Overview

overview

10

Static

static

19b887f37f...9c.exe

windows7_x64

10

19b887f37f...9c.exe

windows10_x64

10

Analysis

  • max time kernel
    107s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c.exe

  • Size

    2.0MB

  • MD5

    eb66520231ebf47315435acdfbb52691

  • SHA1

    482f7fa8e6169cba5de41141de61df9c7f609234

  • SHA256

    19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c

  • SHA512

    f5edb3e08b951c56df637d66ce0ea968bb8daabe32a2b91a339719ea220096fdec83c16a092bdfa9ac96b14450f571e00e88340238f49e17ab10895d45c3ceb2

Score
10/10
echelondiscoveryspywarestealer

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Echelon log file 1 IoCs

    Detects a log file produced by Echelon.

  • ServiceHost packer 24 IoCs

    Detects ServiceHost packer used for .NET malware

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs
  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c.exe
    "C:\Users\Admin\AppData\Local\Temp\19b887f37f75fca000084389a46800c513b1c42ff36c4781869243eef5d21b9c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Public\Downloads\images.exe
      "C:\Users\Public\Downloads\images.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 2604
        3⤵
        • Loads dropped DLL
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1956

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Downloads\images.exe
    MD5

    3f7049b2c628eac94f17629f3e7d5830

    SHA1

    61ad825e39e19472d06a3080367a858e18187d05

    SHA256

    af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

    SHA512

    6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

    Download Submit
  • \??\c:\users\public\downloads\images.exe
    MD5

    3f7049b2c628eac94f17629f3e7d5830

    SHA1

    61ad825e39e19472d06a3080367a858e18187d05

    SHA256

    af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

    SHA512

    6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

    Download Submit
  • \Users\Public\Downloads\images.exe
    MD5

    3f7049b2c628eac94f17629f3e7d5830

    SHA1

    61ad825e39e19472d06a3080367a858e18187d05

    SHA256

    af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

    SHA512

    6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

    Download Submit
  • \Users\Public\Downloads\images.exe
    MD5

    608a7fb2707b4bea6927f76d6460632c

    SHA1

    dd9e694779d9ff67a69aa38a3156430543f1df08

    SHA256

    b4bb355c06b470363ca70a6f95cf2d9a6245310633de9267ba8045600c7d4a8f

    SHA512

    796c29145ae1d1f83b22e729da16e4c31140ff151950e704b07ff7ba5ba6d1d7043066c83fd56dc2838844d959ad9d4f3e508b35d4551fcbbcf42d2e3523142e

    Download Submit
  • \Users\Public\Downloads\images.exe
    MD5

    10cedd205c413ecd51bafb5b86204f91

    SHA1

    d86e0f10cf2d6513455c4016db82ee80281df8aa

    SHA256

    b815c1b20d0fd96d3797b355b3d0527097d85d67473f9cc6318c59b0ab5c522b

    SHA512

    f8eef2100379312870e3d9f9da97c1ec6ac4af7f59ea033a40e98377129fb32da6e2af5a637e66a6f1c2e70ffa18b5d53007d8b14e9abf3b6e061ca41f1eea4a

    Download Submit
  • \Users\Public\Downloads\images.exe
    MD5

    0f436c19925ef100bd3c3a6440c0bce8

    SHA1

    a12e67cc3b3193629f2e176c1179ec9ff58b19ae

    SHA256

    d5eb33f1c6d993549dc5af825fe9bba882b5f8c28e887e74952e65d4f21df8e7

    SHA512

    4088e8089dcc66f71de1d9a286998e27e070889a06e8eaae16d8a16e24ca900db9887bd4379643e76f98805d2cd12b7f50109c9aa8c267810ab84b212f144c87

    Download Submit
  • \Users\Public\Downloads\images.exe
    MD5

    2dbecbfab6b295b0e3269c018202512c

    SHA1

    095991b151fc72807051742f3cd9ccf0b7c914d8

    SHA256

    4d9971651283fd2ada036a58863557a9850ec69dace5551f18cd9cefa715e898

    SHA512

    eabcf472c08f7f053ae8151203adfcab61af2798ae94b43411f73013145c8b9f684a2488c6f2f5311aa8e628d2c3e99bf8472c7db11c0bb78694c58fac45964a

    Download Submit
  • \Users\Public\Downloads\images.exe
    MD5

    3f7049b2c628eac94f17629f3e7d5830

    SHA1

    61ad825e39e19472d06a3080367a858e18187d05

    SHA256

    af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

    SHA512

    6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

    Download Submit
  • \Users\Public\Downloads\images.exe
    MD5

    3f7049b2c628eac94f17629f3e7d5830

    SHA1

    61ad825e39e19472d06a3080367a858e18187d05

    SHA256

    af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

    SHA512

    6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

    Download Submit
  • \Users\Public\Downloads\images.exe
    MD5

    3f7049b2c628eac94f17629f3e7d5830

    SHA1

    61ad825e39e19472d06a3080367a858e18187d05

    SHA256

    af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

    SHA512

    6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

    Download Submit
  • \Users\Public\Downloads\images.exe
    MD5

    243661b6335a1d70d84a4d0ff5cc0c2f

    SHA1

    d744b4cb60acd44ff1bc3c3f1cc44ced9dcddfd1

    SHA256

    dd3ba336990b8eccbe187ca04682fce5440e29c9abcb8eb990ffb075a5a348d2

    SHA512

    e6f775e229578b1dee198d1763d007e74aaa2fe6c6555e58d7bfe9df3d0f1fb7677b0895f2711572675ffb5dd305ccaad40164287f9520d7bd001b1b4bacd0fd

    Download Submit
  • memory/1684-0-0x0000000000FF0000-0x00000000010F1000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1956-53-0x0000000002760000-0x0000000002771000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1956-19-0x0000000000000000-mapping.dmp
    Download
  • memory/1956-20-0x00000000021D0000-0x00000000021E1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2012-30-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-39-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-17-0x0000000002F70000-0x0000000002F88000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2012-16-0x00000000009C0000-0x00000000009C9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2012-15-0x0000000000720000-0x000000000072F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/2012-14-0x00000000032A0000-0x00000000032DE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2012-12-0x0000000000A30000-0x0000000000A31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2012-11-0x0000000073C70000-0x000000007435E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2012-29-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-10-0x0000000003250000-0x0000000003261000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2012-31-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-32-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-33-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-34-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-35-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-36-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-37-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-18-0x0000000006C90000-0x0000000006D1D000-memory.dmp
    Filesize

    564KB

    Download
  • memory/2012-38-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-41-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-40-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-42-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-44-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-43-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-46-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-45-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-47-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-49-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-48-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-52-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-51-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-50-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-9-0x0000000002F70000-0x0000000002F81000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2012-6-0x0000000000000000-mapping.dmp
    Download