Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 01:38
Behavioral task
behavioral1
Sample
74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe
Resource
win10v2004-20240426-en
General
-
Target
74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe
-
Size
581KB
-
MD5
e2e98863638ff7ebe577ce0e7045eed9
-
SHA1
e9e4c86ac937ac4ca6ce0c78e7826049d0395c1f
-
SHA256
74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2
-
SHA512
ee98f6d5ff48db962ed2c514f7bedc5a3b84ca280cda97a8cae394f75da24ecdffed46a451167373d5cb4cbffa68025ae5292d41d8ce22bffc5ab23e7ed58540
-
SSDEEP
12288:qu5kjMFW/Yq9a7pw4NZLJLUf9snBS4csPYae6qfzrAA:ic04NhhUF54clNf7rB
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1956-1-0x000001F9B9F20000-0x000001F9B9FB8000-memory.dmp family_echelon -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org 22 ip-api.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exepid Process 1956 74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe 1956 74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exedescription pid Process Token: SeDebugPrivilege 1956 74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe -
outlook_office_path 1 IoCs
Processes:
74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe -
outlook_win_path 1 IoCs
Processes:
74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe"C:\Users\Admin\AppData\Local\Temp\74a17459d4f6eee883845c4601c74ea6a0dd293e24bac22f88b46da440f917f2.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1956