echelon | ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905

General

Target

ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
Size

1018KB
MD5

6ac52086b2353d329f2c6b96dfc4b2bd
SHA1

c9ab0a3a4c3439d15ad30a6ea0ad738296853b24
SHA256

ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905
SHA512

c86f4ce9c915419fe4f43af577ac930413665e4ae9df7453047abe445a08f3910a2e7929d580ba57ecf694302e4f08949ca24278e5f463cc947f32036979f6ff

Score

10^/10

echelon collection discovery spyware stealer vmprotect

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Executes dropped EXE 2 IoCs

pid	Process
4036	Decoder.exe
83960	systems32.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4036-136-0x00000000001C0000-0x00000000001F2000-memory.dmp	vmprotect
behavioral2/files/0x0006000000023184-135.dat	vmprotect
behavioral2/files/0x0006000000023184-133.dat	vmprotect
behavioral2/files/0x000700000002311c-144.dat	vmprotect
behavioral2/files/0x000700000002311c-145.dat	vmprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Decoder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	systems32.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	api.ipify.org
7	api.ipify.org
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
368	schtasks.exe
85884	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3696	timeout.exe
4004	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
688	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
688	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
4036	Decoder.exe
83960	systems32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
Token: SeDebugPrivilege	4036	Decoder.exe
Token: SeDebugPrivilege	83960	systems32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 4036	688	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	80
PID 688 wrote to memory of 4036	688	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	80
PID 688 wrote to memory of 1584	688	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	81
PID 688 wrote to memory of 1584	688	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	81
PID 688 wrote to memory of 1992	688	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	82
PID 688 wrote to memory of 1992	688	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe	82
PID 1584 wrote to memory of 3696	1584	cmd.exe	85
PID 1584 wrote to memory of 3696	1584	cmd.exe	85
PID 1992 wrote to memory of 4004	1992	cmd.exe	86
PID 1992 wrote to memory of 4004	1992	cmd.exe	86
PID 4036 wrote to memory of 368	4036	Decoder.exe	87
PID 4036 wrote to memory of 368	4036	Decoder.exe	87
PID 83960 wrote to memory of 85884	83960	systems32.exe	90
PID 83960 wrote to memory of 85884	83960	systems32.exe	90

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe

C:\Users\Admin\AppData\Local\Temp\ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe
"C:\Users\Admin\AppData\Local\Temp\ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:688
- C:\ProgramData\Decoder.exe
  "C:\ProgramData\Decoder.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\system32\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4631.tmp.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\system32\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:4004

C:\systems32_bit\systems32.exe
\systems32_bit\systems32.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:83960
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:85884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

Filesize
148KB

MD5
21998709466c12a52cbc5aff86744aae

SHA1
5cbb11d167af1e1e1d10f920b084e26a89d5441f

SHA256
96d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03

SHA512
75398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862

Download Submit
C:\ProgramData\Decoder.exe

Filesize
148KB

MD5
21998709466c12a52cbc5aff86744aae

SHA1
5cbb11d167af1e1e1d10f920b084e26a89d5441f

SHA256
96d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03

SHA512
75398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
85B

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4631.tmp.cmd

Filesize
131B

MD5
ec87d705492f21072aa8ed84d8460913

SHA1
8c60316ebe1363711bca79834b0c3188ab671e7c

SHA256
752bb68b499557b284e696e1a55cb521e54d7420f5ee6c62232ade6f0610222e

SHA512
ee133a34e9c84b7d23c3c5032a8ec397b61fcef7dd3053eb232410e6c6016b1322723cec9e6735ae33cf20ea6093854d1e010dbc54181b52c0657a91c5498696

Download Submit
C:\systems32_bit\systems32.exe

Filesize
148KB

MD5
21998709466c12a52cbc5aff86744aae

SHA1
5cbb11d167af1e1e1d10f920b084e26a89d5441f

SHA256
96d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03

SHA512
75398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862

Download Submit
C:\systems32_bit\systems32.exe

Filesize
148KB

MD5
21998709466c12a52cbc5aff86744aae

SHA1
5cbb11d167af1e1e1d10f920b084e26a89d5441f

SHA256
96d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03

SHA512
75398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862

Download Submit
memory/688-130-0x0000000000FE0000-0x00000000010E4000-memory.dmp

Filesize
1.0MB

Download
memory/688-131-0x00007FF9F8710000-0x00007FF9F91D1000-memory.dmp

Filesize
10.8MB

Download
memory/4036-143-0x00007FF9F8710000-0x00007FF9F91D1000-memory.dmp

Filesize
10.8MB

Download
memory/4036-136-0x00000000001C0000-0x00000000001F2000-memory.dmp

Filesize
200KB

Download
memory/83960-147-0x00007FF9F8710000-0x00007FF9F91D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads