echelon | 0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9

General

Target

0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe
Size

1.3MB
MD5

9706ff18ad84be5c698f4ab7a8281bff
SHA1

4185e6bc2543925d96babb928a15f8dfd84027d8
SHA256

0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9
SHA512

fef75d0c0852e5ae5f8160f711b0c0d7d2c45529fbb863be9d3aee429e8f736477d353f7ae1541101e125658c2a9534596bfbef8e917a6a438df61ae98d1d711

Score

10^/10

echelon collection discovery spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Executes dropped EXE 1 IoCs

Processes:

Decoder.exe

pid process

4532 Decoder.exe

yara_rule
echelon_log_file

pid	process
4532	Decoder.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exeDecoder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Decoder.exe

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.ipify.org
11 api.ipify.org
12 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1016 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4584 timeout.exe
2580 timeout.exe

flow	ioc
10	api.ipify.org
11	api.ipify.org
12	ip-api.com

pid	process
1016	schtasks.exe

pid	process
4584	timeout.exe
2580	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exeDecoder.exe

pid	process
1440	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe
1440	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe
4532	Decoder.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exeDecoder.exe

description	pid	process
Token: SeDebugPrivilege	1440	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe
Token: SeDebugPrivilege	4532	Decoder.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.execmd.execmd.exeDecoder.exe

description	pid	process	target process
PID 1440 wrote to memory of 4532	1440	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe	Decoder.exe
PID 1440 wrote to memory of 4532	1440	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe	Decoder.exe
PID 1440 wrote to memory of 4708	1440	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe	cmd.exe
PID 1440 wrote to memory of 4708	1440	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe	cmd.exe
PID 1440 wrote to memory of 3384	1440	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe	cmd.exe
PID 1440 wrote to memory of 3384	1440	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe	cmd.exe
PID 4708 wrote to memory of 4584	4708	cmd.exe	timeout.exe
PID 4708 wrote to memory of 4584	4708	cmd.exe	timeout.exe
PID 3384 wrote to memory of 2580	3384	cmd.exe	timeout.exe
PID 3384 wrote to memory of 2580	3384	cmd.exe	timeout.exe
PID 4532 wrote to memory of 1016	4532	Decoder.exe	schtasks.exe
PID 4532 wrote to memory of 1016	4532	Decoder.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe

outlook_win_path 1 IoCs

Processes:

0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe

C:\Users\Admin\AppData\Local\Temp\0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe
"C:\Users\Admin\AppData\Local\Temp\0a63a636528473bd9ae6170a601ebf535de5eb0d4700dd653345bad8833c4bc9.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6937.tmp.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:4584

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\ProgramData\Decoder.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6937.tmp.cmd
MD5
0c75761cd5029fbbf1e07c38cf0e52ae

SHA1
fedfd770ddf5c809d5e6b6f16ff012781805f47d

SHA256
28b1d7e93951a5838b9dbf55832e5baff5566502f899062b5584f34562d8480e

SHA512
14d992fe0d4f71b4fd9948a2c739df3fc4fcd16beb33bb11eeba0651dc9af0d7859fc01e09bd9b54ba4eec510b19393dd549c3f93f11321388e9a0e01954c3ae

Download Submit
memory/1440-130-0x0000000000F60000-0x00000000010B4000-memory.dmp

Filesize
1.3MB

Download
memory/1440-132-0x000000001BE80000-0x000000001BE82000-memory.dmp

Filesize
8KB

Download
memory/1440-131-0x00007FFE82B80000-0x00007FFE83641000-memory.dmp

Filesize
10.8MB

Download
memory/4532-135-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/4532-138-0x00007FFE82B80000-0x00007FFE83641000-memory.dmp

Filesize
10.8MB

Download
memory/4532-139-0x000000001C620000-0x000000001C622000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads