Analysis
  max time kernel: 143s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20231222-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18-01-2024 01:10

  Static task: static1
  Behavioral task: behavioral1
    Sample: 95861518ef095e5ffd16260e0a5ba1b2917fa9efaeaac75e7f5a20816a4fe35a.exe
    Resource: win7-20231215-en
General
  Target: 95861518ef095e5ffd16260e0a5ba1b2917fa9efaeaac75e7f5a20816a4fe35a.exe
  Size: 1000KB
  MD5: f71a4c25dbdc3fd5ee21b0ab15328cc5
  SHA1: 78eb0c54ce0127a93fc6007baeee980ff0562b45
  SHA256: 95861518ef095e5ffd16260e0a5ba1b2917fa9efaeaac75e7f5a20816a4fe35a
  SHA512: 61bc151952cacfdc99af9cbe450625aa2e23e498dea7b8327571a55e20a27060992b1cd7beb9bff71ded2edffc4fe73764c83220790d53a8af6274052a06eed0
  SSDEEP: 24576:qxLsMs8WdUS8KMcXK0QVQoU/TXJBdSnIernu:usldslc9Ci/TXp
Malware Config
Signatures
Detects Echelon Stealer payload (2 IoCs)
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe                        family_echelon
  behavioral2/memory/4404-23-0x000001CEF3180000-0x000001CEF321A000-memory.dmp  family_echelon

Stops running service(s) (3 TTPs)

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                     process
  Key value queried  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation  95861518ef095e5ffd16260e0a5ba1b2917fa9efaeaac75e7f5a20816a4fe35a.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation  Echelon.exe

Executes dropped EXE (1 IoC)
  pid   process
  4404  Echelon.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description  ioc                                                                                                                                                                         process
  Key opened   \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          Echelon.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Echelon.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          Echelon.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  92    ip-api.com
  14    api.ipify.org
  15    api.ipify.org

Launches sc.exe (1 IoC)
  Sc.exe is a Windows utility to control services on the system.
  pid  process
  628  sc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  4404  Echelon.exe
  4404  Echelon.exe
  4404  Echelon.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                     pid   process
  Token: SeDebugPrivilege         4404  Echelon.exe
  Token: SeManageVolumePrivilege  4896  svchost.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   process                                                                target process
  PID 4348 wrote to memory of 4404  4348  95861518ef095e5ffd16260e0a5ba1b2917fa9efaeaac75e7f5a20816a4fe35a.exe  Echelon.exe
  PID 4348 wrote to memory of 4404  4348  95861518ef095e5ffd16260e0a5ba1b2917fa9efaeaac75e7f5a20816a4fe35a.exe  Echelon.exe
  PID 4348 wrote to memory of 4404  4348  95861518ef095e5ffd16260e0a5ba1b2917fa9efaeaac75e7f5a20816a4fe35a.exe  Echelon.exe
  PID 4404 wrote to memory of 4264  4404  Echelon.exe                                                            cmd.exe
  PID 4404 wrote to memory of 4264  4404  Echelon.exe                                                            cmd.exe
  PID 4264 wrote to memory of 628   4264  cmd.exe                                                                sc.exe
  PID 4264 wrote to memory of 628   4264  cmd.exe                                                                sc.exe

outlook_office_path (1 IoC)
  description  ioc                                                                                                                                 process
  Key opened   \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Echelon.exe

outlook_win_path (1 IoC)
  description  ioc                                                                                                                                                                         process
  Key opened   \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Echelon.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\95861518ef095e5ffd16260e0a5ba1b2917fa9efaeaac75e7f5a20816a4fe35a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\95861518ef095e5ffd16260e0a5ba1b2917fa9efaeaac75e7f5a20816a4fe35a.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c sc stop "MpsSvc"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\sc.exe
          command line: sc stop "MpsSvc"
          - Launches sc.exe
  C:\Windows\system32\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\DotNetZip.dll
    Filesize: 448KB
    MD5: 60caabbd43235889d64f230617c0e24e
    SHA1: f5f922bd3c69591663187d40ad732c73a5bda290
    SHA256: 4d7851bb977d7bd1d7503e994bc4c4083faa2751f41624237309157b1b88681d
    SHA512: fedccb31b488ec1b7b28e8614a3eb53eb130c176837f687395e61a0f3f522d742d46ece1f6852ca45e831abe21728e08dadf010d828a49fbfdc9840b42cc975c

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe
    Filesize: 592KB
    MD5: 52c389a5c951fa6b0c5636ece3b9a4cc
    SHA1: 7ea98e6dc3113e1bb7a89a4b8c3f29f770163b68
    SHA256: 8b7240910326218e895b469398b4e98443ba8aba78e17270659050fb7562f930
    SHA512: 6bdbd1dfd21f7db0682972502e632fa006843db79c46265e8199c75f69458ecf6506c3c5b8424d465d004483897056739e2edb73b821205b48a0d7fb6b48f38d

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe.config
    Filesize: 216B
    MD5: ed6192054a346a72d8bd4352895f25f9
    SHA1: 2de8e2859eb7451eb23d408cf9fa45f37a4e2d0e
    SHA256: 707f233f9e814e64d7655a78275e60bb44c35646292fa5b41ee936e1763c9f77
    SHA512: 7fe3851b67da2cd748c5e194e7b0c8252c65516ac710d950e5d6ac3aefe7051a5a01e034d6714f1dba077046ec211d234eb9f19e05c80d292b24e0f84dd6ce0f

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.pdb
    Filesize: 465KB
    MD5: 7eb1ff59d8695aafd0ce4d16db69b3c5
    SHA1: b9be9d9046571261e90f837a3dbeed8b55810740
    SHA256: f137fdf94917ca89993d845de108300fece885c8a27ce856feff355fedf21651
    SHA512: 5a619f0effae27f2b2320d908a950e2c72a93e2a1991ac727d7f0a08f7399c2e44f8c3f6a19a0e649d24f9b091583aa9773393756a1cf8cb9d5c5ef46ffdb5e3

  memory/4404-25-0x000001CEF5810000-0x000001CEF5820000-memory.dmp
    Filesize: 64KB

  memory/4404-27-0x000001CEF5CB0000-0x000001CEF5D26000-memory.dmp
    Filesize: 472KB

  memory/4404-24-0x00007FFDB2470000-0x00007FFDB2F31000-memory.dmp
    Filesize: 10.8MB

  memory/4404-28-0x000001CEF5850000-0x000001CEF5A47000-memory.dmp
    Filesize: 2.0MB

  memory/4404-23-0x000001CEF3180000-0x000001CEF321A000-memory.dmp
    Filesize: 616KB

  memory/4404-61-0x00007FFDB2470000-0x00007FFDB2F31000-memory.dmp
    Filesize: 10.8MB

  memory/4896-64-0x000001BF16750000-0x000001BF16760000-memory.dmp
    Filesize: 64KB

  memory/4896-80-0x000001BF16850000-0x000001BF16860000-memory.dmp
    Filesize: 64KB

  memory/4896-96-0x000001BF1EBC0000-0x000001BF1EBC1000-memory.dmp
    Filesize: 4KB

  memory/4896-98-0x000001BF1EBF0000-0x000001BF1EBF1000-memory.dmp
    Filesize: 4KB

  memory/4896-99-0x000001BF1EBF0000-0x000001BF1EBF1000-memory.dmp
    Filesize: 4KB

  memory/4896-100-0x000001BF1ED00000-0x000001BF1ED01000-memory.dmp
    Filesize: 4KB