Overview

overview

10

Static

static

94e93ada21...32.exe

windows7_x64

10

94e93ada21...32.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-07-2022 16:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe

  • Size

    6.0MB

  • MD5

    56bee069313ec7dbdf30acb7c93ec7a3

  • SHA1

    e8728f02760926850ec999b7c268e71fa7913585

  • SHA256

    94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32

  • SHA512

    31091c8e5b6ba413f39693022fabd6d25dda6a6cf3181934b81bbca8c396febc58b503afd52232c50081c6a1828f53d5ed2e07a2b2e9926c8160cd06ff60806e

Score
10/10
echeloncollectiondiscoverypersistencespywarestealer

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Echelon log file 1 IoCs

    Detects a log file produced by Echelon.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
    "C:\Users\Admin\AppData\Local\Temp\94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
      "C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1608
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1608 -s 1816
        3⤵
        • Program crash
        PID:1028

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ChromV1.dll
    Filesize

    46KB

    MD5

    e2a73f7858c2a2851213689f43f81cab

    SHA1

    eb9e5818abdbf061ca88bdeebd222df0c9a7d1de

    SHA256

    5d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148

    SHA512

    1dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ChromV2.dll
    Filesize

    23KB

    MD5

    f4999039ba84e3dc7ff5be63c7c09ad8

    SHA1

    281fa1ad745c52745bd2c2a9e17ce820005c7a00

    SHA256

    1fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84

    SHA512

    33acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
    Filesize

    566KB

    MD5

    caf5c96dcedbb1e5dbadc36c188a740f

    SHA1

    1b5fb7eb3c0608b84a8e330587a9424df83d4baa

    SHA256

    753d026d8373b5c14321e518a724041e3166d626e1bd584f0469c21f5f04155a

    SHA512

    c7328b1ed8b04acf6942f7404a1866048fe8644c0e262a2846f9170d745281b8fc335739356245393620754a4e1df9273f72a70ef20c0915f1a080aefd42e066

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
    Filesize

    566KB

    MD5

    caf5c96dcedbb1e5dbadc36c188a740f

    SHA1

    1b5fb7eb3c0608b84a8e330587a9424df83d4baa

    SHA256

    753d026d8373b5c14321e518a724041e3166d626e1bd584f0469c21f5f04155a

    SHA512

    c7328b1ed8b04acf6942f7404a1866048fe8644c0e262a2846f9170d745281b8fc335739356245393620754a4e1df9273f72a70ef20c0915f1a080aefd42e066

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
    Filesize

    451KB

    MD5

    6ded8fcbf5f1d9e422b327ca51625e24

    SHA1

    8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

    SHA256

    3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

    SHA512

    bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MegaApiClient.dll
    Filesize

    94KB

    MD5

    27b9265bfa1c0fd0aea87a32a55b32b4

    SHA1

    861d3f9099f5b409e0990e831499eddd0da7e57f

    SHA256

    f4da53f798d62937f12171b47f72c8539845ff5ac3d011be193d3bdc271dd9f1

    SHA512

    4f0f50038a5bdc894cddf9faed00c22ea91266149710c2f5f0e7bf0974fd50cd41b0e323c602f8e0c7be7a465dddebab2befca29a284a68f97c7acd9c5b90f82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
    Filesize

    512KB

    MD5

    505a541a82ab519e991c895a30a99852

    SHA1

    ac99dfb7a890ddb254ec65dafdcfef4b657117a1

    SHA256

    072f358c2a0a4f6f15620baf4661536c977e92add2d06b6f5e520f294feca467

    SHA512

    4d2471d371f93eb40cc36bd82dc5b778274c4db0b3e66242ad6ec7910d105cc2984f601a3343f669cdc2d35c476b747620aeb72ed678490d10bf88ccba7ff12f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Enchelon.exe
    Filesize

    566KB

    MD5

    caf5c96dcedbb1e5dbadc36c188a740f

    SHA1

    1b5fb7eb3c0608b84a8e330587a9424df83d4baa

    SHA256

    753d026d8373b5c14321e518a724041e3166d626e1bd584f0469c21f5f04155a

    SHA512

    c7328b1ed8b04acf6942f7404a1866048fe8644c0e262a2846f9170d745281b8fc335739356245393620754a4e1df9273f72a70ef20c0915f1a080aefd42e066

    Download Submit

  • memory/384-54-0x0000000000400000-0x0000000000E1E000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/384-55-0x00000000763E1000-0x00000000763E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/384-61-0x0000000000400000-0x0000000000E1E000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1028-72-0x0000000000000000-mapping.dmp

    Download

  • memory/1608-63-0x0000000000940000-0x00000000009B8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1608-65-0x00000000005D0000-0x00000000005E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1608-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1608-67-0x00000000005F0000-0x00000000005FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1608-69-0x0000000000AE0000-0x0000000000AFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1608-60-0x00000000012C0000-0x0000000001354000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1608-71-0x000000001BB60000-0x000000001BBE6000-memory.dmp

    Filesize

    536KB

    Download