echelon | e29d997a018fcaed3a5d6296b72d9845c899a5211aeeafad8762869c906447b8

General

Target

91e732fa9ba5234e1978aac4b4a59a0e.exe
Size

631KB
MD5

91e732fa9ba5234e1978aac4b4a59a0e
SHA1

fb87bfff59f2ccddd3830a70b2d581532be3f3aa
SHA256

e29d997a018fcaed3a5d6296b72d9845c899a5211aeeafad8762869c906447b8
SHA512

76fe05dcf0dea26a5210dd92c1ae3c357f43f5c170642e99a50d3c7b412d25d1518a958960e25230fb6c055100159f29c080fb354f2cbe93a805ba419fb01976
SSDEEP

12288:q+khQMwkEo9EtZLJLUf9snBS4csPYae6qfzAAA:q+khQMlEthhUF54clNf7AB

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2252-0-0x0000000000C70000-0x0000000000D14000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Executes dropped EXE 2 IoCs

Processes:

Decoder.exesystems32.exe

pid	Process
2336	Decoder.exe
127224	systems32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
127492	schtasks.exe
2208	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2604	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Decoder.exesystems32.exe

pid	Process
2336	Decoder.exe
127224	systems32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Decoder.exesystems32.exe

description	pid	Process
Token: SeDebugPrivilege	2336	Decoder.exe
Token: SeDebugPrivilege	127224	systems32.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

91e732fa9ba5234e1978aac4b4a59a0e.execmd.exeDecoder.exetaskeng.exesystems32.exe

description	pid	Process	procid_target
PID 2252 wrote to memory of 2336	2252	91e732fa9ba5234e1978aac4b4a59a0e.exe	29
PID 2252 wrote to memory of 2336	2252	91e732fa9ba5234e1978aac4b4a59a0e.exe	29
PID 2252 wrote to memory of 2336	2252	91e732fa9ba5234e1978aac4b4a59a0e.exe	29
PID 2252 wrote to memory of 2820	2252	91e732fa9ba5234e1978aac4b4a59a0e.exe	30
PID 2252 wrote to memory of 2820	2252	91e732fa9ba5234e1978aac4b4a59a0e.exe	30
PID 2252 wrote to memory of 2820	2252	91e732fa9ba5234e1978aac4b4a59a0e.exe	30
PID 2252 wrote to memory of 2840	2252	91e732fa9ba5234e1978aac4b4a59a0e.exe	34
PID 2252 wrote to memory of 2840	2252	91e732fa9ba5234e1978aac4b4a59a0e.exe	34
PID 2252 wrote to memory of 2840	2252	91e732fa9ba5234e1978aac4b4a59a0e.exe	34
PID 2840 wrote to memory of 2604	2840	cmd.exe	32
PID 2840 wrote to memory of 2604	2840	cmd.exe	32
PID 2840 wrote to memory of 2604	2840	cmd.exe	32
PID 2336 wrote to memory of 2208	2336	Decoder.exe	35
PID 2336 wrote to memory of 2208	2336	Decoder.exe	35
PID 2336 wrote to memory of 2208	2336	Decoder.exe	35
PID 117408 wrote to memory of 127224	117408	taskeng.exe	40
PID 117408 wrote to memory of 127224	117408	taskeng.exe	40
PID 117408 wrote to memory of 127224	117408	taskeng.exe	40
PID 127224 wrote to memory of 127492	127224	systems32.exe	42
PID 127224 wrote to memory of 127492	127224	systems32.exe	42
PID 127224 wrote to memory of 127492	127224	systems32.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\91e732fa9ba5234e1978aac4b4a59a0e.exe
"C:\Users\Admin\AppData\Local\Temp\91e732fa9ba5234e1978aac4b4a59a0e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\ProgramData\Decoder.exe
  "C:\ProgramData\Decoder.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2208
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
  2⤵
  PID:2820
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBCE9.tmp.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840

C:\Windows\system32\timeout.exe
timeout 4
1⤵
- Delays execution with timeout.exe
PID:2604

C:\Windows\system32\taskeng.exe
taskeng.exe {1DBCDFCE-48E4-427C-A31D-226518DFF097} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:117408
- C:\systems32_bit\systems32.exe
  \systems32_bit\systems32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:127224
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:127492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
28B

MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBCE9.tmp.cmd

Filesize
131B

MD5
efb49b13a882cd89c8ceba974ded524a

SHA1
fa0fb0b55d0e38c5290fc12b4b28ab4d0c19843f

SHA256
a49c8f2713e4a1ce3027f2bb2bb0856970b938df182b905e4984884a660fd878

SHA512
a98a540eb771918eb38623db4a6e328192ecfd3e2b02de9cdc42335cec3f23726ff27aedb3a34730cd702d0f4798e063de86d30b0e22c64ca09b259b97f6c6a6

Download Submit
memory/2252-0-0x0000000000C70000-0x0000000000D14000-memory.dmp

Filesize
656KB

Download
memory/2252-1-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-2-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2252-3-0x0000000002470000-0x00000000024E6000-memory.dmp

Filesize
472KB

Download
memory/2252-25-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-24-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-13-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/2336-30-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-31-0x000000001BDC0000-0x000000001BE40000-memory.dmp

Filesize
512KB

Download
memory/127224-35-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/127224-36-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/127224-37-0x000000001BBC0000-0x000000001BC40000-memory.dmp

Filesize
512KB

Download
memory/127224-38-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/127224-39-0x000000001BBC0000-0x000000001BC40000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads