Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 01:38
Behavioral task
behavioral1
Sample
8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe
Resource
win10v2004-20240508-en
General
-
Target
8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe
-
Size
592KB
-
MD5
4adf2dcdd159d53b5b783534fe72ab9e
-
SHA1
9b06ed6123769b99fb9367162df0de08af72d280
-
SHA256
8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458
-
SHA512
8056de9abf8a9d9329f0b6e2d324049e6c30770c4073e5cd515a10f73e85ee11c47dda93625cba203d0af633c8be5adffdb289eeb657212e8112ee1d629f6e6c
-
SSDEEP
12288:QPWs8S7TzZLJLUf9snBS4csPYae6qfzIAA:87TzhhUF54clNf7IB
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2888-1-0x0000000000B00000-0x0000000000B9A000-memory.dmp family_echelon -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exedescription pid process Token: SeDebugPrivilege 2888 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exedescription pid process target process PID 2888 wrote to memory of 2088 2888 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe WerFault.exe PID 2888 wrote to memory of 2088 2888 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe WerFault.exe PID 2888 wrote to memory of 2088 2888 8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe"C:\Users\Admin\AppData\Local\Temp\8d6ba5b508f3377849eb1aa298000583c66e81ac9304c23ca86d1c8c6e46c458.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2888 -s 12682⤵PID:2088