Overview

overview

10

Static

static

e44277fe9e...1b.exe

windows7_x64

8

e44277fe9e...1b.exe

windows10_x64

10

Analysis

  • max time kernel
    62s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    20-09-2020 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b.exe

  • Size

    814KB

  • MD5

    f855dffcbd21d4e4a59eed5a7a392af9

  • SHA1

    178dc356191ebca6bf294525183212ac2e5a0bd8

  • SHA256

    e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b

  • SHA512

    0a08d1242a13c85f0f88ef54b77400da1a5c20570163635274ab9f63514e4b8b46a912dab28e3cc8a25963e39ade97b6310437587475893ff4935b4819c8ffbc

Score
10/10
discoverystealerspywareechelon

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses cryptocurrency wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b.exe
    "C:\Users\Admin\AppData\Local\Temp\e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Users\Admin\AppData\Local\Temp\e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b.exe
      "C:\Users\Admin\AppData\Local\Temp\e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp857D.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:3876
    • C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
      "C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
        "C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b.exe.log
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp857D.tmp.bat
    Download Submit
  • C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
    Download Submit
  • memory/2428-39-0x0000000000000000-mapping.dmp
    Download
  • memory/2620-31-0x0000000073490000-0x0000000073B7E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2620-29-0x000000000040D54E-mapping.dmp
    Download
  • memory/2620-28-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3560-17-0x0000000073490000-0x0000000073B7E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3560-19-0x0000000000320000-0x0000000000321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3560-26-0x0000000006E10000-0x0000000006E15000-memory.dmp
    Filesize

    20KB

    Download
  • memory/3560-25-0x0000000004ED0000-0x0000000004ED4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/3560-14-0x0000000000000000-mapping.dmp
    Download
  • memory/3876-42-0x0000000000000000-mapping.dmp
    Download
  • memory/3992-0-0x0000000073490000-0x0000000073B7E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3992-7-0x0000000004EC0000-0x0000000004EC5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/3992-6-0x0000000004CA0000-0x0000000004CA4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/3992-5-0x0000000004A70000-0x0000000004A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-4-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-3-0x0000000004F50000-0x0000000004F51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-1-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4008-24-0x0000000006120000-0x0000000006190000-memory.dmp
    Filesize

    448KB

    Download
  • memory/4008-18-0x0000000005260000-0x0000000005261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4008-10-0x00000000004A110E-mapping.dmp
    Download
  • memory/4008-9-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize

    680KB

    Download
  • memory/4008-36-0x0000000006260000-0x0000000006261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4008-11-0x0000000073490000-0x0000000073B7E000-memory.dmp
    Filesize

    6.9MB

    Download