4b442d228d0

      SHA1

      8c772b5d97b1e78c065c40d4448c741a55ee3f1f

      SHA256

      a906a075d51a769c304b567cca80967b1ab621c4452e088e788d93f862b7310d

      SHA512

      3deace223fae0f75109f56f9f96284418251c0bcd0afbf5294b8913c3d311741f526491e6c3a0728c8662b2b99cb3faf5e0d0ee67cc3e6bef76c38f6f072afe6

      Download Submit
    • C:\Users\Admin\Desktop\ollydbg\OLLYDBG 9in1.EXE
      Filesize

      1.1MB

      MD5

      a25619c1946816b7bfa807b6ea93a2d4

      SHA1

      2d355f2b5495c18b65d585569c0a83b09896fb75

      SHA256

      fbd8f7948fc78efacee917fdd48ecf4d1576029e1ec5963ec65b0e370fb5c95d

      SHA512

      16a2efd3cba1ebb9c140d92cf60f2a8d2cc2cbf59d007c38757e43921a6b1305f17149bca1f3f6ff2ed8d8c613cc32987d3559a1dbb21ddb759b4a209fa2f0ff

      Download Submit
    • C:\Users\Admin\Desktop\ollydbg\OLLYDBG.exe
      Filesize

      1.1MB

      MD5

      e6ed9d8c957ce32a7542ec058759ed9c

      SHA1

      dae591d49a59a26f7197d32b271a7cbdb7cdb4ef

      SHA256

      664da7e350029dfb5a5cc28b41e998af5df675b53afcf202251fc79c11ce8791

      SHA512

      1354ecc99b80055f972cec586670f0f8cf4ad40c47e6b68ba0afde7ee280bc85c852fc10d5ed6cbaf431a1427389257436969d79c36257275e215ac239bf98bb

      Download Submit
    • C:\Users\Admin\Desktop\ollydbg\ollydbg.ini
      Filesize

      10KB

      MD5

      775391fa774a011f17c202866934def0

      SHA1

      1965a4f8e821540fc6b258ee8a93e5eb65794965

      SHA256

      cb5b026cde79be6f5b2e0104324f30b517d018bf48b001ae736d0f6feccc9dd3

      SHA512

      689cd75e3b47d0e6745f999fda5800619f1bd851f1e1e1a35171f7f80556456df4b046ecae29e27284c30150cf37369156cfcf4aa6d36fb63aa06c051192e3c2

      Download Submit
    • C:\Users\Admin\Desktop\ollydbg\ollydbg.ini
      Filesize

      10KB

      MD5

      2fb75032c69e8a28fa37a9d8400c49be

      SHA1

      e9d2a98059394e1cff04e55003d208fb4339dd6f

      SHA256

      ca09f2944322b5104e03635c9f1458d7ed9e1e815cfcc717246df71ecdad9d4b

      SHA512

      e618c39699f1b39ed38c3c14282c34d1bff93ec7c4df1a47cefdb456e262170a853550a13c003753e7349d14d99f6f86b0c7127e048ee9db1e2f53592ab20781

      Download Submit
    • memory/2968-122-0x0000000000400000-0x0000000000A73000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/3604-150-0x0000000076550000-0x0000000076765000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3604-178-0x000000006EB50000-0x000000006EC33000-memory.dmp
      Filesize

      908KB

      Download
    • memory/3604-120-0x0000000072E00000-0x0000000072E89000-memory.dmp
      Filesize

      548KB

      Download
    • memory/3604-121-0x0000000000400000-0x0000000000FA7000-memory.dmp
      Filesize

      11.7MB

      Download
    • memory/3604-118-0x00000000772A0000-0x0000000077383000-memory.dmp
      Filesize

      908KB

      Download
    • memory/3604-123-0x000000000A4B0000-0x000000000AEA2000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/3604-124-0x000000000C330000-0x000000000C5F4000-memory.dmp
      Filesize

      2.8MB

      Download
    • memory/3604-125-0x000000000A0A0000-0x000000000A1B9000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3604-126-0x000000000A0A0000-0x000000000A1B9000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3604-127-0x000000000A0A0000-0x000000000A1B9000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3604-143-0x0000000010000000-0x0000000010005000-memory.dmp
      Filesize

      20KB

      Download
    • memory/3604-141-0x0000000010000000-0x0000000010005000-memory.dmp
      Filesize

