Overview

overview

10

Static

static

14e6a9a5cd...97.exe

windows7_x64

10

14e6a9a5cd...97.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    09-03-2022 02:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14e6a9a5cdf93f21bf9a399a2578646628283e18203db77f1683415a690bf097.exe

  • Size

    4.1MB

  • MD5

    fe7cd92b40ea9ebf51959a1b919a20d7

  • SHA1

    73bfb575f745c52915fe31fb2e6a2232d5552bdd

  • SHA256

    14e6a9a5cdf93f21bf9a399a2578646628283e18203db77f1683415a690bf097

  • SHA512

    2dc856319e9b716e7dbe96051b19128d478ae333411e0d68c13400d02aef69e63006dcfc5640716f9f3a35310184b8a53ef451af411c9f7a9c168bad17d4a9f0

Score
10/10
echeloncollectiondiscoverypersistencespywarestealer

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Echelon log file 1 IoCs

    Detects a log file produced by Echelon.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14e6a9a5cdf93f21bf9a399a2578646628283e18203db77f1683415a690bf097.exe
    "C:\Users\Admin\AppData\Local\Temp\14e6a9a5cdf93f21bf9a399a2578646628283e18203db77f1683415a690bf097.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3232
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f8 0x240
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1352

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
    MD5

    340b294efc691d1b20c64175d565ebc7

    SHA1

    81cb9649bd1c9a62ae79e781818fc24d15c29ce7

    SHA256

    72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

    SHA512

    1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
    MD5

    3e7ecaeb51c2812d13b07ec852d74aaf

    SHA1

    e9bdab93596ffb0f7f8c65243c579180939acb26

    SHA256

    e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

    SHA512

    635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    MD5

    424bf196deaeb4ddcafb78e137fa560a

    SHA1

    007738e9486c904a3115daa6e8ba2ee692af58c8

    SHA256

    0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

    SHA512

    a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    MD5

    424bf196deaeb4ddcafb78e137fa560a

    SHA1

    007738e9486c904a3115daa6e8ba2ee692af58c8

    SHA256

    0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

    SHA512

    a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
    MD5

    618d5f06c3868bfc064320778aa79ff6

    SHA1

    2d23833601c3b5fb2a99ed98fc4913d8c5f1b623

    SHA256

    35374518d7f7512fb154d97922e2ca8ea79c57063fe1a23f71662a9c6ec08fec

    SHA512

    9a963740fa86c298cda8f5622d1de84a9afc58ec549c3b4c09e6eb2355b0dff7ff238e1f1cc9131893fed40144408b03feb7528dead10f4ba46e1d7eada2f606

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    MD5

    72b3025c34e21be41ef25a3692fd8d51

    SHA1

    6eaae8a9e3bf10705a4c8bc99302725cadd6f777

    SHA256

    fa5ceb4b01a7b0b77b7f229422e00921c46dd683d81a686550be51994b0d7ca3

    SHA512

    56276ce8c4c7341c2edd1c041ee6eba2cb525e181cf1cece3f8546394ea9521523823ab5981a2740e894a406908d7102c955428784a03d6e25b4e86401ff7197

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    MD5

    72b3025c34e21be41ef25a3692fd8d51

    SHA1

    6eaae8a9e3bf10705a4c8bc99302725cadd6f777

    SHA256

    fa5ceb4b01a7b0b77b7f229422e00921c46dd683d81a686550be51994b0d7ca3

    SHA512

    56276ce8c4c7341c2edd1c041ee6eba2cb525e181cf1cece3f8546394ea9521523823ab5981a2740e894a406908d7102c955428784a03d6e25b4e86401ff7197

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
    MD5

    68934a3e9455fa72420237eb05902327

    SHA1

    7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

    SHA256

    fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

    SHA512

    719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
    MD5

    c3256800dce47c14acc83ccca4c3e2ac

    SHA1

    9d126818c66991dbc3813a65eddb88bbcf77f30a

    SHA256

    f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

    SHA512

    6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
    MD5

    c3256800dce47c14acc83ccca4c3e2ac

    SHA1

    9d126818c66991dbc3813a65eddb88bbcf77f30a

    SHA256

    f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

    SHA512

    6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

    Download Submit

  • memory/3232-140-0x00000000008A0000-0x00000000009C8000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3232-142-0x000000001B490000-0x000000001B492000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3232-141-0x00007FFA9D680000-0x00007FFA9E141000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3232-143-0x000000001CB30000-0x000000001CB52000-memory.dmp

    Filesize

    136KB

    Download