echelon | 631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe
Size

7.4MB
MD5

9fb9fa81c7386f881964404f24375532
SHA1

c1d1786f3020c27f05e2256da2caacf6f28c63f5
SHA256

631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb
SHA512

848a725bb188682f6bb3c464c40da5fc10a92718d4636208c87c719464c1fb24d05a9ec28cb8d0933c8251a2f887097d0c358a26fa41dc624b9909368c4ac366
SSDEEP

196608:8O5f05FNTCfLaGpBMyxmopvou4Pind6M0zV/STY:zsnhIbNkopvou4PIwzV/V

Score

10^/10

echelon spyware stealer vmprotect

Malware Config

Signatures

Detects Echelon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00050000000222d5-6.dat	family_echelon
behavioral2/files/0x00050000000222d5-12.dat	family_echelon
behavioral2/files/0x00050000000222d5-15.dat	family_echelon
behavioral2/memory/2288-18-0x0000000000D60000-0x0000000000EAC000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exeLucky_Fixed.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	Lucky_Fixed.exe

Executes dropped EXE 3 IoCs

Processes:

Lucky_Fixed.exeweave_loader.exeDecoder.exe

pid	Process
2288	Lucky_Fixed.exe
3552	weave_loader.exe
2788	Decoder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/files/0x0008000000022ded-16.dat	vmprotect
behavioral2/files/0x0008000000022ded-20.dat	vmprotect
behavioral2/files/0x0008000000022ded-21.dat	vmprotect

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
23	api.ipify.org
37	ip-api.com
22	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
316	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Lucky_Fixed.exe

pid	Process
2288	Lucky_Fixed.exe
2288	Lucky_Fixed.exe
2288	Lucky_Fixed.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Lucky_Fixed.exe

description	pid	Process
Token: SeDebugPrivilege	2288	Lucky_Fixed.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exeLucky_Fixed.execmd.exe

description	pid	Process	procid_target
PID 3692 wrote to memory of 2288	3692	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	89
PID 3692 wrote to memory of 2288	3692	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	89
PID 3692 wrote to memory of 3552	3692	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	91
PID 3692 wrote to memory of 3552	3692	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	91
PID 3692 wrote to memory of 3552	3692	631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe	91
PID 2288 wrote to memory of 2788	2288	Lucky_Fixed.exe	98
PID 2288 wrote to memory of 2788	2288	Lucky_Fixed.exe	98
PID 2288 wrote to memory of 2788	2288	Lucky_Fixed.exe	98
PID 2288 wrote to memory of 1524	2288	Lucky_Fixed.exe	99
PID 2288 wrote to memory of 1524	2288	Lucky_Fixed.exe	99
PID 1524 wrote to memory of 316	1524	cmd.exe	101
PID 1524 wrote to memory of 316	1524	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe
"C:\Users\Admin\AppData\Local\Temp\631b5eaf7f1cde808364a10d16638ba1fd1f0bcfbfa8100b3c3ded10c11fe7cb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Lucky_Fixed.exe
  "C:\Lucky_Fixed.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\ProgramData\Decoder.exe
    "C:\ProgramData\Decoder.exe"
    3⤵
    - Executes dropped EXE
    PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\system32\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:316
- C:\weave_loader.exe
  "C:\weave_loader.exe"
  2⤵
  - Executes dropped EXE
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Lucky_Fixed.exe

Filesize
1.3MB

MD5
77295bc75e23524cddb21282b9c31c9f

SHA1
616832b17fd5a1764d970afb9ce2d6a067d67682

SHA256
fa564a170c9309a420e5ebfbe9c5f0c1bd379c2d5008fede4c7b39af002dd723

SHA512
4cc40ee2909b0fb89c6e83d669f9299d739164c0cba2c5f3ac7cc1770ea3d918e1de52faabaf3c25e25e6830316ad3c683623702bfed60c3385cf50f576d9af1

Download Submit
C:\Lucky_Fixed.exe

Filesize
1.3MB

MD5
77295bc75e23524cddb21282b9c31c9f

SHA1
616832b17fd5a1764d970afb9ce2d6a067d67682

SHA256
fa564a170c9309a420e5ebfbe9c5f0c1bd379c2d5008fede4c7b39af002dd723

SHA512
4cc40ee2909b0fb89c6e83d669f9299d739164c0cba2c5f3ac7cc1770ea3d918e1de52faabaf3c25e25e6830316ad3c683623702bfed60c3385cf50f576d9af1

Download Submit
C:\Lucky_Fixed.exe

Filesize
1.3MB

MD5
77295bc75e23524cddb21282b9c31c9f

SHA1
616832b17fd5a1764d970afb9ce2d6a067d67682

SHA256
fa564a170c9309a420e5ebfbe9c5f0c1bd379c2d5008fede4c7b39af002dd723

SHA512
4cc40ee2909b0fb89c6e83d669f9299d739164c0cba2c5f3ac7cc1770ea3d918e1de52faabaf3c25e25e6830316ad3c683623702bfed60c3385cf50f576d9af1

Download Submit
C:\ProgramData\Decoder.exe

Filesize
270KB

MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\ProgramData\Decoder.exe

Filesize
270KB

MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\ProgramData\Decoder.exe

Filesize
270KB

MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
85B

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\HTZyBNVLwZwFNHRH078BFBFF000306D2C4481AD566\66078BFBFF000306D2C4481AD5HTZyBNVLwZwFNHRH\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\weave_loader.exe

Filesize
6.3MB

MD5
6d6190b3e248040a5db1bf08495f2fdf

SHA1
913411595a51e0b50a7429980bfcb0bd1d524885

SHA256
3ae19a5392609fc2a5fff6330d82a2d2938611ac1311ed11bd17168874ed6c08

SHA512
52ba95ceeebe241020bbf8ab214fadce5cbb2337a34080d1c9e519aaa7079294861966af1fccea801d5b418903e170bb51feb9b30d58c36e1c4c0d4bfb90ce7c

Download Submit
C:\weave_loader.exe

Filesize
6.3MB

MD5
6d6190b3e248040a5db1bf08495f2fdf

SHA1
913411595a51e0b50a7429980bfcb0bd1d524885

SHA256
3ae19a5392609fc2a5fff6330d82a2d2938611ac1311ed11bd17168874ed6c08

SHA512
52ba95ceeebe241020bbf8ab214fadce5cbb2337a34080d1c9e519aaa7079294861966af1fccea801d5b418903e170bb51feb9b30d58c36e1c4c0d4bfb90ce7c

Download Submit
C:\weave_loader.exe

Filesize
6.3MB

MD5
6d6190b3e248040a5db1bf08495f2fdf

SHA1
913411595a51e0b50a7429980bfcb0bd1d524885

SHA256
3ae19a5392609fc2a5fff6330d82a2d2938611ac1311ed11bd17168874ed6c08

SHA512
52ba95ceeebe241020bbf8ab214fadce5cbb2337a34080d1c9e519aaa7079294861966af1fccea801d5b418903e170bb51feb9b30d58c36e1c4c0d4bfb90ce7c

Download Submit
memory/2288-18-0x0000000000D60000-0x0000000000EAC000-memory.dmp

Filesize
1.3MB

Download
memory/2288-23-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/2288-24-0x000000001B9B0000-0x000000001BA26000-memory.dmp

Filesize
472KB

Download
memory/2288-22-0x00007FFF7D9E0000-0x00007FFF7E4A1000-memory.dmp

Filesize
10.8MB

Download
memory/2288-121-0x00007FFF7D9E0000-0x00007FFF7E4A1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-122-0x0000000073C00000-0x00000000743B0000-memory.dmp

Filesize
7.7MB

Download
memory/2788-123-0x00000000006C0000-0x000000000070A000-memory.dmp

Filesize
296KB

Download
memory/2788-125-0x0000000073C00000-0x00000000743B0000-memory.dmp

Filesize
7.7MB

Download