echelon | ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b

Analysis

max time kernel
118s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
09-03-2022 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe
Size

1.7MB
MD5

b0338e58388c9040a0f88d0f44ef3714
SHA1

7e664c348735efed508666fec173bb17fa8025f8
SHA256

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b
SHA512

b5d52004d648da1ea0973186281b0cf34a8bee04f10bcce14e6ebc231ff768d0dc37fe2b3e231cb6dfd8b8f9cf6f2af0fb2ec65d860473a2cbd2a5672aedd899

Score

10^/10

echelon collection discovery spyware stealer vmprotect

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Executes dropped EXE 4 IoCs

Processes:

Echelonyes.sfx.exeEchelonyes.exeDecoder.exesystems32.exe

pid process

1188 Echelonyes.sfx.exe
3336 Echelonyes.exe
3820 Decoder.exe
240576 systems32.exe

yara_rule
echelon_log_file

pid	process
1188	Echelonyes.sfx.exe
3336	Echelonyes.exe
3820	Decoder.exe
240576	systems32.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe	vmprotect
behavioral2/memory/3336-136-0x0000000000350000-0x0000000000606000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exeWScript.exeEchelonyes.sfx.exeEchelonyes.exeDecoder.exesystems32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Echelonyes.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Echelonyes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Decoder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	systems32.exe

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Echelonyes.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelonyes.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelonyes.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelonyes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 api.ipify.org
28 api.ipify.org
36 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1484 schtasks.exe
242696 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2532 timeout.exe
1004 timeout.exe

flow	ioc
27	api.ipify.org
28	api.ipify.org
36	ip-api.com

pid	process
1484	schtasks.exe
242696	schtasks.exe

pid	process
2532	timeout.exe
1004	timeout.exe

Modifies registry class 1 IoCs

Processes:

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Echelonyes.exeDecoder.exesystems32.exe

pid process

3336 Echelonyes.exe
3336 Echelonyes.exe
3820 Decoder.exe
240576 systems32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Echelonyes.exeDecoder.exesystems32.exe

description pid process

Token: SeDebugPrivilege 3336 Echelonyes.exe
Token: SeDebugPrivilege 3820 Decoder.exe
Token: SeDebugPrivilege 240576 systems32.exe

pid	process
3336	Echelonyes.exe
3336	Echelonyes.exe
3820	Decoder.exe
240576	systems32.exe

description	pid	process
Token: SeDebugPrivilege	3336	Echelonyes.exe
Token: SeDebugPrivilege	3820	Decoder.exe
Token: SeDebugPrivilege	240576	systems32.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exeWScript.execmd.exeEchelonyes.sfx.exeEchelonyes.execmd.execmd.exeDecoder.exesystems32.exe

description	pid	process	target process
PID 2544 wrote to memory of 1484	2544	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	WScript.exe
PID 2544 wrote to memory of 1484	2544	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	WScript.exe
PID 2544 wrote to memory of 1484	2544	ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe	WScript.exe
PID 1484 wrote to memory of 1584	1484	WScript.exe	cmd.exe
PID 1484 wrote to memory of 1584	1484	WScript.exe	cmd.exe
PID 1484 wrote to memory of 1584	1484	WScript.exe	cmd.exe
PID 1584 wrote to memory of 1188	1584	cmd.exe	Echelonyes.sfx.exe
PID 1584 wrote to memory of 1188	1584	cmd.exe	Echelonyes.sfx.exe
PID 1584 wrote to memory of 1188	1584	cmd.exe	Echelonyes.sfx.exe
PID 1188 wrote to memory of 3336	1188	Echelonyes.sfx.exe	Echelonyes.exe
PID 1188 wrote to memory of 3336	1188	Echelonyes.sfx.exe	Echelonyes.exe
PID 3336 wrote to memory of 3820	3336	Echelonyes.exe	Decoder.exe
PID 3336 wrote to memory of 3820	3336	Echelonyes.exe	Decoder.exe
PID 3336 wrote to memory of 2000	3336	Echelonyes.exe	cmd.exe
PID 3336 wrote to memory of 2000	3336	Echelonyes.exe	cmd.exe
PID 3336 wrote to memory of 2464	3336	Echelonyes.exe	cmd.exe
PID 3336 wrote to memory of 2464	3336	Echelonyes.exe	cmd.exe
PID 2000 wrote to memory of 2532	2000	cmd.exe	timeout.exe
PID 2000 wrote to memory of 2532	2000	cmd.exe	timeout.exe
PID 2464 wrote to memory of 1004	2464	cmd.exe	timeout.exe
PID 2464 wrote to memory of 1004	2464	cmd.exe	timeout.exe
PID 3820 wrote to memory of 1484	3820	Decoder.exe	schtasks.exe
PID 3820 wrote to memory of 1484	3820	Decoder.exe	schtasks.exe
PID 240576 wrote to memory of 242696	240576	systems32.exe	schtasks.exe
PID 240576 wrote to memory of 242696	240576	systems32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

