echelon | 70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44

General

Target

70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
Size

6.1MB
MD5

1f3198dfa1b72086ee1c49a469769c37
SHA1

f98f1127388bf739996d2627efb3aac474d5ad42
SHA256

70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44
SHA512

9d7ecc95d774075449cdd8986a392f61ddecba97769d736b0200ac811155f37efa4ee2388ea8232e7d505f6b0c1f3c2d5b9d165ab965cf3411d905c52a9243a2

Score

10^/10

echelon collection discovery persistence spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Echelon log file 1 IoCs

Detects a log file produced by Echelon.

yara_rule
echelon_log_file

Executes dropped EXE 1 IoCs

pid	Process
1232	Enchelon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Enchelon.exe"	Enchelon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api.ipify.org
15	api.ipify.org
17	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1980	1232	WerFault.exe	81
4804	1232	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
1232	Enchelon.exe
1232	Enchelon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	Enchelon.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1232	2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe	81
PID 2372 wrote to memory of 1232	2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe	81
PID 1232 wrote to memory of 1980	1232	Enchelon.exe	86
PID 1232 wrote to memory of 1980	1232	Enchelon.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

C:\Users\Admin\AppData\Local\Temp\70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
"C:\Users\Admin\AppData\Local\Temp\70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
  "C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1232
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1232 -s 1720
    3⤵
    - Program crash
    PID:1980
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1232 -s 1720
    3⤵
    - Program crash
    PID:4804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1232 -ip 1232
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChromV1.dll

Filesize
46KB

MD5
e2a73f7858c2a2851213689f43f81cab

SHA1
eb9e5818abdbf061ca88bdeebd222df0c9a7d1de

SHA256
5d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148

SHA512
1dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromV2.dll

Filesize
23KB

MD5
f4999039ba84e3dc7ff5be63c7c09ad8

SHA1
281fa1ad745c52745bd2c2a9e17ce820005c7a00

SHA256
1fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84

SHA512
33acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe

Filesize
564KB

MD5
03f79d4e5bdc0b830947bf103112b3bb

SHA1
07d65e2d43c1bca29d8526bdc29095689b06e8b3

SHA256
78dbb719e5e435447c4f4273478827536c3e9bb2f5bb8f31e5bb8c00c2c38036

SHA512
2cbda91efb4e8db684de1e2718129ffd02663e8f97183af8c8ef4e40a1dfd89a7bee72a216c4d609b730fceb84f48b8ffd590baafb9cdcc80f4365fc9f1b9952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe

Filesize
564KB

MD5
03f79d4e5bdc0b830947bf103112b3bb

SHA1
07d65e2d43c1bca29d8526bdc29095689b06e8b3

SHA256
78dbb719e5e435447c4f4273478827536c3e9bb2f5bb8f31e5bb8c00c2c38036

SHA512
2cbda91efb4e8db684de1e2718129ffd02663e8f97183af8c8ef4e40a1dfd89a7bee72a216c4d609b730fceb84f48b8ffd590baafb9cdcc80f4365fc9f1b9952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll

Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MegaApiClient.dll

Filesize
94KB

MD5
27b9265bfa1c0fd0aea87a32a55b32b4

SHA1
861d3f9099f5b409e0990e831499eddd0da7e57f

SHA256
f4da53f798d62937f12171b47f72c8539845ff5ac3d011be193d3bdc271dd9f1

SHA512
4f0f50038a5bdc894cddf9faed00c22ea91266149710c2f5f0e7bf0974fd50cd41b0e323c602f8e0c7be7a465dddebab2befca29a284a68f97c7acd9c5b90f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
512KB

MD5
505a541a82ab519e991c895a30a99852

SHA1
ac99dfb7a890ddb254ec65dafdcfef4b657117a1

SHA256
072f358c2a0a4f6f15620baf4661536c977e92add2d06b6f5e520f294feca467

SHA512
4d2471d371f93eb40cc36bd82dc5b778274c4db0b3e66242ad6ec7910d105cc2984f601a3343f669cdc2d35c476b747620aeb72ed678490d10bf88ccba7ff12f

Download Submit
memory/1232-144-0x00007FFCBE280000-0x00007FFCBED41000-memory.dmp

Filesize
10.8MB

Download
memory/1232-135-0x0000000000320000-0x00000000003B4000-memory.dmp

Filesize
592KB

Download
memory/1232-139-0x00007FFCBE280000-0x00007FFCBED41000-memory.dmp

Filesize
10.8MB

Download
memory/1232-141-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/1232-151-0x00007FFCBE280000-0x00007FFCBED41000-memory.dmp

Filesize
10.8MB

Download
memory/1232-138-0x00000000025A0000-0x0000000002618000-memory.dmp

Filesize
480KB

Download
memory/1232-149-0x000000001C750000-0x000000001C772000-memory.dmp

Filesize
136KB

Download
memory/1232-143-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/1232-146-0x000000001C730000-0x000000001C74E000-memory.dmp

Filesize
120KB

Download
memory/1232-148-0x000000001DC20000-0x000000001DCA6000-memory.dmp

Filesize
536KB

Download
memory/2372-136-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/2372-130-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/2372-131-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing