echelon | 631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
14-11-2023 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe
Size

7.4MB
MD5

9fb9fa81c7386f881964404f24375532
SHA1

c1d1786f3020c27f05e2256da2caacf6f28c63f5
SHA256

631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb
SHA512

848a725bb188682f6bb3c464c40da5fc10a92718d4636208c87c719464c1fb24d05a9ec28cb8d0933c8251a2f887097d0c358a26fa41dc624b9909368c4ac366
SSDEEP

196608:8O5f05FNTCfLaGpBMyxmopvou4Pind6M0zV/STY:zsnhIbNkopvou4PIwzV/V

Score

10^/10

echelon spyware stealer vmprotect

Malware Config

Signatures

Detects Echelon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000e00000001201d-6.dat	family_echelon
behavioral1/files/0x000e00000001201d-11.dat	family_echelon
behavioral1/files/0x000e00000001201d-13.dat	family_echelon
behavioral1/memory/2668-21-0x0000000000BD0000-0x0000000000D1C000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Executes dropped EXE 3 IoCs

Processes:

Lucky_Fixed.exeweave_loader.exeDecoder.exe

pid	Process
2668	Lucky_Fixed.exe
2788	weave_loader.exe
2604	Decoder.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/files/0x000a000000012282-15.dat	vmprotect
behavioral1/files/0x000a000000012282-20.dat	vmprotect

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	api.ipify.org
3	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1720	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Lucky_Fixed.exe

description	pid	Process
Token: SeDebugPrivilege	2668	Lucky_Fixed.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exeLucky_Fixed.execmd.exe

description	pid	Process	procid_target
PID 3044 wrote to memory of 2668	3044	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	28
PID 3044 wrote to memory of 2668	3044	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	28
PID 3044 wrote to memory of 2668	3044	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	28
PID 3044 wrote to memory of 2668	3044	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	28
PID 3044 wrote to memory of 2788	3044	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	29
PID 3044 wrote to memory of 2788	3044	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	29
PID 3044 wrote to memory of 2788	3044	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	29
PID 3044 wrote to memory of 2788	3044	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	29
PID 2668 wrote to memory of 2604	2668	Lucky_Fixed.exe	31
PID 2668 wrote to memory of 2604	2668	Lucky_Fixed.exe	31
PID 2668 wrote to memory of 2604	2668	Lucky_Fixed.exe	31
PID 2668 wrote to memory of 2604	2668	Lucky_Fixed.exe	31
PID 2668 wrote to memory of 3004	2668	Lucky_Fixed.exe	32
PID 2668 wrote to memory of 3004	2668	Lucky_Fixed.exe	32
PID 2668 wrote to memory of 3004	2668	Lucky_Fixed.exe	32
PID 3004 wrote to memory of 1720	3004	cmd.exe	34
PID 3004 wrote to memory of 1720	3004	cmd.exe	34
PID 3004 wrote to memory of 1720	3004	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe
"C:\Users\Admin\AppData\Local\Temp\631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Lucky_Fixed.exe
  "C:\Lucky_Fixed.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\ProgramData\Decoder.exe
    "C:\ProgramData\Decoder.exe"
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1720
- C:\weave_loader.exe
  "C:\weave_loader.exe"
  2⤵
  - Executes dropped EXE
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Lucky_Fixed.exe

Filesize
1.3MB

MD5
77295bc75e23524cddb21282b9c31c9f

SHA1
616832b17fd5a1764d970afb9ce2d6a067d67682

SHA256
fa564a170c9309a420e5ebfbe9c5f0c1bd379c2d5008fede4c7b39af002dd723

SHA512
4cc40ee2909b0fb89c6e83d669f9299d739164c0cba2c5f3ac7cc1770ea3d918e1de52faabaf3c25e25e6830316ad3c683623702bfed60c3385cf50f576d9af1

Download Submit
C:\Lucky_Fixed.exe

Filesize
1.3MB

MD5
77295bc75e23524cddb21282b9c31c9f

SHA1
616832b17fd5a1764d970afb9ce2d6a067d67682

SHA256
fa564a170c9309a420e5ebfbe9c5f0c1bd379c2d5008fede4c7b39af002dd723

SHA512
4cc40ee2909b0fb89c6e83d669f9299d739164c0cba2c5f3ac7cc1770ea3d918e1de52faabaf3c25e25e6830316ad3c683623702bfed60c3385cf50f576d9af1

Download Submit
C:\Lucky_Fixed.exe

Filesize
1.3MB

MD5
77295bc75e23524cddb21282b9c31c9f

SHA1
616832b17fd5a1764d970afb9ce2d6a067d67682

SHA256
fa564a170c9309a420e5ebfbe9c5f0c1bd379c2d5008fede4c7b39af002dd723

SHA512
4cc40ee2909b0fb89c6e83d669f9299d739164c0cba2c5f3ac7cc1770ea3d918e1de52faabaf3c25e25e6830316ad3c683623702bfed60c3385cf50f576d9af1

Download Submit
C:\ProgramData\Decoder.exe

Filesize
270KB

MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\ProgramData\Decoder.exe

Filesize
270KB

MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\ProgramData\Decoder.exe

Filesize
270KB

MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
28B

MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\weave_loader.exe

Filesize
6.3MB

MD5
6d6190b3e248040a5db1bf08495f2fdf

SHA1
913411595a51e0b50a7429980bfcb0bd1d524885

SHA256
3ae19a5392609fc2a5fff6330d82a2d2938611ac1311ed11bd17168874ed6c08

SHA512
52ba95ceeebe241020bbf8ab214fadce5cbb2337a34080d1c9e519aaa7079294861966af1fccea801d5b418903e170bb51feb9b30d58c36e1c4c0d4bfb90ce7c

Download Submit
C:\weave_loader.exe

Filesize
6.3MB

MD5
6d6190b3e248040a5db1bf08495f2fdf

SHA1
913411595a51e0b50a7429980bfcb0bd1d524885

SHA256
3ae19a5392609fc2a5fff6330d82a2d2938611ac1311ed11bd17168874ed6c08

SHA512
52ba95ceeebe241020bbf8ab214fadce5cbb2337a34080d1c9e519aaa7079294861966af1fccea801d5b418903e170bb51feb9b30d58c36e1c4c0d4bfb90ce7c

Download Submit
memory/2604-38-0x0000000000BF0000-0x0000000000C3A000-memory.dmp

Filesize
296KB

Download
memory/2604-39-0x00000000738C0000-0x0000000073FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-40-0x00000000738C0000-0x0000000073FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-24-0x000000001AD20000-0x000000001AD96000-memory.dmp

Filesize
472KB

Download
memory/2668-23-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/2668-22-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-21-0x0000000000BD0000-0x0000000000D1C000-memory.dmp

Filesize
1.3MB

Download
memory/2668-37-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download