echelon | 9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea

Analysis

max time kernel
84s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2023 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe
Size

2.6MB
MD5

7615de772c95e664bd7cdb315205a143
SHA1

e5491ee6f2d7d63953d5ea601ef307d26188afaf
SHA256

9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea
SHA512

0b640cbca39b7955a1b724e6b2ec30a6d899d1401c670f0bfc4955b98797bce01fa1dd11c1777e57137f0c4e1e45022eabe1a430327759b1c48aa070d2b95334
SSDEEP

49152:sB41RPvlrEPdZp32cJ0nxoEXLlivMXfDVOwxlBxj6xIAX:G8PvEnzJhEXZGMXfDVhHBgIg

Score

10^/10

echelon persistence spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\4.exe	family_echelon
C:\Users\Admin\AppData\Roaming\4.exe	family_echelon
C:\Users\Admin\AppData\Roaming\4.exe	family_echelon
behavioral2/memory/4584-187-0x000002734DC30000-0x000002734DCF8000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exeEXE1.exeWScript.exeEXE2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	EXE1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	EXE2.exe

Drops startup file 1 IoCs

Processes:

3.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1284928.bat 3.exe
Executes dropped EXE 6 IoCs

Processes:

3.exe4856802.jpegEXE1.exeEXE2.exedefender.exe4.exe

pid process

4012 3.exe
620 4856802.jpeg
4164 EXE1.exe
3672 EXE2.exe
3396 defender.exe
4584 4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1284928.bat	3.exe

pid	process
4012	3.exe
620	4856802.jpeg
4164	EXE1.exe
3672	EXE2.exe
3396	defender.exe
4584	4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4856802.jpeg

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	4856802.jpeg
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4856802.jpeg

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1340 4584 WerFault.exe 4.exe
Modifies registry class 1 IoCs

Processes:

EXE1.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings EXE1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4.exe

description pid process

Token: SeDebugPrivilege 4584 4.exe

flow	ioc
21	api.ipify.org

pid	pid_target	process	target process
1340	4584	WerFault.exe	4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	EXE1.exe

description	pid	process
Token: SeDebugPrivilege	4584	4.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe3.exe4856802.jpegEXE1.exeWScript.exeEXE2.exedefender.exe

description	pid	process	target process
PID 616 wrote to memory of 4012	616	9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe	3.exe
PID 616 wrote to memory of 4012	616	9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe	3.exe
PID 616 wrote to memory of 4012	616	9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe	3.exe
PID 4012 wrote to memory of 620	4012	3.exe	4856802.jpeg
PID 4012 wrote to memory of 620	4012	3.exe	4856802.jpeg
PID 620 wrote to memory of 4164	620	4856802.jpeg	EXE1.exe
PID 620 wrote to memory of 4164	620	4856802.jpeg	EXE1.exe
PID 620 wrote to memory of 4164	620	4856802.jpeg	EXE1.exe
PID 4164 wrote to memory of 5008	4164	EXE1.exe	WScript.exe
PID 4164 wrote to memory of 5008	4164	EXE1.exe	WScript.exe
PID 4164 wrote to memory of 5008	4164	EXE1.exe	WScript.exe
PID 620 wrote to memory of 3672	620	4856802.jpeg	EXE2.exe
PID 620 wrote to memory of 3672	620	4856802.jpeg	EXE2.exe
PID 620 wrote to memory of 3672	620	4856802.jpeg	EXE2.exe
PID 5008 wrote to memory of 3396	5008	WScript.exe	defender.exe
PID 5008 wrote to memory of 3396	5008	WScript.exe	defender.exe
PID 3672 wrote to memory of 4584	3672	EXE2.exe	4.exe
PID 3672 wrote to memory of 4584	3672	EXE2.exe	4.exe
PID 3396 wrote to memory of 4716	3396	defender.exe	cmd.exe
PID 3396 wrote to memory of 4716	3396	defender.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe
"C:\Users\Admin\AppData\Local\Temp\9323e2a6cbf294a47ba3a632ac6d02c7ea0c0d49fbf6582befc574a700b43cea.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:616

C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Roaming\4856802.jpeg
"C:\Users\Admin\AppData\Roaming\4856802.jpeg"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\start.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Roaming\defender.exe
"C:\Users\Admin\AppData\Roaming\defender.exe" -a verus -o stratum+tcp://eu.luckpool.net:3960 -u RXYt52ECeUztSRZBvaKxL2VLhzeh35ED4s.RIG -p x -t 4
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
7⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE2.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672

