echelon | 70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44

General

Target

70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
Size

6.1MB
MD5

1f3198dfa1b72086ee1c49a469769c37
SHA1

f98f1127388bf739996d2627efb3aac474d5ad42
SHA256

70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44
SHA512

9d7ecc95d774075449cdd8986a392f61ddecba97769d736b0200ac811155f37efa4ee2388ea8232e7d505f6b0c1f3c2d5b9d165ab965cf3411d905c52a9243a2

Score

10^/10

echelon collection discovery persistence spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon log file 1 IoCs
Detects a log file produced by Echelon.

Processes:

yara_rule

echelon_log_file
Executes dropped EXE 1 IoCs

Processes:

Enchelon.exe

pid process

1232 Enchelon.exe

yara_rule
echelon_log_file

pid	process
1232	Enchelon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Enchelon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Enchelon.exe"	Enchelon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
15 api.ipify.org
17 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe

pid process

2372 70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1980 1232 WerFault.exe Enchelon.exe
4804 1232 WerFault.exe Enchelon.exe

flow	ioc
14	api.ipify.org
15	api.ipify.org
17	ip-api.com

pid	pid_target	process	target process
1980	1232	WerFault.exe	Enchelon.exe
4804	1232	WerFault.exe	Enchelon.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exeEnchelon.exe

pid	process
2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
1232	Enchelon.exe
1232	Enchelon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Enchelon.exe

description pid process

Token: SeDebugPrivilege 1232 Enchelon.exe

description	pid	process
Token: SeDebugPrivilege	1232	Enchelon.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exeEnchelon.exe

description	pid	process	target process
PID 2372 wrote to memory of 1232	2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe	Enchelon.exe
PID 2372 wrote to memory of 1232	2372	70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe	Enchelon.exe
PID 1232 wrote to memory of 1980	1232	Enchelon.exe	WerFault.exe
PID 1232 wrote to memory of 1980	1232	Enchelon.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

outlook_win_path 1 IoCs

Processes:

Enchelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Enchelon.exe

C:\Users\Admin\AppData\Local\Temp\70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe
"C:\Users\Admin\AppData\Local\Temp\70eb349c7806b23eaa21695223c67c013b85da0d20c57c476822518ba8c7aa44.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
"C:\Users\Admin\AppData\Local\Temp\Enchelon.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1232 -s 1720
3⤵
- Program crash
PID:1980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1232 -s 1720
3⤵
- Program crash
PID:4804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1232 -ip 1232
1⤵
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChromV1.dll
Filesize
46KB

MD5
e2a73f7858c2a2851213689f43f81cab

SHA1
eb9e5818abdbf061ca88bdeebd222df0c9a7d1de

SHA256
5d873db4b0dbc26a89e546b4b67736ba28c78e9a9680726b7af600c06c43e148

SHA512
1dea09265855a6b3f56fab4290ade04e4fcaca1ea8afbd3a85eff7161380ecd552190f16f4b8e0a6741e905f67899f09e68af411ded3fe43cd1b06e591d21969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromV2.dll
Filesize
23KB

MD5
f4999039ba84e3dc7ff5be63c7c09ad8

SHA1
281fa1ad745c52745bd2c2a9e17ce820005c7a00

SHA256
1fb2fc14fd8d2a5479a78ae2a0bc4778a0356177f44cae418fa518574c5fdc84

SHA512
33acdefe6fe2710142b8bc2654fef07499648db040da758bb3e629cb7ee21653054e8f1a0713f8eb064cf4314e428a3a3caea2ffda3e19483908b7435c474725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
Filesize
564KB

MD5
03f79d4e5bdc0b830947bf103112b3bb

SHA1
07d65e2d43c1bca29d8526bdc29095689b06e8b3

SHA256
78dbb719e5e435447c4f4273478827536c3e9bb2f5bb8f31e5bb8c00c2c38036

SHA512
2cbda91efb4e8db684de1e2718129ffd02663e8f97183af8c8ef4e40a1dfd89a7bee72a216c4d609b730fceb84f48b8ffd590baafb9cdcc80f4365fc9f1b9952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enchelon.exe
Filesize
564KB

MD5
03f79d4e5bdc0b830947bf103112b3bb

SHA1
07d65e2d43c1bca29d8526bdc29095689b06e8b3

SHA256
78dbb719e5e435447c4f4273478827536c3e9bb2f5bb8f31e5bb8c00c2c38036

SHA512
2cbda91efb4e8db684de1e2718129ffd02663e8f97183af8c8ef4e40a1dfd89a7bee72a216c4d609b730fceb84f48b8ffd590baafb9cdcc80f4365fc9f1b9952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
Filesize
451KB

MD5
6ded8fcbf5f1d9e422b327ca51625e24

SHA1
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

SHA256
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

SHA512
bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MegaApiClient.dll
Filesize
94KB

MD5
27b9265bfa1c0fd0aea87a32a55b32b4

SHA1
861d3f9099f5b409e0990e831499eddd0da7e57f

SHA256
f4da53f798d62937f12171b47f72c8539845ff5ac3d011be193d3bdc271dd9f1

SHA512
4f0f50038a5bdc894cddf9faed00c22ea91266149710c2f5f0e7bf0974fd50cd41b0e323c602f8e0c7be7a465dddebab2befca29a284a68f97c7acd9c5b90f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
512KB

MD5
505a541a82ab519e991c895a30a99852

SHA1
ac99dfb7a890ddb254ec65dafdcfef4b657117a1

SHA256
072f358c2a0a4f6f15620baf4661536c977e92add2d06b6f5e520f294feca467

SHA512
4d2471d371f93eb40cc36bd82dc5b778274c4db0b3e66242ad6ec7910d105cc2984f601a3343f669cdc2d35c476b747620aeb72ed678490d10bf88ccba7ff12f

Download Submit
memory/1232-144-0x00007FFCBE280000-0x00007FFCBED41000-memory.dmp

Filesize
10.8MB

Download
memory/1232-135-0x0000000000320000-0x00000000003B4000-memory.dmp

Filesize
592KB

Download
memory/1232-139-0x00007FFCBE280000-0x00007FFCBED41000-memory.dmp

Filesize
10.8MB

Download
memory/1232-132-0x0000000000000000-mapping.dmp

Download
memory/1232-141-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/1232-151-0x00007FFCBE280000-0x00007FFCBED41000-memory.dmp

Filesize
10.8MB

Download
memory/1232-138-0x00000000025A0000-0x0000000002618000-memory.dmp

Filesize
480KB

Download
memory/1232-149-0x000000001C750000-0x000000001C772000-memory.dmp

Filesize
136KB

Download
memory/1232-143-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/1232-146-0x000000001C730000-0x000000001C74E000-memory.dmp

Filesize
120KB

Download
memory/1232-148-0x000000001DC20000-0x000000001DCA6000-memory.dmp

Filesize
536KB

Download
memory/1980-150-0x0000000000000000-mapping.dmp

Download
memory/2372-136-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/2372-130-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download
memory/2372-131-0x0000000000400000-0x0000000000E38000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads