echelon | baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4

Analysis

max time kernel
4294180s
max time network
123s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe
Size

4.1MB
MD5

7a7da0b227e440ed8ed25dd058976f44
SHA1

c8ed414480d675be16dbfcce03f14db25330dc4f
SHA256

baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4
SHA512

3cd8497e3d74bd9f94c25f088ed22a427c38b3e5cec5e51a3e49862b6ed4b3ac41ca11a1e0b0bb9923af68b7ee8585b2b09defc795c6c74cd35ac0b1afe820e3

Score

10^/10

echelon collection discovery persistence spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Echelon log file 1 IoCs

Detects a log file produced by Echelon.

Processes:

yara_rule
echelon_log_file

Executes dropped EXE 2 IoCs

Processes:

CDS.execrypted.exe

pid	Process
1832	CDS.exe
1352	crypted.exe

Loads dropped DLL 14 IoCs

Processes:

baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exeCDS.execrypted.exeWerFault.exe

pid	Process
1824	baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe
1832	CDS.exe
1832	CDS.exe
1832	CDS.exe
1832	CDS.exe
1832	CDS.exe
1832	CDS.exe
1832	CDS.exe
1352	crypted.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe
900	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

crypted.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	crypted.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	crypted.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	crypted.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip-api.com
8	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
900	1352	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

crypted.exeCDS.exe

pid	Process
1352	crypted.exe
1352	crypted.exe
1832	CDS.exe
1832	CDS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

crypted.exe

description	pid	Process
Token: SeDebugPrivilege	1352	crypted.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CDS.exe

pid	Process
1832	CDS.exe
1832	CDS.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exeCDS.execrypted.exe

description	pid	Process	procid_target
PID 1824 wrote to memory of 1832	1824	baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe	27
PID 1824 wrote to memory of 1832	1824	baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe	27
PID 1824 wrote to memory of 1832	1824	baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe	27
PID 1824 wrote to memory of 1832	1824	baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe	27
PID 1824 wrote to memory of 1832	1824	baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe	27
PID 1824 wrote to memory of 1832	1824	baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe	27
PID 1824 wrote to memory of 1832	1824	baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe	27
PID 1832 wrote to memory of 1352	1832	CDS.exe	28
PID 1832 wrote to memory of 1352	1832	CDS.exe	28
PID 1832 wrote to memory of 1352	1832	CDS.exe	28
PID 1832 wrote to memory of 1352	1832	CDS.exe	28
PID 1832 wrote to memory of 1352	1832	CDS.exe	28
PID 1832 wrote to memory of 1352	1832	CDS.exe	28
PID 1832 wrote to memory of 1352	1832	CDS.exe	28
PID 1352 wrote to memory of 900	1352	crypted.exe	30
PID 1352 wrote to memory of 900	1352	crypted.exe	30
PID 1352 wrote to memory of 900	1352	crypted.exe	30
PID 1352 wrote to memory of 900	1352	crypted.exe	30
PID 1352 wrote to memory of 900	1352	crypted.exe	30
PID 1352 wrote to memory of 900	1352	crypted.exe	30
PID 1352 wrote to memory of 900	1352	crypted.exe	30

outlook_office_path 1 IoCs

Processes:

crypted.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	crypted.exe

outlook_win_path 1 IoCs

Processes:

crypted.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	crypted.exe

C:\Users\Admin\AppData\Local\Temp\baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe
"C:\Users\Admin\AppData\Local\Temp\baf63544b018ab9aa6640ebe48422f77fd81a61ad6ca8d5aeb9cfbe63f01a9c4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:1352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1340
      4⤵
      Loads dropped DLL
      Program crash
      PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

MD5
5dded2a7c0bcdcc17d3523ea3b0921f1

SHA1
2395122d10657d9a8a27f5754ef34b2df72f9632

SHA256
e46903ec8353cbdb5552052cd2e2732777645ad750f7c613bdaf9dd11c27751a

SHA512
a5a79acb47f8d37a265b8812c7cdeca7af5c52ab2cc7132db15235bc7a6e6d84f77b1a07f8c0c9801ede15853a0206fab9e2dbbebc9a3d99a4fa9a155a2fe052

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
366074429e3bb2198bf0cc3d4dfaa327

SHA1
988ab0aa37c7fad9ef36831a249e745b4d3d2117

SHA256
15ee08dbd85a4c7be9069400fd5f008631f72ec8ca72c60e14bd535fac57104d

SHA512
919e2bc03a0a10e08bf63646f4452dcc7f71a11c44f51bfb33bb24162157ef752d54baadc1900d1c5c04f6b81bdca33b48c868ffc014748b8ab0c4728393f961

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
memory/1352-76-0x0000000072CC0000-0x00000000733AE000-memory.dmp

Filesize
6.9MB

Download
memory/1352-77-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/1352-75-0x00000000011C0000-0x000000000133E000-memory.dmp

Filesize
1.5MB

Download
memory/1824-54-0x0000000075251000-0x0000000075253000-memory.dmp

Filesize
8KB

Download