Analysis
-
max time kernel
186s -
max time network
201s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08-07-2022 16:48
General
-
Target
94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
-
Size
6.0MB
-
MD5
56bee069313ec7dbdf30acb7c93ec7a3
-
SHA1
e8728f02760926850ec999b7c268e71fa7913585
-
SHA256
94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32
-
SHA512
31091c8e5b6ba413f39693022fabd6d25dda6a6cf3181934b81bbca8c396febc58b503afd52232c50081c6a1828f53d5ed2e07a2b2e9926c8160cd06ff60806e
Malware Config
Signatures
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Echelon log file 1 IoCs
Detects a log file produced by Echelon.
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe"C:\Users\Admin\AppData\Local\Temp\94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46KB
MD5e2a73f7858c2a2851213689f43f81cab
SHA1eb9e5818abdbf061ca88bdeebd222df0c9a7d1de
SHA2565d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148
SHA5121dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969
-
Filesize
23KB
MD5f4999039ba84e3dc7ff5be63c7c09ad8
SHA1281fa1ad745c52745bd2c2a9e17ce820005c7a00
SHA2561fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84
SHA51233acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725
-
Filesize
566KB
MD5caf5c96dcedbb1e5dbadc36c188a740f
SHA11b5fb7eb3c0608b84a8e330587a9424df83d4baa
SHA256753d026d8373b5c14321e518a724041e3166d626e1bd584f0469c21f5f04155a
SHA512c7328b1ed8b04acf6942f7404a1866048fe8644c0e262a2846f9170d745281b8fc335739356245393620754a4e1df9273f72a70ef20c0915f1a080aefd42e066
-
Filesize
566KB
MD5caf5c96dcedbb1e5dbadc36c188a740f
SHA11b5fb7eb3c0608b84a8e330587a9424df83d4baa
SHA256753d026d8373b5c14321e518a724041e3166d626e1bd584f0469c21f5f04155a
SHA512c7328b1ed8b04acf6942f7404a1866048fe8644c0e262a2846f9170d745281b8fc335739356245393620754a4e1df9273f72a70ef20c0915f1a080aefd42e066
-
Filesize
451KB
MD56ded8fcbf5f1d9e422b327ca51625e24
SHA18a1140cebc39f6994eef7e8de4627fb7b72a2dd9
SHA2563b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd
SHA512bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4
-
-
Filesize
480KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
592KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
10.1MB
-
Filesize
10.1MB