echelon | 70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44

General

Target

70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
Size

6.1MB
MD5

1f3198dfa1b72086ee1c49a469769c37
SHA1

f98f1127388bf739996d2627efb3aac474d5ad42
SHA256

70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44
SHA512

9d7ecc95d774075449cdd8986a392f61ddecba97769d736b0200ac811155f37efa4ee2388ea8232e7d505f6b0c1f3c2d5b9d165ab965cf3411d905c52a9243a2

Score

10^/10

echelon collection discovery persistence spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Echelon log file 1 IoCs

Detects a log file produced by Echelon.

yara_rule
echelon_log_file

Executes dropped EXE 1 IoCs

pid	Process
1532	Enchelon.exe

Loads dropped DLL 1 IoCs

pid	Process
1912	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\loader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Enchelon.exe"	Enchelon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
4	api.ipify.org
5	api.ipify.org
6	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1912	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
668	1532	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1912	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
1912	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
1532	Enchelon.exe
1532	Enchelon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	Enchelon.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1532	1912	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe	28
PID 1912 wrote to memory of 1532	1912	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe	28
PID 1912 wrote to memory of 1532	1912	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe	28
PID 1912 wrote to memory of 1532	1912	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe	28
PID 1532 wrote to memory of 668	1532	Enchelon.exe	30
PID 1532 wrote to memory of 668	1532	Enchelon.exe	30
PID 1532 wrote to memory of 668	1532	Enchelon.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

C:\Users\Admin\AppData\Local\Temp\70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
"C:\Users\Admin\AppData\Local\Temp\70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
  "C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1532
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1532 -s 1744
    3⤵
    - Program crash
    PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChromV1.dll

Filesize
46KB

MD5
e2a73f7858c2a2851213689f43f81cab

SHA1
eb9e5818abdbf061ca88bdeebd222df0c9a7d1de

SHA256
5d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148

SHA512
1dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromV2.dll

Filesize
23KB

MD5
f4999039ba84e3dc7ff5be63c7c09ad8

SHA1
281fa1ad745c52745bd2c2a9e17ce820005c7a00

SHA256
1fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84

SHA512
33acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe

Filesize
564KB

MD5
03f79d4e5bdc0b830947bf103112b3bb

SHA1
07d65e2d43c1bca29d8526bdc29095689b06e8b3

SHA256
78dbb719e5e435447c4f4273478827536c3e9bb2f5bb8f31e5bb8c00c2c38036

SHA512
2cbda91efb4e8db684de1e2718129ffd02663e8f97183af8c8ef4e40a1dfd89a7bee72a216c4d609b730fceb84f48b8ffd590baafb9cdcc80f4365fc9f1b9952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe

Filesize
564KB

MD5
03f79d4e5bdc0b830947bf103112b3bb

SHA1
07d65e2d43c1bca29d8526bdc29095689b06e8b3

SHA256
78dbb719e5e435447c4f4273478827536c3e9bb2f5bb8f31e5bb8c00c2c38036

SHA512
2cbda91efb4e8db684de1e2718129ffd02663e8f97183af8c8ef4e40a1dfd89a7bee72a216c4d609b730fceb84f48b8ffd590baafb9cdcc80f4365fc9f1b9952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MegaApiClient.dll

Filesize
94KB

MD5
27b9265bfa1c0fd0aea87a32a55b32b4

SHA1
861d3f9099f5b409e0990e831499eddd0da7e57f

SHA256
f4da53f798d62937f12171b47f72c8539845ff5ac3d011be193d3bdc271dd9f1

SHA512
4f0f50038a5bdc894cddf9faed00c22ea91266149710c2f5f0e7bf0974fd50cd41b0e323c602f8e0c7be7a465dddebab2befca29a284a68f97c7acd9c5b90f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
512KB

MD5
505a541a82ab519e991c895a30a99852

SHA1
ac99dfb7a890ddb254ec65dafdcfef4b657117a1

SHA256
072f358c2a0a4f6f15620baf4661536c977e92add2d06b6f5e520f294feca467

SHA512
4d2471d371f93eb40cc36bd82dc5b778274c4db0b3e66242ad6ec7910d105cc2984f601a3343f669cdc2d35c476b747620aeb72ed678490d10bf88ccba7ff12f

Download Submit
\Users\Admin\AppData\Local\Temp\Enchelon.exe

Filesize
564KB

MD5
03f79d4e5bdc0b830947bf103112b3bb

SHA1
07d65e2d43c1bca29d8526bdc29095689b06e8b3

SHA256
78dbb719e5e435447c4f4273478827536c3e9bb2f5bb8f31e5bb8c00c2c38036

SHA512
2cbda91efb4e8db684de1e2718129ffd02663e8f97183af8c8ef4e40a1dfd89a7bee72a216c4d609b730fceb84f48b8ffd590baafb9cdcc80f4365fc9f1b9952

Download Submit
memory/668-73-0x0000000000000000-mapping.dmp

Download
memory/1532-58-0x0000000000000000-mapping.dmp

Download
memory/1532-64-0x0000000000630000-0x00000000006A8000-memory.dmp

Filesize
480KB

Download
memory/1532-62-0x00000000010A0000-0x0000000001134000-memory.dmp

Filesize
592KB

Download
memory/1532-66-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/1532-68-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/1532-70-0x0000000000E00000-0x0000000000E1E000-memory.dmp

Filesize
120KB

Download
memory/1532-72-0x000000001ACB0000-0x000000001AD36000-memory.dmp

Filesize
536KB

Download
memory/1912-61-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/1912-54-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/1912-56-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/1912-55-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing