echelon | 94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32

General

Target

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
Size

6.0MB
MD5

56bee069313ec7dbdf30acb7c93ec7a3
SHA1

e8728f02760926850ec999b7c268e71fa7913585
SHA256

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32
SHA512

31091c8e5b6ba413f39693022fabd6d25dda6a6cf3181934b81bbca8c396febc58b503afd52232c50081c6a1828f53d5ed2e07a2b2e9926c8160cd06ff60806e

Score

10^/10

echelon collection discovery persistence spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Executes dropped EXE 1 IoCs

Processes:

Enchelon.exe

pid process

3148 Enchelon.exe

yara_rule
echelon_log_file

pid	process
3148	Enchelon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Enchelon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Enchelon.exe"	Enchelon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.ipify.org
49 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe

pid process

4504 94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
18	api.ipify.org
49	ip-api.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exeEnchelon.exe

pid	process
4504	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
4504	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
4504	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
4504	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
3148	Enchelon.exe
3148	Enchelon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Enchelon.exe

description pid process

Token: SeDebugPrivilege 3148 Enchelon.exe

description	pid	process
Token: SeDebugPrivilege	3148	Enchelon.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe

description	pid	process	target process
PID 4504 wrote to memory of 3148	4504	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe	Enchelon.exe
PID 4504 wrote to memory of 3148	4504	94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe	Enchelon.exe

outlook_office_path 1 IoCs

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

outlook_win_path 1 IoCs

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

C:\Users\Admin\AppData\Local\Temp\94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe
"C:\Users\Admin\AppData\Local\Temp\94e93ada2127d906e40067ec89da68685df86d537878d47415ab8dac1a9a0d32.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4504

C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
"C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChromV1.dll
Filesize
46KB

MD5
e2a73f7858c2a2851213689f43f81cab

SHA1
eb9e5818abdbf061ca88bdeebd222df0c9a7d1de

SHA256
5d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148

SHA512
1dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromV2.dll
Filesize
23KB

MD5
f4999039ba84e3dc7ff5be63c7c09ad8

SHA1
281fa1ad745c52745bd2c2a9e17ce820005c7a00

SHA256
1fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84

SHA512
33acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
Filesize
566KB

MD5
caf5c96dcedbb1e5dbadc36c188a740f

SHA1
1b5fb7eb3c0608b84a8e330587a9424df83d4baa

SHA256
753d026d8373b5c14321e518a724041e3166d626e1bd584f0469c21f5f04155a

SHA512
c7328b1ed8b04acf6942f7404a1866048fe8644c0e262a2846f9170d745281b8fc335739356245393620754a4e1df9273f72a70ef20c0915f1a080aefd42e066

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
Filesize
566KB

MD5
caf5c96dcedbb1e5dbadc36c188a740f

SHA1
1b5fb7eb3c0608b84a8e330587a9424df83d4baa

SHA256
753d026d8373b5c14321e518a724041e3166d626e1bd584f0469c21f5f04155a

SHA512
c7328b1ed8b04acf6942f7404a1866048fe8644c0e262a2846f9170d745281b8fc335739356245393620754a4e1df9273f72a70ef20c0915f1a080aefd42e066

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
memory/3148-132-0x0000000000000000-mapping.dmp

Download
memory/3148-138-0x000000001B250000-0x000000001B2C8000-memory.dmp

Filesize
480KB

Download
memory/3148-139-0x00007FFADD3B0000-0x00007FFADDE71000-memory.dmp

Filesize
10.8MB

Download
memory/3148-141-0x000000001ADC0000-0x000000001ADD2000-memory.dmp

Filesize
72KB

Download
memory/3148-135-0x00000000001C0000-0x0000000000254000-memory.dmp

Filesize
592KB

Download
memory/3148-143-0x000000001ADB0000-0x000000001ADBC000-memory.dmp

Filesize
48KB

Download
memory/3148-144-0x00007FFADD3B0000-0x00007FFADDE71000-memory.dmp

Filesize
10.8MB

Download
memory/4504-136-0x0000000000400000-0x0000000000E1E000-memory.dmp

Filesize
10.1MB

Download
memory/4504-131-0x0000000000400000-0x0000000000E1E000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads