echelon | f29c642e2962616de5f5a909c391bbe4292902a11ffa774203b03e8711c84c48 | Triage

Analysis

max time kernel
149s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 19:28

Sharing

Report Analysis Logs

General

Target

f281eed68163245661609f462a0c6266.exe
Size

674KB
MD5

f281eed68163245661609f462a0c6266
SHA1

11bc8632b1f40116589fd3b13be379bcac75e045
SHA256

f29c642e2962616de5f5a909c391bbe4292902a11ffa774203b03e8711c84c48
SHA512

66494ee26ed66746ee51c31254245f5746ae9a0170fc255e851ad66320680219b022c66518e2ff3d2d470dd2f9cba4237b9f2bc018da514ade6ec6dba6bdfbb6
SSDEEP

12288:mofpljJgZSsAjAuYcVWfs6MDMVqfBdcmDBujHhVP:7JwcAuv0fKMVqJdc3hVP

Score

10^/10

echelon collection discovery spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1852-0-0x000001B47C300000-0x000001B47C3AE000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

Email Collection

Processes:

f281eed68163245661609f462a0c6266.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f281eed68163245661609f462a0c6266.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f281eed68163245661609f462a0c6266.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f281eed68163245661609f462a0c6266.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 api.ipify.org
52 api.ipify.org
60 ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

f281eed68163245661609f462a0c6266.exe

pid	process
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f281eed68163245661609f462a0c6266.exe

pid	process
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe
1852	f281eed68163245661609f462a0c6266.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f281eed68163245661609f462a0c6266.exe

description pid process

Token: SeDebugPrivilege 1852 f281eed68163245661609f462a0c6266.exe

outlook_office_path 1 IoCs

Processes:

f281eed68163245661609f462a0c6266.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f281eed68163245661609f462a0c6266.exe

outlook_win_path 1 IoCs

Processes:

f281eed68163245661609f462a0c6266.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f281eed68163245661609f462a0c6266.exe

C:\Users\Admin\AppData\Local\Temp\f281eed68163245661609f462a0c6266.exe
"C:\Users\Admin\AppData\Local\Temp\f281eed68163245661609f462a0c6266.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ZLHw078BFBFF000306D22ED8715E26\26078BFBFF000306D22ED8715EZLHw\Browsers\Passwords\Passwords_Edge.txt
Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Roaming\ZLHw078BFBFF000306D22ED8715E26\26078BFBFF000306D22ED8715EZLHw\Files\DismountGroup.txt
Filesize
523KB

MD5
7ee26575da148b8d0d783a4b6d4aa61d

SHA1
3131defbbf38de7b48f8836a75862434ea674a4a

SHA256
bf588fb9a4fd54fb595083d47f2950362b3ef3b40650101f299c68f6ccb50e8f

SHA512
f71053bd9430bdd0d9e18b77b8a4a517da23977037dd3ef486c7aca9bb1ffd24421eb72808dd4ac5f6bb108100732e90b4865f4a7ac183ee1350ddbdd44fd751

Download Submit
memory/1852-66-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-107-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-4-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-5-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-6-0x000001B47E2C0000-0x000001B47E2D4000-memory.dmp

Filesize
80KB

Download
memory/1852-7-0x000001B47E2D0000-0x000001B47E2DE000-memory.dmp

Filesize
56KB

Download
memory/1852-0-0x000001B47C300000-0x000001B47C3AE000-memory.dmp

Filesize
696KB

Download
memory/1852-10-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-2-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-31-0x00007FFBE71E0000-0x00007FFBE7CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1852-32-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-35-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-36-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-37-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-41-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-42-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-50-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-1-0x00007FFBE71E0000-0x00007FFBE7CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1852-8-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-3-0x000001B47C810000-0x000001B47C854000-memory.dmp

Filesize
272KB

Download
memory/1852-65-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-94-0x000001B418630000-0x000001B41864E000-memory.dmp

Filesize
120KB

Download
memory/1852-95-0x000001B418650000-0x000001B4186E0000-memory.dmp

Filesize
576KB

Download
memory/1852-96-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-97-0x000001B47EA40000-0x000001B47EA62000-memory.dmp

Filesize
136KB

Download
memory/1852-98-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-99-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-100-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-101-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-102-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-103-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-104-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-105-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-106-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-69-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-108-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-109-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-110-0x000001B47EAF0000-0x000001B47EB00000-memory.dmp

Filesize
64KB

Download
memory/1852-111-0x000001B47F580000-0x000001B47F680000-memory.dmp

Filesize
1024KB

Download
memory/1852-125-0x00007FFBE71E0000-0x00007FFBE7CA1000-memory.dmp

Filesize
10.8MB

Download