echelon | e29d997a018fcaed3a5d6296b72d9845c899a5211aeeafad8762869c906447b8

General

Target

91e732fa9ba5234e1978aac4b4a59a0e.exe
Size

631KB
MD5

91e732fa9ba5234e1978aac4b4a59a0e
SHA1

fb87bfff59f2ccddd3830a70b2d581532be3f3aa
SHA256

e29d997a018fcaed3a5d6296b72d9845c899a5211aeeafad8762869c906447b8
SHA512

76fe05dcf0dea26a5210dd92c1ae3c357f43f5c170642e99a50d3c7b412d25d1518a958960e25230fb6c055100159f29c080fb354f2cbe93a805ba419fb01976
SSDEEP

12288:q+khQMwkEo9EtZLJLUf9snBS4csPYae6qfzAAA:q+khQMlEthhUF54clNf7AB

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1160-0-0x0000000000DA0000-0x0000000000E44000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

systems32.exe91e732fa9ba5234e1978aac4b4a59a0e.exeDecoder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	systems32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	91e732fa9ba5234e1978aac4b4a59a0e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Decoder.exe

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Executes dropped EXE 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

4460 Decoder.exe
139892 systems32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4340 schtasks.exe
140744 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2372 timeout.exe
4472 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

4460 Decoder.exe
139892 systems32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Decoder.exesystems32.exe

description pid process

Token: SeDebugPrivilege 4460 Decoder.exe
Token: SeDebugPrivilege 139892 systems32.exe

pid	process
4460	Decoder.exe
139892	systems32.exe

pid	process
4340	schtasks.exe
140744	schtasks.exe

pid	process
2372	timeout.exe
4472	timeout.exe

pid	process
4460	Decoder.exe
139892	systems32.exe

description	pid	process
Token: SeDebugPrivilege	4460	Decoder.exe
Token: SeDebugPrivilege	139892	systems32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

91e732fa9ba5234e1978aac4b4a59a0e.execmd.execmd.exeDecoder.exesystems32.exe

description	pid	process	target process
PID 1160 wrote to memory of 4460	1160	91e732fa9ba5234e1978aac4b4a59a0e.exe	Decoder.exe
PID 1160 wrote to memory of 4460	1160	91e732fa9ba5234e1978aac4b4a59a0e.exe	Decoder.exe
PID 1160 wrote to memory of 812	1160	91e732fa9ba5234e1978aac4b4a59a0e.exe	cmd.exe
PID 1160 wrote to memory of 812	1160	91e732fa9ba5234e1978aac4b4a59a0e.exe	cmd.exe
PID 1160 wrote to memory of 1492	1160	91e732fa9ba5234e1978aac4b4a59a0e.exe	cmd.exe
PID 1160 wrote to memory of 1492	1160	91e732fa9ba5234e1978aac4b4a59a0e.exe	cmd.exe
PID 812 wrote to memory of 2372	812	cmd.exe	timeout.exe
PID 812 wrote to memory of 2372	812	cmd.exe	timeout.exe
PID 1492 wrote to memory of 4472	1492	cmd.exe	timeout.exe
PID 1492 wrote to memory of 4472	1492	cmd.exe	timeout.exe
PID 4460 wrote to memory of 4340	4460	Decoder.exe	schtasks.exe
PID 4460 wrote to memory of 4340	4460	Decoder.exe	schtasks.exe
PID 139892 wrote to memory of 140744	139892	systems32.exe	schtasks.exe
PID 139892 wrote to memory of 140744	139892	systems32.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\91e732fa9ba5234e1978aac4b4a59a0e.exe
"C:\Users\Admin\AppData\Local\Temp\91e732fa9ba5234e1978aac4b4a59a0e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3FB8.tmp.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:4472

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:4340

C:\systems32_bit\systems32.exe
\systems32_bit\systems32.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:139892

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
2⤵
- Creates scheduled task(s)
PID:140744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
Filesize
28B

MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3FB8.tmp.cmd
Filesize
131B

MD5
d47baabc4989941406d659c22b2b1f6f

SHA1
a284493ff498867a018dd9e0783cbfa4d11da024

SHA256
653a994285471c8fcbf2f80ef67ee002f3c40999a1f4158d85feb04cc381d0cd

SHA512
26fc8a506ba6185c5ac92222d609edd626e2acf0bf00fc3391435f6f33f49350de9a504cb009a6d2442dd022a3308ffef83f69907084d19564e77aa75d36688a

Download Submit
memory/1160-23-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/1160-0-0x0000000000DA0000-0x0000000000E44000-memory.dmp

Filesize
656KB

Download
memory/1160-3-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/1160-1-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/1160-2-0x0000000002FE0000-0x0000000003056000-memory.dmp

Filesize
472KB

Download
memory/4460-29-0x000000001B590000-0x000000001B5A0000-memory.dmp

Filesize
64KB

Download
memory/4460-24-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/4460-25-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/4460-33-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/4460-34-0x000000001B590000-0x000000001B5A0000-memory.dmp

Filesize
64KB

Download
memory/139892-37-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/139892-38-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/139892-39-0x00007FFA828F0000-0x00007FFA833B1000-memory.dmp

Filesize
10.8MB

Download
memory/139892-40-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads