Overview

overview

10

Static

static

8d26ad6421...e9.exe

windows7_x64

10

8d26ad6421...e9.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    41s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-07-2022 08:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe

  • Size

    6.0MB

  • MD5

    bb0296a088bb59beb5a1036deaf7fdd9

  • SHA1

    9d21aeeb734f80d302c82098a3033463842ebb1f

  • SHA256

    8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9

  • SHA512

    1bb684a262198a033f06d45d6712a89a2783644783947febe9e1a9b77c1577249c4691bc256c4a975b498c650efd5bf1e0016f2a354f8a3939d33168df72f671

Score
10/10
echeloncollectiondiscoverypersistencespywarestealer

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Echelon log file 1 IoCs

    Detects a log file produced by Echelon.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
    "C:\Users\Admin\AppData\Local\Temp\8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
      "C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1840
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1840 -s 1732
        3⤵
        • Program crash
        PID:584

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ChromV1.dll
    Filesize

    46KB

    MD5

    e2a73f7858c2a2851213689f43f81cab

    SHA1

    eb9e5818abdbf061ca88bdeebd222df0c9a7d1de

    SHA256

    5d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148

    SHA512

    1dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ChromV2.dll
    Filesize

    23KB

    MD5

    f4999039ba84e3dc7ff5be63c7c09ad8

    SHA1

    281fa1ad745c52745bd2c2a9e17ce820005c7a00

    SHA256

    1fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84

    SHA512

    33acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
    Filesize

    566KB

    MD5

    e2e0aa6290348b2b784c882d38e244a9

    SHA1

    6bb4d477947ca1d935ba4d004e97b2a9428251a5

    SHA256

    bb7b792d50aa66d1a405fd5a05b93d14dca8533a803edf28921e4744c0d255ca

    SHA512

    df43fe049a5e473c2a7c47726d7cc7a88323bfc3ea3655c2a8a89545ae315cf95547f1c02d5af6471f18fc4e15c040bf525f19b6ca84963f6927014b35f05d1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
    Filesize

    566KB

    MD5

    e2e0aa6290348b2b784c882d38e244a9

    SHA1

    6bb4d477947ca1d935ba4d004e97b2a9428251a5

    SHA256

    bb7b792d50aa66d1a405fd5a05b93d14dca8533a803edf28921e4744c0d255ca

    SHA512

    df43fe049a5e473c2a7c47726d7cc7a88323bfc3ea3655c2a8a89545ae315cf95547f1c02d5af6471f18fc4e15c040bf525f19b6ca84963f6927014b35f05d1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
    Filesize

    451KB

    MD5

    6ded8fcbf5f1d9e422b327ca51625e24

    SHA1

    8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

    SHA256

    3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

    SHA512

    bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MegaApiClient.dll
    Filesize

    94KB

    MD5

    27b9265bfa1c0fd0aea87a32a55b32b4

    SHA1

    861d3f9099f5b409e0990e831499eddd0da7e57f

    SHA256

    f4da53f798d62937f12171b47f72c8539845ff5ac3d011be193d3bdc271dd9f1

    SHA512

    4f0f50038a5bdc894cddf9faed00c22ea91266149710c2f5f0e7bf0974fd50cd41b0e323c602f8e0c7be7a465dddebab2befca29a284a68f97c7acd9c5b90f82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
    Filesize

    512KB

    MD5

    505a541a82ab519e991c895a30a99852

    SHA1

    ac99dfb7a890ddb254ec65dafdcfef4b657117a1

    SHA256

    072f358c2a0a4f6f15620baf4661536c977e92add2d06b6f5e520f294feca467

    SHA512

    4d2471d371f93eb40cc36bd82dc5b778274c4db0b3e66242ad6ec7910d105cc2984f601a3343f669cdc2d35c476b747620aeb72ed678490d10bf88ccba7ff12f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Enchelon.exe
    Filesize

    566KB

    MD5

    e2e0aa6290348b2b784c882d38e244a9

    SHA1

    6bb4d477947ca1d935ba4d004e97b2a9428251a5

    SHA256

    bb7b792d50aa66d1a405fd5a05b93d14dca8533a803edf28921e4744c0d255ca

    SHA512

    df43fe049a5e473c2a7c47726d7cc7a88323bfc3ea3655c2a8a89545ae315cf95547f1c02d5af6471f18fc4e15c040bf525f19b6ca84963f6927014b35f05d1a

    Download Submit

  • memory/584-72-0x0000000000000000-mapping.dmp

    Download

  • memory/1764-55-0x0000000074F91000-0x0000000074F93000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1764-60-0x0000000000400000-0x0000000000E1D000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1764-54-0x0000000000400000-0x0000000000E1D000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1840-61-0x0000000000B20000-0x0000000000BB4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1840-67-0x00000000002C0000-0x00000000002CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1840-65-0x0000000000660000-0x0000000000672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1840-69-0x0000000000AC0000-0x0000000000ADE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1840-63-0x00000000005E0000-0x0000000000658000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1840-71-0x000000001BC80000-0x000000001BD06000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1840-57-0x0000000000000000-mapping.dmp

    Download