echelon | 8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9

General

Target

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
Size

6.0MB
MD5

bb0296a088bb59beb5a1036deaf7fdd9
SHA1

9d21aeeb734f80d302c82098a3033463842ebb1f
SHA256

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9
SHA512

1bb684a262198a033f06d45d6712a89a2783644783947febe9e1a9b77c1577249c4691bc256c4a975b498c650efd5bf1e0016f2a354f8a3939d33168df72f671

Score

10^/10

echelon collection discovery persistence spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Echelon log file 1 IoCs

Detects a log file produced by Echelon.

Processes:

yara_rule
echelon_log_file

Executes dropped EXE 1 IoCs

Processes:

Enchelon.exe

pid	Process
1436	Enchelon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Enchelon.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Enchelon.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Enchelon.exe"	Enchelon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
23	api.ipify.org
24	ip-api.com
22	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe

pid	Process
1416	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
60	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exeEnchelon.exe

pid	Process
1416	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
1416	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
1416	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
1416	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
1436	Enchelon.exe
1436	Enchelon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Enchelon.exe

description	pid	Process
Token: SeDebugPrivilege	1436	Enchelon.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exeEnchelon.execmd.exe

description	pid	Process	procid_target
PID 1416 wrote to memory of 1436	1416	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe	82
PID 1416 wrote to memory of 1436	1416	8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe	82
PID 1436 wrote to memory of 3844	1436	Enchelon.exe	91
PID 1436 wrote to memory of 3844	1436	Enchelon.exe	91
PID 3844 wrote to memory of 60	3844	cmd.exe	93
PID 3844 wrote to memory of 60	3844	cmd.exe	93

outlook_office_path 1 IoCs

Processes:

Enchelon.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

outlook_win_path 1 IoCs

Processes:

Enchelon.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

C:\Users\Admin\AppData\Local\Temp\8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe
"C:\Users\Admin\AppData\Local\Temp\8d26ad6421d84b4d824b1f31e33f9cf878e14e4a06da9e404230bbbee07286e9.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
  "C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC1C.tmp.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\system32\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:60

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChromV1.dll

Filesize
46KB

MD5
e2a73f7858c2a2851213689f43f81cab

SHA1
eb9e5818abdbf061ca88bdeebd222df0c9a7d1de

SHA256
5d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148

SHA512
1dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromV2.dll

Filesize
23KB

MD5
f4999039ba84e3dc7ff5be63c7c09ad8

SHA1
281fa1ad745c52745bd2c2a9e17ce820005c7a00

SHA256
1fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84

SHA512
33acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe

Filesize
566KB

MD5
e2e0aa6290348b2b784c882d38e244a9

SHA1
6bb4d477947ca1d935ba4d004e97b2a9428251a5

SHA256
bb7b792d50aa66d1a405fd5a05b93d14dca8533a803edf28921e4744c0d255ca

SHA512
df43fe049a5e473c2a7c47726d7cc7a88323bfc3ea3655c2a8a89545ae315cf95547f1c02d5af6471f18fc4e15c040bf525f19b6ca84963f6927014b35f05d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe

Filesize
566KB

MD5
e2e0aa6290348b2b784c882d38e244a9

SHA1
6bb4d477947ca1d935ba4d004e97b2a9428251a5

SHA256
bb7b792d50aa66d1a405fd5a05b93d14dca8533a803edf28921e4744c0d255ca

SHA512
df43fe049a5e473c2a7c47726d7cc7a88323bfc3ea3655c2a8a89545ae315cf95547f1c02d5af6471f18fc4e15c040bf525f19b6ca84963f6927014b35f05d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MegaApiClient.dll

Filesize
94KB

MD5
27b9265bfa1c0fd0aea87a32a55b32b4

SHA1
861d3f9099f5b409e0990e831499eddd0da7e57f

SHA256
f4da53f798d62937f12171b47f72c8539845ff5ac3d011be193d3bdc271dd9f1

SHA512
4f0f50038a5bdc894cddf9faed00c22ea91266149710c2f5f0e7bf0974fd50cd41b0e323c602f8e0c7be7a465dddebab2befca29a284a68f97c7acd9c5b90f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
512KB

MD5
505a541a82ab519e991c895a30a99852

SHA1
ac99dfb7a890ddb254ec65dafdcfef4b657117a1

SHA256
072f358c2a0a4f6f15620baf4661536c977e92add2d06b6f5e520f294feca467

SHA512
4d2471d371f93eb40cc36bd82dc5b778274c4db0b3e66242ad6ec7910d105cc2984f601a3343f669cdc2d35c476b747620aeb72ed678490d10bf88ccba7ff12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC1C.tmp.cmd

Filesize
157B

MD5
2c24ebb2a37822757bab4d8b1a303940

SHA1
bbd21ec81fd9c7141e18e41e0fa9ff9728c1be9f

SHA256
8cb36377393e2561e84fc1991a30028efdf49f63f66ab780e3263178750c17d4

SHA512
1378e72fe8eea4f67acfb577ff639bb154aa560ceeda24cb3b46a95a527095bd7eb538faae013f96fe59923fbd0d4e453d90343045c8b461902d9529a3674bb0

Download Submit
memory/60-153-0x0000000000000000-mapping.dmp

Download
memory/1416-137-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/1416-130-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/1416-132-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/1416-131-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/1436-136-0x00000000009F0000-0x0000000000A84000-memory.dmp

Filesize
592KB

Download
memory/1436-144-0x000000001B5E0000-0x000000001B5EC000-memory.dmp

Filesize
48KB

Download
memory/1436-145-0x00007FF922F40000-0x00007FF923A01000-memory.dmp

Filesize
10.8MB

Download
memory/1436-142-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/1436-147-0x000000001D0F0000-0x000000001D10E000-memory.dmp

Filesize
120KB

Download
memory/1436-140-0x000000001BAD0000-0x000000001BB48000-memory.dmp

Filesize
480KB

Download
memory/1436-149-0x000000001D8F0000-0x000000001D976000-memory.dmp

Filesize
536KB

Download
memory/1436-150-0x000000001D110000-0x000000001D132000-memory.dmp

Filesize
136KB

Download
memory/1436-138-0x00007FF922F40000-0x00007FF923A01000-memory.dmp

Filesize
10.8MB

Download
memory/1436-133-0x0000000000000000-mapping.dmp

Download
memory/1436-154-0x00007FF922F40000-0x00007FF923A01000-memory.dmp

Filesize
10.8MB

Download
memory/3844-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads