Overview

overview

10

Static

static

ce8ae5acde...2b.exe

windows7_x64

8

ce8ae5acde...2b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    09-03-2022 01:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe

  • Size

    1.7MB

  • MD5

    b0338e58388c9040a0f88d0f44ef3714

  • SHA1

    7e664c348735efed508666fec173bb17fa8025f8

  • SHA256

    ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b

  • SHA512

    b5d52004d648da1ea0973186281b0cf34a8bee04f10bcce14e6ebc231ff768d0dc37fe2b3e231cb6dfd8b8f9cf6f2af0fb2ec65d860473a2cbd2a5672aedd899

Score
10/10
echeloncollectiondiscoveryspywarestealervmprotect

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Echelon log file 1 IoCs

    Detects a log file produced by Echelon.

  • Executes dropped EXE 4 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe
    "C:\Users\Admin\AppData\Local\Temp\ce8ae5acdeccfbc302bf99ddc799bfc747119dce76f0dc589df4232b6247842b.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
          Echelonyes.sfx.exe -pMgXwXO}F -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1188
          • C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe
            "C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • outlook_office_path
            • outlook_win_path
            PID:3336
            • C:\ProgramData\Decoder.exe
              "C:\ProgramData\Decoder.exe"
              6⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Drops startup file
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3820
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
                7⤵
                • Creates scheduled task(s)
                PID:1484
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2000
              • C:\Windows\system32\timeout.exe
                timeout 4
                7⤵
                • Delays execution with timeout.exe
                PID:2532
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDAB.tmp.cmd""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2464
              • C:\Windows\system32\timeout.exe
                timeout 4
                7⤵
                • Delays execution with timeout.exe
                PID:1004
  • C:\systems32_bit\systems32.exe
    \systems32_bit\systems32.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:240576
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
      2⤵
      • Creates scheduled task(s)
      PID:242696

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Decoder.exe
    MD5

    e753a9a4c3a393d9eccc31e5c6aded66

    SHA1

    5501ae71598925711dbee54f6ee1c827dd01d845

    SHA256

    52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

    SHA512

    ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

    Download Submit

  • C:\ProgramData\Decoder.exe
    MD5

    e753a9a4c3a393d9eccc31e5c6aded66

    SHA1

    5501ae71598925711dbee54f6ee1c827dd01d845

    SHA256

    52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

    SHA512

    ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\.cmd
    MD5

    73712247036b6a24d16502c57a3e5679

    SHA1

    65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

    SHA256

    8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

    SHA512

    548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe
    MD5

    1fa6f0632a72b1162b1b29a0b869fa90

    SHA1

    7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

    SHA256

    3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

    SHA512

    92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Echelonyes.exe
    MD5

    1fa6f0632a72b1162b1b29a0b869fa90

    SHA1

    7169e89c84f7ddbd52fd4eb7363f98684e3d6a8b

    SHA256

    3d05d546ae0ab935f4fb6562945805de7d1d56957f5dfb6c6e40cf2bc3270ff2

    SHA512

    92a21ab47e57a8c6ce430607a51ea4a59e910efdbc045dd8442d74a9c5ead7c26ecc0a4b73ed379669f8be0dd710f2fd9c70b580114e53abe114a2603a4fcfba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
    MD5

    379c4da3d182dc8adbc5df1f0dbde542

    SHA1

    7b43213139780da48b2d36430d664f09c0568faf

    SHA256

    080fdedd00b6d9b82fd6c758591cac8c4c53ce4994cfd127eecbffdc74cccbc0

    SHA512

    7f55ba9a1296534743805abe8210d1649696f0361d9c35fe61d72c7e3e51e17dcc6b6e3ebaf4f4385a8b0777ad933ffd8d47ed37e786fdf90404750c6b7d0d8b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Echelonyes.sfx.exe
    MD5

    379c4da3d182dc8adbc5df1f0dbde542

    SHA1

    7b43213139780da48b2d36430d664f09c0568faf

    SHA256

    080fdedd00b6d9b82fd6c758591cac8c4c53ce4994cfd127eecbffdc74cccbc0

    SHA512

    7f55ba9a1296534743805abe8210d1649696f0361d9c35fe61d72c7e3e51e17dcc6b6e3ebaf4f4385a8b0777ad933ffd8d47ed37e786fdf90404750c6b7d0d8b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    MD5

    bfcc1b768af96c396d04795313972815

    SHA1

    26a9be4a505b98beacc0291c9ec43de739568444

    SHA256

    858c103ed517819c917bd859da7c0664cab0a6d5d868d7381aa7091ebbe6c240

    SHA512

    eabcfed61407fe3e350aeb7ba5a2948647747970da6cbe62f5ed3b12138f4924dbcd8036d69c88669031a6cc82a88dfe14c8d39906309d74a237e86daf753921

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBDAB.tmp.cmd
    MD5

    f5e2aa477ee0ad18903b72a51bfbb190

    SHA1

    61fdb205c6e0b7d81e5b0212b65d9a82cf815db8

    SHA256

    462e253e94aa2a0d700433846b2507e8356c65b9693a909db8acdd27941b9ab0

    SHA512

    4eed3b39c05b797f6d806abf0a8accfb0aac1eaf5961ca20fd434f4eac2eac5158995887c228439fb4489b5ae61f6d5c17eb947e99edf7478d2396eecfbd46cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbs.vbs
    MD5

    dc06d3c7415f4f6b05272426a63e9fd1

    SHA1

    2a148ec726cde2a19222c03ebf2cf48e8a5c171f

    SHA256

    101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

    SHA512

    d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

    Download Submit

  • C:\systems32_bit\systems32.exe
    MD5

    e753a9a4c3a393d9eccc31e5c6aded66

    SHA1

    5501ae71598925711dbee54f6ee1c827dd01d845

    SHA256

    52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

    SHA512

    ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

    Download Submit

  • C:\systems32_bit\systems32.exe
    MD5

    e753a9a4c3a393d9eccc31e5c6aded66

    SHA1

    5501ae71598925711dbee54f6ee1c827dd01d845

    SHA256

    52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

    SHA512

    ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

    Download Submit

  • memory/3336-136-0x0000000000350000-0x0000000000606000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/3336-137-0x00007FF9E5A10000-0x00007FF9E64D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3336-140-0x000000001B4D0000-0x000000001B4D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3336-141-0x0000000000B10000-0x0000000000B11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3820-144-0x0000000000F50000-0x0000000000F60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3820-148-0x000000001C050000-0x000000001C052000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3820-147-0x00007FF9E5A10000-0x00007FF9E64D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/240576-152-0x000000001B780000-0x000000001B782000-memory.dmp

    Filesize

    8KB

    Download

  • memory/240576-151-0x00007FF9E5A10000-0x00007FF9E64D1000-memory.dmp

    Filesize

    10.8MB

    Download