      20KB

      Download
    • memory/3604-139-0x0000000010000000-0x0000000010005000-memory.dmp
      Filesize

      20KB

      Download
    • memory/3604-137-0x0000000010000000-0x0000000010005000-memory.dmp
      Filesize

      20KB

      Download
    • memory/3604-136-0x0000000010000000-0x0000000010005000-memory.dmp
      Filesize

      20KB

      Download
    • memory/3604-147-0x0000000075650000-0x0000000075C03000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3604-148-0x000000000FD80000-0x000000000FE12000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3604-153-0x0000000076840000-0x0000000076960000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3604-152-0x0000000076380000-0x00000000763FB000-memory.dmp
      Filesize

      492KB

      Download
    • memory/3604-151-0x0000000076520000-0x0000000076544000-memory.dmp
      Filesize

      144KB

      Download
    • memory/3604-117-0x0000000076D20000-0x0000000076FA1000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/3604-156-0x0000000076460000-0x000000007651F000-memory.dmp
      Filesize

      764KB

      Download
    • memory/3604-164-0x0000000076CD0000-0x0000000076D15000-memory.dmp
      Filesize

      276KB

      Download
    • memory/3604-167-0x0000000074B20000-0x0000000074B28000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3604-170-0x00000000742A0000-0x000000007434B000-memory.dmp
      Filesize

      684KB

      Download
    • memory/3604-172-0x0000000072E00000-0x0000000072E89000-memory.dmp
      Filesize

      548KB

      Download
    • memory/3604-179-0x000000006EB20000-0x000000006EB4B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/3604-119-0x0000000000400000-0x0000000000FA7000-memory.dmp
      Filesize

      11.7MB

      Download
    • memory/3604-177-0x0000000003B90000-0x0000000003BA8000-memory.dmp
      Filesize

      96KB

      Download
    • memory/3604-176-0x0000000003A30000-0x0000000003A36000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3604-175-0x0000000076C50000-0x0000000076C69000-memory.dmp
      Filesize

      100KB

      Download
    • memory/3604-174-0x0000000072270000-0x0000000072282000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3604-173-0x0000000072CF0000-0x0000000072DF5000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3604-168-0x0000000074370000-0x0000000074B20000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3604-169-0x0000000074350000-0x0000000074364000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3604-166-0x0000000074B30000-0x0000000074B3F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/3604-165-0x0000000074B40000-0x0000000074BCD000-memory.dmp
      Filesize

      564KB

      Download
    • memory/3604-163-0x0000000074C00000-0x0000000074C24000-memory.dmp
      Filesize

      144KB

      Download
    • memory/3604-162-0x0000000076790000-0x00000000767F3000-memory.dmp
      Filesize

      396KB

      Download
    • memory/3604-161-0x0000000076D20000-0x0000000076FA1000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/3604-160-0x0000000075490000-0x0000000075526000-memory.dmp
      Filesize

      600KB

      Download
    • memory/3604-159-0x0000000002DB0000-0x0000000002E2A000-memory.dmp
      Filesize

      488KB

      Download
    • memory/3604-149-0x0000000000400000-0x0000000000FA7000-memory.dmp
      Filesize

      11.7MB

      Download
    • memory/3604-155-0x0000000076960000-0x00000000769D5000-memory.dmp
      Filesize

      468KB

      Download
    • memory/3604-154-0x0000000075530000-0x00000000755EF000-memory.dmp
      Filesize

      764KB

      Download
    • memory/3604-158-0x0000000075390000-0x00000000753E2000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3604-454-0x0000000000400000-0x0000000000FA7000-memory.dmp
      Filesize

      11.7MB

      Download
    • memory/3604-116-0x0000000076550000-0x0000000076765000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/3604-113-0x0000000000400000-0x0000000000FA7000-memory.dmp
      Filesize

      11.7MB

      Download
    • memory/3604-114-0x0000000002D60000-0x0000000002DA0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/3604-115-0x0000000002D40000-0x0000000002D41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3604-112-0x0000000000400000-0x0000000000FA7000-memory.dmp
      Filesize

      11.7MB

      Download
    • memory/3604-111-0x0000000002DB0000-0x0000000002E2A000-memory.dmp
      Filesize

      488KB

      Download
    • memory/4116-988-0x0000000000400000-0x0000000000FA7000-memory.dmp
      Filesize

      11.7MB

      Download