Overview
overview
10Static
static
10Bird.exe
windows7-x64
10Bird.exe
windows10-2004-x64
10Crystal.exe
windows7-x64
10Crystal.exe
windows10-2004-x64
10Install.exe
windows7-x64
10Install.exe
windows10-2004-x64
10Minecraft_v4.4.exe
windows7-x64
10Minecraft_v4.4.exe
windows10-2004-x64
10NewHacks.exe
windows7-x64
10NewHacks.exe
windows10-2004-x64
10Setup.exe
windows7-x64
10Setup.exe
windows10-2004-x64
10Software p....5.exe
windows7-x64
9Software p....5.exe
windows10-2004-x64
9file3.exe
windows7-x64
8file3.exe
windows10-2004-x64
8forcenitro2.4.1.exe
windows7-x64
7forcenitro2.4.1.exe
windows10-2004-x64
7nitro_gen.exe
windows7-x64
10nitro_gen.exe
windows10-2004-x64
10Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 04:18
Behavioral task
behavioral1
Sample
Bird.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Bird.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Crystal.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Crystal.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Install.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Install.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Minecraft_v4.4.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Minecraft_v4.4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
NewHacks.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
NewHacks.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Setup.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
Setup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Software patch v2.0.5.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Software patch v2.0.5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
file3.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
file3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
forcenitro2.4.1.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
forcenitro2.4.1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
nitro_gen.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
nitro_gen.exe
Resource
win10v2004-20241007-en
General
-
Target
NewHacks.exe
-
Size
1.1MB
-
MD5
d59bf492da2f21db13264aba7b40f464
-
SHA1
c69eadf5aa174c34c90445548d5b2d5888957eae
-
SHA256
4732655de9b6a0497a825ab53ef9e8c3db1a9d1520d1ae505ec2b07df305cef1
-
SHA512
f781f75e84f88c9aa015644ba5744d5b360951fc753d054f2e999244907baae5a109563c5b4817a2e7ee2f91c2048366552d22364e593503ba8aec05ce4cef59
-
SSDEEP
12288:74OAp4Hqw3QMrTM6TgMcnFO1sQATEQkhXdwWjgRNKjyjlG7bWsd:74OAp4KQrTMhOGRTodwWjWjlGes
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
resource yara_rule behavioral9/memory/2800-1-0x0000000000CF0000-0x0000000000E18000-memory.dmp family_echelon -
Echelon family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 NewHacks.exe Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 NewHacks.exe Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 NewHacks.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 api.ipify.org 6 ip-api.com 8 api.ipify.org 4 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2800 NewHacks.exe 2800 NewHacks.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2800 NewHacks.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2800 wrote to memory of 1820 2800 NewHacks.exe 32 PID 2800 wrote to memory of 1820 2800 NewHacks.exe 32 PID 2800 wrote to memory of 1820 2800 NewHacks.exe 32 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 NewHacks.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 NewHacks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NewHacks.exe"C:\Users\Admin\AppData\Local\Temp\NewHacks.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2800 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2800 -s 15042⤵PID:1820
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\BByyXyDZJDHB8BB80FD49\49B8BB80FDBByyXyDZJDH\Browsers\Passwords\Passwords_Edge.txt
Filesize52B
MD5fdec4452a98b7d7f3dc83904cd82a724
SHA12b447ea859993ab549ee1547c72071e59cace07c
SHA25659b16ba683aaf821362d2061fef52b52a909ad63be1192ef3d2374f3e8a4b235
SHA51287a573d8a9a085ffeea49335d213f96cd55385a3afa281d1a4a321043e82cd81a324d1131c764d024966d9dcbcc219d78514b0cdce74f849fe33e0f9ce2df432