echelon | 9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea

Analysis

max time kernel
5s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe
Size

2.6MB
MD5

7615de772c95e664bd7cdb315205a143
SHA1

e5491ee6f2d7d63953d5ea601ef307d26188afaf
SHA256

9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea
SHA512

0b640cbca39b7955a1b724e6b2ec30a6d899d1401c670f0bfc4955b98797bce01fa1dd11c1777e57137f0c4e1e45022eabe1a430327759b1c48aa070d2b95334
SSDEEP

49152:sB41RPvlrEPdZp32cJ0nxoEXLlivMXfDVOwxlBxj6xIAX:G8PvEnzJhEXZGMXfDVhHBgIg

Score

10^/10

echelon persistence spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00040000000230de-179.dat	family_echelon
behavioral1/files/0x00040000000230de-185.dat	family_echelon
behavioral1/files/0x00040000000230de-186.dat	family_echelon
behavioral1/memory/2144-187-0x00000242C8040000-0x00000242C8108000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	EXE1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1339000.bat	3.exe

Executes dropped EXE 4 IoCs

pid	Process
1884	3.exe
2692	1089612.jpeg
4444	EXE1.exe
2648	EXE2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	1089612.jpeg
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1089612.jpeg

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	api.ipify.org
29	api.ipify.org
37	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4092	2144	WerFault.exe	98

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	EXE1.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1884	3040	9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe	87
PID 3040 wrote to memory of 1884	3040	9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe	87
PID 3040 wrote to memory of 1884	3040	9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe	87
PID 1884 wrote to memory of 2692	1884	3.exe	90
PID 1884 wrote to memory of 2692	1884	3.exe	90
PID 2692 wrote to memory of 4444	2692	1089612.jpeg	91
PID 2692 wrote to memory of 4444	2692	1089612.jpeg	91
PID 2692 wrote to memory of 4444	2692	1089612.jpeg	91
PID 4444 wrote to memory of 332	4444	EXE1.exe	94
PID 4444 wrote to memory of 332	4444	EXE1.exe	94
PID 4444 wrote to memory of 332	4444	EXE1.exe	94
PID 2692 wrote to memory of 2648	2692	1089612.jpeg	95
PID 2692 wrote to memory of 2648	2692	1089612.jpeg	95
PID 2692 wrote to memory of 2648	2692	1089612.jpeg	95

C:\Users\Admin\AppData\Local\Temp\9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe
"C:\Users\Admin\AppData\Local\Temp\9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Roaming\3.exe
  "C:\Users\Admin\AppData\Roaming\3.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Roaming\1089612.jpeg
    "C:\Users\Admin\AppData\Roaming\1089612.jpeg"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\start.vbs"
        5⤵
        Checks computer location settings
        
        PID:332
      - C:\Users\Admin\AppData\Roaming\defender.exe
        
        "C:\Users\Admin\AppData\Roaming\defender.exe" -a verus -o stratum+tcp://eu.luckpool.net:3960 -u RXYt52ECeUztSRZBvaKxL2VLhzeh35ED4s.RIG -p x -t 4
        6⤵
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE2.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE2.exe
      4⤵
      Executes dropped EXE
      PID:2648
    - - C:\Users\Admin\AppData\Roaming\4.exe
        
        "C:\Users\Admin\AppData\Roaming\4.exe"
        5⤵
        
        PID:2144
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2144 -s 2932
        6⤵
        Program crash
        
        PID:4092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 2144 -ip 2144
1⤵
PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe

Filesize
1.5MB

MD5
59c26b9bbc70075be49ae7d80e2f5146

SHA1
ef75ff7047f26ead38e5647982ae4a4e7204fc60

SHA256
d927b4f41513d10671685a8972bc8321ae046596c9d2ca2387d1243be4371db0

SHA512
b0fb0aaab5f3d6935a22c9f52264c6ffdbd9859ab98aa1c26d0966351e7cf1e2af6e5a374fa912af1ff7fa12c242836d0493de90d218068e0e20fc515539b50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe

Filesize
1.5MB

MD5
59c26b9bbc70075be49ae7d80e2f5146

SHA1
ef75ff7047f26ead38e5647982ae4a4e7204fc60

SHA256
d927b4f41513d10671685a8972bc8321ae046596c9d2ca2387d1243be4371db0

SHA512
b0fb0aaab5f3d6935a22c9f52264c6ffdbd9859ab98aa1c26d0966351e7cf1e2af6e5a374fa912af1ff7fa12c242836d0493de90d218068e0e20fc515539b50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe

Filesize
1.5MB

MD5
59c26b9bbc70075be49ae7d80e2f5146

SHA1
ef75ff7047f26ead38e5647982ae4a4e7204fc60

SHA256
d927b4f41513d10671685a8972bc8321ae046596c9d2ca2387d1243be4371db0

SHA512
b0fb0aaab5f3d6935a22c9f52264c6ffdbd9859ab98aa1c26d0966351e7cf1e2af6e5a374fa912af1ff7fa12c242836d0493de90d218068e0e20fc515539b50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE2.exe

Filesize
677KB

MD5
070073c57a34b8a5f409d405eb9074fb

SHA1
56e0cbe08f996ff8c3ae3334b3e711e383f9e142

SHA256
eded5497df7c743ee541782b8ffc3317ee456c9077d7106ebf90c0ad5599beba

SHA512
de8a73f0bd337bb6f020488469b9700e6b8e0f4f0cfb427734dc379a838986829fef7bf682dd25dd194421898314c7c9678333108d518d24838b26f1aa645e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE2.exe

Filesize
677KB

MD5
070073c57a34b8a5f409d405eb9074fb

SHA1
56e0cbe08f996ff8c3ae3334b3e711e383f9e142

SHA256
eded5497df7c743ee541782b8ffc3317ee456c9077d7106ebf90c0ad5599beba

SHA512
de8a73f0bd337bb6f020488469b9700e6b8e0f4f0cfb427734dc379a838986829fef7bf682dd25dd194421898314c7c9678333108d518d24838b26f1aa645e54

Download Submit
C:\Users\Admin\AppData\Roaming\1089612.jpeg

Filesize
1.9MB

MD5
48ab7d994ff16743bc34404f6282209c

SHA1
2384002699b10e0e4fd230cf4b36c75d3fb7c3bc

SHA256
3090f3102eb0f9d704e34a5eed66b9c0e3f505f5fb90ddc5ba3054e91eb6713f

SHA512
05d66fa8efc235016e12499e6921307a8212457e94e198c015903dacb8d2a6e1a7eb57510e08bc87fe68749a54af7f71a39a1ad5f255f1f6bcab7a48ef381ae0

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
5.2MB

MD5
4bb8922aed2f554aa5457d315a43c760

SHA1
5a87d57eb5046e96e56e1e43ba818855fe2c053a

SHA256
406445e1f73c0cf1fe809e54842ee915694039373b94230a163ef61a7749f2f6

SHA512
b866c8f43edcefa6cc4ec2cbcf22cf94b6b45b12815532ac794a6e42b44d65ad8e0d624313829974820325856d86a884dc85d9c4618fd1ff7283db1a3f2be7ac

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
5.2MB

MD5
4bb8922aed2f554aa5457d315a43c760

SHA1
5a87d57eb5046e96e56e1e43ba818855fe2c053a

SHA256
406445e1f73c0cf1fe809e54842ee915694039373b94230a163ef61a7749f2f6

SHA512
b866c8f43edcefa6cc4ec2cbcf22cf94b6b45b12815532ac794a6e42b44d65ad8e0d624313829974820325856d86a884dc85d9c4618fd1ff7283db1a3f2be7ac

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
5.2MB

MD5
4bb8922aed2f554aa5457d315a43c760

SHA1
5a87d57eb5046e96e56e1e43ba818855fe2c053a

SHA256
406445e1f73c0cf1fe809e54842ee915694039373b94230a163ef61a7749f2f6

SHA512
b866c8f43edcefa6cc4ec2cbcf22cf94b6b45b12815532ac794a6e42b44d65ad8e0d624313829974820325856d86a884dc85d9c4618fd1ff7283db1a3f2be7ac

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe

Filesize
795KB

MD5
56df7a0ea82242ce7e1a58ba8280822b

SHA1
0415e883811e56483cbf0a54e9ce3cfedd6e5dd2

SHA256
cfca50d3277007bca65275606eb469261ac4d12732c05448a41811b4cde159a7

SHA512
ded49ee0228c7e60cc88fba59c6b4f4295aed1237775cbb19e90fb9a96952d2890fe2bbf0920815c98439da29076b22f720934e45cdcfef50458b042dffe4993

