Analysis

max time kernel:  120s
max time network: 121s
platform:         windows7_x64
resource:         win7-20240508-en
resource tags:    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted:        17-06-2024 01:10
Behavioral task: behavioral1
  Sample:   4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample:   4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe
  Resource: win10v2004-20240611-en
General

Target: 4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe
Size:   581KB
MD5:    39c64b7bdf9dd6ddfde23780315058e2
SHA1:   a2d9ee67c3f96305477feb0b48e221520c519b6c
SHA256: 4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017
SHA512: cad870ca9302a288658882adb9aeb9280ae22790eadb526e31792480fb6d78bdac05d7945e571ac616d632a2641eecd87fd44f3284d55138c4424a378bf3ae75
SSDEEP: 12288:6EIV3v4dN7ImqoxwRdwrjZLJLUf9snBS4csPYae6qfzQAA:KkhIarjhhUF54clNf7QB
Malware Config
Signatures

Detects Echelon Stealer payload (1 IoC)
  resource:  behavioral1/memory/1580-1-0x0000000000B30000-0x0000000000BC8000-memory.dmp
  yara_rule: family_echelon

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 4
  ioc:  api.ipify.org

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid:         1580
  Process:     4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 1580 wrote to memory of 2764   1580  4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe     29
  PID 1580 wrote to memory of 2764   1580  4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe     29
  PID 1580 wrote to memory of 2764   1580  4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe     29
Processes

C:\Users\Admin\AppData\Local\Temp\4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4a583f488698e92ae927fcbc9ad262208ad535ea6140443d35875f33a9e25017.exe"
  PID: 1580
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\WerFault.exe  (child of PID 1580)
    command line: C:\Windows\system32\WerFault.exe -u -p 1580 -s 1248
    PID: 2764