Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-08-2024 05:31

General

  • Target

    cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe

  • Size

    1.3MB

  • MD5

    14abfb51f8f57a091b87a733296c1523

  • SHA1

    947404f47050ef01f71493ccaec4f851f0c4eb30

  • SHA256

    cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5

  • SHA512

    61d1149f2c911fa99bebc24a7a5b40a096fa87ddd8b7c7e44fa9acf47af066c56ff048605453458cf864b48d1b06d2440921170d1f15e819f5ffc9d47b57520d

  • SSDEEP

    24576:/qPvbuhZUTd8hhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRX:obKo54clgLH+tkWJ0NJ

Malware Config

Signatures

  • Detects Echelon Stealer payload 1 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe
    "C:\Users\Admin\AppData\Local\Temp\cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\ProgramData\Decoder.exe
      "C:\ProgramData\Decoder.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2464
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\system32\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:2120
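
The process tree above, read together with the "Executes dropped EXE" and "Delays execution with timeout.exe" signatures, is the kind of parent/child chain a detection rule can key on: a binary running from a user Temp directory starts a freshly written executable in C:\ProgramData, and separately spawns cmd.exe to run a .cmd file from Temp whose only visible job is a `timeout 4` sleep. The script below is an added example, not part of the sandbox report and not code from the sample itself. It replays the tree as constructed Sysmon-style process-creation records (PIDs, images and command lines taken from the page) and applies three rules over them; the field names, the regular expressions, the rule names and the parent PID 1000 for the top process are assumptions.

```python
import re

# Constructed process-creation records reproducing the report's process tree.
# PIDs, images and command lines are from the page; ppid 1000 for the first
# process is an assumption (the report does not show what launched it).
EVENTS = [
    {"pid": 2440, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe"'},
    {"pid": 2464, "ppid": 2440,
     "image": r"C:\ProgramData\Decoder.exe",
     "cmdline": r'"C:\ProgramData\Decoder.exe"'},
    {"pid": 2780, "ppid": 2440,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""'},
    {"pid": 2120, "ppid": 2780,
     "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": r"timeout 4"},
]

# Path patterns (assumed): a per-user Temp directory and C:\ProgramData.
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.I)
# "/c <path>.cmd" or "/c <path>.bat", tolerating the doubled quotes seen in the tree.
SCRIPT_ARG = re.compile(r'/c\s+"*([^"]+\.(?:cmd|bat))"*', re.I)


def by_pid(events):
    """Index events by PID so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in events}


def ancestry(events, pid):
    """Image paths from pid up to the highest recorded ancestor, nearest first."""
    procs = by_pid(events)
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Apply three rules to the tree; returns (rule, pid) tuples in event order."""
    procs = by_pid(events)
    hits = []
    for e in events:
        parent = procs.get(e["ppid"])
        img = e["image"]
        # Rule 1: executable under ProgramData started by a process living in a user Temp dir
        # (the "Executes dropped EXE" behaviour).
        if PROGRAMDATA.match(img) and parent and TEMP_DIR.match(parent["image"]):
            hits.append(("dropped_exe_from_programdata", e["pid"]))
        # Rule 2: cmd.exe /c running a .cmd/.bat file that sits in a user Temp dir.
        if img.lower().endswith("\\cmd.exe"):
            m = SCRIPT_ARG.search(e["cmdline"])
            if m and TEMP_DIR.match(m.group(1)):
                hits.append(("cmd_runs_temp_script", e["pid"]))
        # Rule 3: timeout.exe used as a sleep with a Temp-resident binary somewhere above it
        # (the "Delays execution with timeout.exe" behaviour, scoped to avoid admin scripts).
        if img.lower().endswith("\\timeout.exe"):
            if any(TEMP_DIR.match(a) for a in ancestry(events, e["ppid"])):
                hits.append(("timeout_delay_under_temp_dropper", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid} <- " + " <- ".join(ancestry(EVENTS, pid)))
```

Rule 3 deliberately walks the ancestry rather than matching `timeout.exe` alone: `timeout` under cmd.exe is common in legitimate batch jobs, and it is the Temp-resident parent two levels up that makes this instance worth an alert.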

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Decoder.exe

    Filesize

    270KB

    MD5

    de81e7651c6e62b4c7195ac2e6befbc0

    SHA1

    1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

    SHA256

    eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

    SHA512

    3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

  • C:\Users\Admin\AppData\Local\Temp\.cmd

    Filesize

    28B

    MD5

    217407484aac2673214337def8886072

    SHA1

    0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

    SHA256

    467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

    SHA512

    8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

  • memory/2440-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

    Filesize

    4KB

  • memory/2440-1-0x00000000010D0000-0x000000000121C000-memory.dmp

    Filesize

    1.3MB

  • memory/2440-2-0x0000000000D00000-0x0000000000D76000-memory.dmp

    Filesize

    472KB

  • memory/2440-3-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

    Filesize

    9.9MB

  • memory/2440-15-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

    Filesize

    9.9MB

  • memory/2464-17-0x00000000744FE000-0x00000000744FF000-memory.dmp

    Filesize

    4KB

  • memory/2464-18-0x0000000000980000-0x00000000009CA000-memory.dmp

    Filesize

    296KB