C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4584 -s 1120
6⤵
- Program crash
PID:1340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 4584 -ip 4584
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe

Filesize
1.5MB

MD5
59c26b9bbc70075be49ae7d80e2f5146

SHA1
ef75ff7047f26ead38e5647982ae4a4e7204fc60

SHA256
d927b4f41513d10671685a8972bc8321ae046596c9d2ca2387d1243be4371db0

SHA512
b0fb0aaab5f3d6935a22c9f52264c6ffdbd9859ab98aa1c26d0966351e7cf1e2af6e5a374fa912af1ff7fa12c242836d0493de90d218068e0e20fc515539b50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe

Filesize
1.5MB

MD5
59c26b9bbc70075be49ae7d80e2f5146

SHA1
ef75ff7047f26ead38e5647982ae4a4e7204fc60

SHA256
d927b4f41513d10671685a8972bc8321ae046596c9d2ca2387d1243be4371db0

SHA512
b0fb0aaab5f3d6935a22c9f52264c6ffdbd9859ab98aa1c26d0966351e7cf1e2af6e5a374fa912af1ff7fa12c242836d0493de90d218068e0e20fc515539b50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE1.exe

Filesize
1.5MB

MD5
59c26b9bbc70075be49ae7d80e2f5146

SHA1
ef75ff7047f26ead38e5647982ae4a4e7204fc60

SHA256
d927b4f41513d10671685a8972bc8321ae046596c9d2ca2387d1243be4371db0

SHA512
b0fb0aaab5f3d6935a22c9f52264c6ffdbd9859ab98aa1c26d0966351e7cf1e2af6e5a374fa912af1ff7fa12c242836d0493de90d218068e0e20fc515539b50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE2.exe

Filesize
677KB

MD5
070073c57a34b8a5f409d405eb9074fb

SHA1
56e0cbe08f996ff8c3ae3334b3e711e383f9e142

SHA256
eded5497df7c743ee541782b8ffc3317ee456c9077d7106ebf90c0ad5599beba

SHA512
de8a73f0bd337bb6f020488469b9700e6b8e0f4f0cfb427734dc379a838986829fef7bf682dd25dd194421898314c7c9678333108d518d24838b26f1aa645e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EXE2.exe

Filesize
677KB

MD5
070073c57a34b8a5f409d405eb9074fb

SHA1
56e0cbe08f996ff8c3ae3334b3e711e383f9e142

SHA256
eded5497df7c743ee541782b8ffc3317ee456c9077d7106ebf90c0ad5599beba

SHA512
de8a73f0bd337bb6f020488469b9700e6b8e0f4f0cfb427734dc379a838986829fef7bf682dd25dd194421898314c7c9678333108d518d24838b26f1aa645e54

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
5.2MB

MD5
4bb8922aed2f554aa5457d315a43c760

SHA1
5a87d57eb5046e96e56e1e43ba818855fe2c053a

SHA256
406445e1f73c0cf1fe809e54842ee915694039373b94230a163ef61a7749f2f6

SHA512
b866c8f43edcefa6cc4ec2cbcf22cf94b6b45b12815532ac794a6e42b44d65ad8e0d624313829974820325856d86a884dc85d9c4618fd1ff7283db1a3f2be7ac

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
5.2MB

MD5
4bb8922aed2f554aa5457d315a43c760

SHA1
5a87d57eb5046e96e56e1e43ba818855fe2c053a

SHA256
406445e1f73c0cf1fe809e54842ee915694039373b94230a163ef61a7749f2f6

SHA512
b866c8f43edcefa6cc4ec2cbcf22cf94b6b45b12815532ac794a6e42b44d65ad8e0d624313829974820325856d86a884dc85d9c4618fd1ff7283db1a3f2be7ac

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
5.2MB

MD5
4bb8922aed2f554aa5457d315a43c760

SHA1
5a87d57eb5046e96e56e1e43ba818855fe2c053a

SHA256
406445e1f73c0cf1fe809e54842ee915694039373b94230a163ef61a7749f2f6

SHA512
b866c8f43edcefa6cc4ec2cbcf22cf94b6b45b12815532ac794a6e42b44d65ad8e0d624313829974820325856d86a884dc85d9c4618fd1ff7283db1a3f2be7ac