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe

Filesize
795KB

MD5
56df7a0ea82242ce7e1a58ba8280822b

SHA1
0415e883811e56483cbf0a54e9ce3cfedd6e5dd2

SHA256
cfca50d3277007bca65275606eb469261ac4d12732c05448a41811b4cde159a7

SHA512
ded49ee0228c7e60cc88fba59c6b4f4295aed1237775cbb19e90fb9a96952d2890fe2bbf0920815c98439da29076b22f720934e45cdcfef50458b042dffe4993

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe

Filesize
795KB

MD5
56df7a0ea82242ce7e1a58ba8280822b

SHA1
0415e883811e56483cbf0a54e9ce3cfedd6e5dd2

SHA256
cfca50d3277007bca65275606eb469261ac4d12732c05448a41811b4cde159a7

SHA512
ded49ee0228c7e60cc88fba59c6b4f4295aed1237775cbb19e90fb9a96952d2890fe2bbf0920815c98439da29076b22f720934e45cdcfef50458b042dffe4993

Download Submit
C:\Users\Admin\AppData\Roaming\DotNetZip.dll

Filesize
448KB

MD5
60caabbd43235889d64f230617c0e24e

SHA1
f5f922bd3c69591663187d40ad732c73a5bda290

SHA256
4d7851bb977d7bd1d7503e994bc4c4083faa2751f41624237309157b1b88681d

SHA512
fedccb31b488ec1b7b28e8614a3eb53eb130c176837f687395e61a0f3f522d742d46ece1f6852ca45e831abe21728e08dadf010d828a49fbfdc9840b42cc975c

Download Submit
C:\Users\Admin\AppData\Roaming\defender.exe

Filesize
791KB

MD5
58e92ea3a88e6b00f15c0b8da7d7c270

SHA1
2c3b4bcb08f3b5ab2e02f2f184d300d0c5567cab

SHA256
580a71f3c0c10e7df4f011f0ce6897e16b176c9e2c6a78a6ee7ab292633d6da0

SHA512
cf205fd978b814bf09f13446222b9c9f5c07072d294798e829f9a810fd0e9377ae36bb8ed77c5d1efa3b0ebb85a6a6404a55f68d2ebe528e096e2b9d56b9a114

Download Submit
C:\Users\Admin\AppData\Roaming\defender.exe

Filesize
791KB

MD5
58e92ea3a88e6b00f15c0b8da7d7c270

SHA1
2c3b4bcb08f3b5ab2e02f2f184d300d0c5567cab

SHA256
580a71f3c0c10e7df4f011f0ce6897e16b176c9e2c6a78a6ee7ab292633d6da0

SHA512
cf205fd978b814bf09f13446222b9c9f5c07072d294798e829f9a810fd0e9377ae36bb8ed77c5d1efa3b0ebb85a6a6404a55f68d2ebe528e096e2b9d56b9a114

Download Submit
C:\Users\Admin\AppData\Roaming\start.vbs

Filesize
210B

MD5
0ed388e96be16481782876ae6e57790e

SHA1
8ea5810dda85821e8737bf4b18c0ea5c1fc55198

SHA256
ece530f92f9ba5b045a723ef9321cbae9c4e582c763ccae1e4eda6f03d9b2916

SHA512
2c530cce0a9869ffd4032c871ffb736486ddbd580fdc0163dfdc847319c331b38cb62411c89323ebb99243767b34817c2547405d3b61fcf25a3ff5a4bb306dce

Download Submit
memory/1884-145-0x0000000000FA0000-0x00000000014CC000-memory.dmp

Filesize
5.2MB

Download
memory/1884-146-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/2144-187-0x00000242C8040000-0x00000242C8108000-memory.dmp

Filesize
800KB

Download
memory/2144-188-0x00000242C85F0000-0x00000242C8600000-memory.dmp

Filesize
64KB

Download
memory/2144-190-0x00000242C8560000-0x00000242C85D6000-memory.dmp

Filesize
472KB

Download
memory/2144-191-0x00000242C85F0000-0x00000242C8600000-memory.dmp

Filesize
64KB

Download