Echelonyes.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelonyes.exe

outlook_win_path 1 IoCs

Processes:

Echelonyes.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelonyes.exe

C:\Users\Admin\AppData\Local\Temp\ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe
"C:\Users\Admin\AppData\Local\Temp\ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bat.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
Echelonyes.sfx.exe -pMgXwXO}F -dC:\Users\Admin\AppData\Local\Temp
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe
"C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3336

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
7⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
6⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\timeout.exe
timeout 4
7⤵
- Delays execution with timeout.exe
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDAB.tmp.cmd""
6⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\system32\timeout.exe
timeout 4
7⤵
- Delays execution with timeout.exe
PID:1004

C:\systems32_bit\systems32.exe
\systems32_bit\systems32.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240576

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
2⤵
- Creates scheduled task(s)
PID:242696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\ProgramData\Decoder.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe
MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe
MD5
1fa6f0632a72b1162b1b29a0b869fa90

SHA1
7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

SHA256
3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

SHA512
92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
MD5
379c4da3d182dc8adbc5df1f0dbde542

SHA1
7b43213139780da48b2d36430d664f09c0568faf

SHA256
080fdedd00b6d9b82fd6c758591cac8c4c53ce4994cfd127eecbffdc74cccbc0

SHA512
7f55ba9a1296534743805abe8210d1649696f0361d9c35fe61d72c7e3e51e17dcc6b6e3ebaf4f4385a8b0777ad933ffd8d47ed37e786fdf90404750c6b7d0d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
MD5
379c4da3d182dc8adbc5df1f0dbde542

SHA1
7b43213139780da48b2d36430d664f09c0568faf

SHA256
080fdedd00b6d9b82fd6c758591cac8c4c53ce4994cfd127eecbffdc74cccbc0

SHA512
7f55ba9a1296534743805abe8210d1649696f0361d9c35fe61d72c7e3e51e17dcc6b6e3ebaf4f4385a8b0777ad933ffd8d47ed37e786fdf90404750c6b7d0d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat
MD5
bfcc1b768af96c396d04795313972815

SHA1
26a9be4a505b98beacc0291c9ec43de739568444

SHA256
858c103ed517819c917bd859da7c0664cab0a6d5d868d7381aa7091ebbe6c240

SHA512
eabcfed61407fe3e350aeb7ba5a2948647747970da6cbe62f5ed3b12138f4924dbcd8036d69c88669031a6cc82a88dfe14c8d39906309d74a237e86daf753921

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDAB.tmp.cmd
MD5
f5e2aa477ee0ad18903b72a51bfbb190

SHA1
61fdb205c6e0b7d81e5b0212b65d9a82cf815db8

SHA256
462e253e94aa2a0d700433846b2507e8356c65b9693a909db8acdd27941b9ab0

SHA512
4eed3b39c05b797f6d806abf0a8accfb0aac1eaf5961ca20fd434f4eac2eac5158995887c228439fb4489b5ae61f6d5c17eb947e99edf7478d2396eecfbd46cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs
MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
C:\systems32_bit\systems32.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\systems32_bit\systems32.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
memory/3336-136-0x0000000000350000-0x0000000000606000-memory.dmp

Filesize
2.7MB

Download
memory/3336-137-0x00007FF9E5A10000-0x00007FF9E64D1000-memory.dmp

Filesize
10.8MB

Download
memory/3336-140-0x000000001B4D0000-0x000000001B4D2000-memory.dmp

Filesize
8KB

Download
memory/3336-141-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3820-144-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/3820-148-0x000000001C050000-0x000000001C052000-memory.dmp

Filesize
8KB

Download
memory/3820-147-0x00007FF9E5A10000-0x00007FF9E64D1000-memory.dmp

Filesize
10.8MB

Download
memory/240576-152-0x000000001B780000-0x000000001B782000-memory.dmp

Filesize
8KB

Download
memory/240576-151-0x00007FF9E5A10000-0x00007FF9E64D1000-memory.dmp

Filesize
10.8MB

Download