Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
25-08-2024 05:31
Behavioral task
behavioral1
Sample
cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe
Resource
win10v2004-20240802-en
General
-
Target
cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe
-
Size
1.3MB
-
MD5
14abfb51f8f57a091b87a733296c1523
-
SHA1
947404f47050ef01f71493ccaec4f851f0c4eb30
-
SHA256
cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5
-
SHA512
61d1149f2c911fa99bebc24a7a5b40a096fa87ddd8b7c7e44fa9acf47af066c56ff048605453458cf864b48d1b06d2440921170d1f15e819f5ffc9d47b57520d
-
SSDEEP
24576:/qPvbuhZUTd8hhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRX:obKo54clgLH+tkWJ0NJ
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
resource yara_rule behavioral1/memory/2440-1-0x00000000010D0000-0x000000000121C000-memory.dmp family_echelon -
Executes dropped EXE 1 IoCs
pid Process 2464 Decoder.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Decoder.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2120 timeout.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2440 cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2440 wrote to memory of 2464 2440 cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe 31 PID 2440 wrote to memory of 2464 2440 cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe 31 PID 2440 wrote to memory of 2464 2440 cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe 31 PID 2440 wrote to memory of 2464 2440 cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe 31 PID 2440 wrote to memory of 2780 2440 cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe 32 PID 2440 wrote to memory of 2780 2440 cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe 32 PID 2440 wrote to memory of 2780 2440 cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe 32 PID 2780 wrote to memory of 2120 2780 cmd.exe 34 PID 2780 wrote to memory of 2120 2780 cmd.exe 34 PID 2780 wrote to memory of 2120 2780 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe"C:\Users\Admin\AppData\Local\Temp\cac98fd47f3d1f7929ed1600304b4d4d3cfcb49fa323939dd39eb59342f2c2f5.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2464
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:2120
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
270KB
MD5de81e7651c6e62b4c7195ac2e6befbc0
SHA11f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32
SHA256eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b
SHA5123cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b
-
Filesize
28B
MD5217407484aac2673214337def8886072
SHA10f8c4c94064ce1f7538c43987feb5bb2d7fec0c6
SHA256467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797
SHA5128466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330