echelon | be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702

Analysis

max time kernel
4294180s
max time network
132s
platform
windows7_x64
resource
win7-20220311-en
submitted
20-03-2022 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe
Size

2.3MB
MD5

33457a5418912781388994b3d6380669
SHA1

afb62f3fa4d7a5f08066e16160b567842e9321f3
SHA256

be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702
SHA512

172b1f756c23d9455935f5f1a4e6f060b85485fae6f89a83a077106a5769dc4dbc69c98a119d5e5f9c40c8532dcfda2cafdb70599019bcf1d413d41e853c0844

Score

10^/10

echelon collection discovery spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Echelon log file 1 IoCs

Detects a log file produced by Echelon.

Processes:

yara_rule
echelon_log_file

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid	Process
588	images.exe

Loads dropped DLL 9 IoCs

Processes:

be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exeWerFault.exe

pid	Process
2012	be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe
2012	be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe
2012	be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe
2012	be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

images.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip-api.com
8	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

Processes:

images.exe

pid	Process
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
560	588	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

images.exe

pid	Process
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe
588	images.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

images.exe

description	pid	Process
Token: SeDebugPrivilege	588	images.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

images.exe

pid	Process
588	images.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exeimages.exe

description	pid	Process	procid_target
PID 2012 wrote to memory of 588	2012	be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe	27
PID 2012 wrote to memory of 588	2012	be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe	27
PID 2012 wrote to memory of 588	2012	be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe	27
PID 2012 wrote to memory of 588	2012	be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe	27
PID 588 wrote to memory of 560	588	images.exe	31
PID 588 wrote to memory of 560	588	images.exe	31
PID 588 wrote to memory of 560	588	images.exe	31
PID 588 wrote to memory of 560	588	images.exe	31

outlook_office_path 1 IoCs

Processes:

images.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe

outlook_win_path 1 IoCs

Processes:

images.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe

C:\Users\Admin\AppData\Local\Temp\be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe
"C:\Users\Admin\AppData\Local\Temp\be998bee0c372d6f3b93b35ffc71b31f7f708d72ec4999a663162de9d1e23702.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Public\Downloads\images.exe
  "C:\Users\Public\Downloads\images.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 1860
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
\??\c:\users\public\downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
\Users\Public\Downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
\Users\Public\Downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
\Users\Public\Downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
\Users\Public\Downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
\Users\Public\Downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
\Users\Public\Downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
\Users\Public\Downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
\Users\Public\Downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
\Users\Public\Downloads\images.exe

MD5
3f7049b2c628eac94f17629f3e7d5830

SHA1
61ad825e39e19472d06a3080367a858e18187d05

SHA256
af6007d4070af7905884ce20a46aaf674edf8e983912ced713575fdd867d6ab7

SHA512
6a1f40a580edc535fdf3a0e0ebe32e18b532d316258a709e59ba7fca96699de58fb42ee20e1098df9f832829bc30acb09f1c8ee6c44231dad3892b2d961644ff

Download Submit
memory/588-67-0x0000000002B40000-0x0000000002B4E000-memory.dmp

Filesize
56KB

Download
memory/588-68-0x0000000003405000-0x0000000003416000-memory.dmp

Filesize
68KB

Download
memory/588-69-0x0000000003416000-0x0000000003417000-memory.dmp

Filesize
4KB

Download
memory/588-70-0x0000000003417000-0x0000000003418000-memory.dmp

Filesize
4KB

Download
memory/588-71-0x0000000003418000-0x0000000003419000-memory.dmp

Filesize
4KB

Download
memory/588-72-0x0000000003020000-0x000000000303E000-memory.dmp

Filesize
120KB

Download
memory/588-73-0x0000000006E10000-0x0000000006EA0000-memory.dmp

Filesize
576KB

Download
memory/588-66-0x0000000001330000-0x0000000001344000-memory.dmp

Filesize
80KB

Download
memory/588-65-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/588-64-0x0000000002EC0000-0x0000000002F04000-memory.dmp

Filesize
272KB

Download
memory/588-63-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/588-62-0x0000000001340000-0x0000000001736000-memory.dmp

Filesize
4.0MB

Download
memory/2012-54-0x0000000075D31000-0x0000000075D33000-memory.dmp

Filesize
8KB

Download