echelon | f90072375238d4883d4116dc9900751ac431ad8322e0fd58323a82ec5d69cbe4

General

Target

12a4c7c6742cbd46487d9960b79a7e65.exe
Size

908KB
MD5

12a4c7c6742cbd46487d9960b79a7e65
SHA1

8175c5eb646937158646dbe603a7e8bfbc50110f
SHA256

f90072375238d4883d4116dc9900751ac431ad8322e0fd58323a82ec5d69cbe4
SHA512

c6b364c467f9d5e470debb6c40e2426dd410ca7da3fdd68ab3da0f1e0c2e080876ee6006a90371965be27897b7ecd304da42b69e13fa9cc4a9035fb35ceac3f9

Score

10^/10

echelon discovery spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Executes dropped EXE 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

200 Decoder.exe
133828 systems32.exe

yara_rule
echelon_log_file

pid	process
200	Decoder.exe
133828	systems32.exe

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org
11 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1224 schtasks.exe
134360 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2968 timeout.exe
4064 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

12a4c7c6742cbd46487d9960b79a7e65.exeDecoder.exesystems32.exe

pid process

3952 12a4c7c6742cbd46487d9960b79a7e65.exe
3952 12a4c7c6742cbd46487d9960b79a7e65.exe
200 Decoder.exe
133828 systems32.exe

flow	ioc
7	api.ipify.org
8	api.ipify.org
11	ip-api.com

pid	process
1224	schtasks.exe
134360	schtasks.exe

pid	process
2968	timeout.exe
4064	timeout.exe

pid	process
3952	12a4c7c6742cbd46487d9960b79a7e65.exe
3952	12a4c7c6742cbd46487d9960b79a7e65.exe
200	Decoder.exe
133828	systems32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

12a4c7c6742cbd46487d9960b79a7e65.exeDecoder.exesystems32.exe

description	pid	process
Token: SeDebugPrivilege	3952	12a4c7c6742cbd46487d9960b79a7e65.exe
Token: SeDebugPrivilege	200	Decoder.exe
Token: SeDebugPrivilege	133828	systems32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

12a4c7c6742cbd46487d9960b79a7e65.execmd.execmd.exeDecoder.exesystems32.exe

description	pid	process	target process
PID 3952 wrote to memory of 200	3952	12a4c7c6742cbd46487d9960b79a7e65.exe	Decoder.exe
PID 3952 wrote to memory of 200	3952	12a4c7c6742cbd46487d9960b79a7e65.exe	Decoder.exe
PID 3952 wrote to memory of 3012	3952	12a4c7c6742cbd46487d9960b79a7e65.exe	cmd.exe
PID 3952 wrote to memory of 3012	3952	12a4c7c6742cbd46487d9960b79a7e65.exe	cmd.exe
PID 3952 wrote to memory of 4004	3952	12a4c7c6742cbd46487d9960b79a7e65.exe	cmd.exe
PID 3952 wrote to memory of 4004	3952	12a4c7c6742cbd46487d9960b79a7e65.exe	cmd.exe
PID 3012 wrote to memory of 2968	3012	cmd.exe	timeout.exe
PID 3012 wrote to memory of 2968	3012	cmd.exe	timeout.exe
PID 4004 wrote to memory of 4064	4004	cmd.exe	timeout.exe
PID 4004 wrote to memory of 4064	4004	cmd.exe	timeout.exe
PID 200 wrote to memory of 1224	200	Decoder.exe	schtasks.exe
PID 200 wrote to memory of 1224	200	Decoder.exe	schtasks.exe
PID 133828 wrote to memory of 134360	133828	systems32.exe	schtasks.exe
PID 133828 wrote to memory of 134360	133828	systems32.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\12a4c7c6742cbd46487d9960b79a7e65.exe
"C:\Users\Admin\AppData\Local\Temp\12a4c7c6742cbd46487d9960b79a7e65.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2D5F.tmp.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:4064

C:\systems32_bit\systems32.exe
\systems32_bit\systems32.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:133828

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
2⤵
- Creates scheduled task(s)
PID:134360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\ProgramData\Decoder.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D5F.tmp.cmd
MD5
46cc65fc0bde5d1adbb3c7b72e19e596

SHA1
822aed5b85618a9237d10531dd15270a64011a9b

SHA256
7f18a7c45b341ff958736f94e04b2e039f2ad1116d2e2efd902362e59635d7cc

SHA512
e32c6442d72828b0789d803f2cf68a3f51b52aec12317a90bb361036c79fff8a7e5505bceec9ecf63075742511e384bfaa7bf4833d4daad69b562274380f9a85

Download Submit
C:\systems32_bit\systems32.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\systems32_bit\systems32.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
memory/200-8-0x00007FFD07230000-0x00007FFD07C1C000-memory.dmp

Filesize
9.9MB

Download
memory/200-10-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/200-4-0x0000000000000000-mapping.dmp

Download
memory/1224-16-0x0000000000000000-mapping.dmp

Download
memory/2968-13-0x0000000000000000-mapping.dmp

Download
memory/3012-7-0x0000000000000000-mapping.dmp

Download
memory/3952-1-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/3952-0-0x00007FFD07230000-0x00007FFD07C1C000-memory.dmp

Filesize
9.9MB

Download
memory/3952-3-0x000000001B360000-0x000000001B3D0000-memory.dmp

Filesize
448KB

Download
memory/4004-9-0x0000000000000000-mapping.dmp

Download
memory/4064-15-0x0000000000000000-mapping.dmp

Download
memory/133828-19-0x00007FFD07230000-0x00007FFD07C1C000-memory.dmp

Filesize
9.9MB

Download
memory/134360-22-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads