Overview

overview

10

Static

static

70eb349c78...44.exe

windows7_x64

10

70eb349c78...44.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    46s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-07-2022 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe

  • Size

    6.1MB

  • MD5

    1f3198dfa1b72086ee1c49a469769c37

  • SHA1

    f98f1127388bf739996d2627efb3aac474d5ad42

  • SHA256

    70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44

  • SHA512

    9d7ecc95d774075449cdd8986a392f61ddecba97769d736b0200ac811155f37efa4ee2388ea8232e7d505f6b0c1f3c2d5b9d165ab965cf3411d905c52a9243a2

Score
10/10
echeloncollectiondiscoverypersistencespywarestealer

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Echelon log file 1 IoCs

    Detects a log file produced by Echelon.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
    "C:\Users\Admin\AppData\Local\Temp\70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
      "C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1532
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1532 -s 1744
        3⤵
        • Program crash
        PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ChromV1.dll
    Filesize

    46KB

    MD5

    e2a73f7858c2a2851213689f43f81cab

    SHA1

    eb9e5818abdbf061ca88bdeebd222df0c9a7d1de

    SHA256

    5d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148

    SHA512

    1dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ChromV2.dll
    Filesize

    23KB

    MD5

    f4999039ba84e3dc7ff5be63c7c09ad8

    SHA1

    281fa1ad745c52745bd2c2a9e17ce820005c7a00

    SHA256

    1fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84

    SHA512

    33acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
    Filesize

    564KB

    MD5

    03f79d4e5bdc0b830947bf103112b3bb

    SHA1

    07d65e2d43c1bca29d8526bdc29095689b06e8b3

    SHA256

    78dbb719e5e435447c4f4273478827536c3e9bb2f5bb8f31e5bb8c00c2c38036

    SHA512

    2cbda91efb4e8db684de1e2718129ffd02663e8f97183af8c8ef4e40a1dfd89a7bee72a216c4d609b730fceb84f48b8ffd590baafb9cdcc80f4365fc9f1b9952

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
    Filesize

    564KB

    MD5

    03f79d4e5bdc0b830947bf103112b3bb

    SHA1

    07d65e2d43c1bca29d8526bdc29095689b06e8b3

    SHA256

    78dbb719e5e435447c4f4273478827536c3e9bb2f5bb8f31e5bb8c00c2c38036

    SHA512

    2cbda91efb4e8db684de1e2718129ffd02663e8f97183af8c8ef4e40a1dfd89a7bee72a216c4d609b730fceb84f48b8ffd590baafb9cdcc80f4365fc9f1b9952

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
    Filesize

    451KB

    MD5

    6ded8fcbf5f1d9e422b327ca51625e24

    SHA1

    8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

    SHA256

    3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

    SHA512

    bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MegaApiClient.dll
    Filesize

    94KB

    MD5

    27b9265bfa1c0fd0aea87a32a55b32b4

    SHA1

    861d3f9099f5b409e0990e831499eddd0da7e57f

    SHA256

    f4da53f798d62937f12171b47f72c8539845ff5ac3d011be193d3bdc271dd9f1

    SHA512

    4f0f50038a5bdc894cddf9faed00c22ea91266149710c2f5f0e7bf0974fd50cd41b0e323c602f8e0c7be7a465dddebab2befca29a284a68f97c7acd9c5b90f82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
    Filesize

    512KB

    MD5

    505a541a82ab519e991c895a30a99852

    SHA1

    ac99dfb7a890ddb254ec65dafdcfef4b657117a1

    SHA256

    072f358c2a0a4f6f15620baf4661536c977e92add2d06b6f5e520f294feca467

    SHA512

    4d2471d371f93eb40cc36bd82dc5b778274c4db0b3e66242ad6ec7910d105cc2984f601a3343f669cdc2d35c476b747620aeb72ed678490d10bf88ccba7ff12f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Enchelon.exe
    Filesize

    564KB

    MD5

    03f79d4e5bdc0b830947bf103112b3bb

    SHA1

    07d65e2d43c1bca29d8526bdc29095689b06e8b3

    SHA256

    78dbb719e5e435447c4f4273478827536c3e9bb2f5bb8f31e5bb8c00c2c38036

    SHA512

    2cbda91efb4e8db684de1e2718129ffd02663e8f97183af8c8ef4e40a1dfd89a7bee72a216c4d609b730fceb84f48b8ffd590baafb9cdcc80f4365fc9f1b9952

    Download Submit
  • memory/668-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1532-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1532-64-0x0000000000630000-0x00000000006A8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1532-62-0x00000000010A0000-0x0000000001134000-memory.dmp
    Filesize

    592KB

    Download
  • memory/1532-66-0x0000000000A90000-0x0000000000AA2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1532-68-0x0000000000AB0000-0x0000000000ABC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1532-70-0x0000000000E00000-0x0000000000E1E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1532-72-0x000000001ACB0000-0x000000001AD36000-memory.dmp
    Filesize

    536KB

    Download
  • memory/1912-61-0x0000000000400000-0x0000000000E38000-memory.dmp
    Filesize

    10.2MB

    Download
  • memory/1912-54-0x0000000000400000-0x0000000000E38000-memory.dmp
    Filesize

    10.2MB

    Download
  • memory/1912-56-0x0000000000400000-0x0000000000E38000-memory.dmp
    Filesize

    10.2MB

    Download
  • memory/1912-55-0x0000000076721000-0x0000000076723000-memory.dmp
    Filesize

    8KB

    Download