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe

Filesize
795KB

MD5
56df7a0ea82242ce7e1a58ba8280822b

SHA1
0415e883811e56483cbf0a54e9ce3cfedd6e5dd2

SHA256
cfca50d3277007bca65275606eb469261ac4d12732c05448a41811b4cde159a7

SHA512
ded49ee0228c7e60cc88fba59c6b4f4295aed1237775cbb19e90fb9a96952d2890fe2bbf0920815c98439da29076b22f720934e45cdcfef50458b042dffe4993

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe

Filesize
795KB

MD5
56df7a0ea82242ce7e1a58ba8280822b

SHA1
0415e883811e56483cbf0a54e9ce3cfedd6e5dd2

SHA256
cfca50d3277007bca65275606eb469261ac4d12732c05448a41811b4cde159a7

SHA512
ded49ee0228c7e60cc88fba59c6b4f4295aed1237775cbb19e90fb9a96952d2890fe2bbf0920815c98439da29076b22f720934e45cdcfef50458b042dffe4993

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe

Filesize
795KB

MD5
56df7a0ea82242ce7e1a58ba8280822b

SHA1
0415e883811e56483cbf0a54e9ce3cfedd6e5dd2

SHA256
cfca50d3277007bca65275606eb469261ac4d12732c05448a41811b4cde159a7

SHA512
ded49ee0228c7e60cc88fba59c6b4f4295aed1237775cbb19e90fb9a96952d2890fe2bbf0920815c98439da29076b22f720934e45cdcfef50458b042dffe4993

Download Submit
C:\Users\Admin\AppData\Roaming\4856802.jpeg

Filesize
1.9MB

MD5
48ab7d994ff16743bc34404f6282209c

SHA1
2384002699b10e0e4fd230cf4b36c75d3fb7c3bc

SHA256
3090f3102eb0f9d704e34a5eed66b9c0e3f505f5fb90ddc5ba3054e91eb6713f

SHA512
05d66fa8efc235016e12499e6921307a8212457e94e198c015903dacb8d2a6e1a7eb57510e08bc87fe68749a54af7f71a39a1ad5f255f1f6bcab7a48ef381ae0

Download Submit
C:\Users\Admin\AppData\Roaming\defender.exe

Filesize
791KB

MD5
58e92ea3a88e6b00f15c0b8da7d7c270

SHA1
2c3b4bcb08f3b5ab2e02f2f184d300d0c5567cab

SHA256
580a71f3c0c10e7df4f011f0ce6897e16b176c9e2c6a78a6ee7ab292633d6da0

SHA512
cf205fd978b814bf09f13446222b9c9f5c07072d294798e829f9a810fd0e9377ae36bb8ed77c5d1efa3b0ebb85a6a6404a55f68d2ebe528e096e2b9d56b9a114

Download Submit
C:\Users\Admin\AppData\Roaming\defender.exe

Filesize
791KB

MD5
58e92ea3a88e6b00f15c0b8da7d7c270

SHA1
2c3b4bcb08f3b5ab2e02f2f184d300d0c5567cab

SHA256
580a71f3c0c10e7df4f011f0ce6897e16b176c9e2c6a78a6ee7ab292633d6da0

SHA512
cf205fd978b814bf09f13446222b9c9f5c07072d294798e829f9a810fd0e9377ae36bb8ed77c5d1efa3b0ebb85a6a6404a55f68d2ebe528e096e2b9d56b9a114

Download Submit
C:\Users\Admin\AppData\Roaming\start.vbs

Filesize
210B

MD5
0ed388e96be16481782876ae6e57790e

SHA1
8ea5810dda85821e8737bf4b18c0ea5c1fc55198

SHA256
ece530f92f9ba5b045a723ef9321cbae9c4e582c763ccae1e4eda6f03d9b2916

SHA512
2c530cce0a9869ffd4032c871ffb736486ddbd580fdc0163dfdc847319c331b38cb62411c89323ebb99243767b34817c2547405d3b61fcf25a3ff5a4bb306dce

Download Submit
memory/4012-146-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/4012-145-0x00000000000A0000-0x00000000005CC000-memory.dmp

Filesize
5.2MB

Download
memory/4584-187-0x000002734DC30000-0x000002734DCF8000-memory.dmp

Filesize
800KB

Download
memory/4584-188-0x000002734E060000-0x000002734E070000-memory.dmp

Filesize
64KB

Download
memory/4584-189-0x000002734E060000-0x000002734E070000-memory.dmp

Filesize
64KB

Download