Overview

overview

10

Static

static

b32acc0d68...c3.exe

windows7_x64

6

b32acc0d68...c3.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-11-2020 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe

  • Size

    585KB

  • MD5

    2f84065b4d10029d655fe5240b918a82

  • SHA1

    160d060a7dca7dff8e4ededa01b1981faf84fcfb

  • SHA256

    b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3

  • SHA512

    ef00a3926dd3a60b33fa6ea4eeadebc55be77100ce0425250de471b7293cb46a4336f94952399bada7f82e084d9ecb7c27b0c6272fd1bfe07e4b4fda62f87995

Score
10/10
echelondiscoveryspywarestealer

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Echelon log file 1 IoCs

    Detects a log file produced by Echelon.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe
    "C:\Users\Admin\AppData\Local\Temp\b32acc0d68b0c74f732509d25c0f03f7e9278a65fb91d83cb7f6b7aa7baeedc3.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E3C.tmp.cmd""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8E3C.tmp.cmd
    MD5

    05f3be4c6ff6f57d4d4fdcd79d21306a

    SHA1

    9d700b4ba20a39b47d6deabe14434760b08068b8

    SHA256

    889ba3364926044804b1dfa407fef9ce7c6172650e65959f770ff42f6f0f3977

    SHA512

    6eec235ea8a2cb41a2ff78f3f1cdab47848a81ad0c7a1051c261e01ff055852b05b1f7750abeeb9cf9caf4997d00c231c513654acab98e73fce608ed0a8e0197

    Download Submit
  • memory/580-0-0x00007FFC34C00000-0x00007FFC355EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/580-1-0x000002123FD10000-0x000002123FD11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/580-3-0x000002125A330000-0x000002125A3A0000-memory.dmp
    Filesize

    448KB

    Download
  • memory/1364-4-0x0000000000000000-mapping.dmp
    Download
  • memory/3740-6-0x0000000000000000-mapping.dmp
    Download