echelon | fe2a40f78f2acb54fb1675bbe256de830d9c78ff813818d7335b98ce8b2bb3e6

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6512ee54cb87daf804d1d337785c947e.exe
Size

1.5MB
MD5

6512ee54cb87daf804d1d337785c947e
SHA1

6e29351ed23c4b14d731a36c789e08cea5f8eb5e
SHA256

fe2a40f78f2acb54fb1675bbe256de830d9c78ff813818d7335b98ce8b2bb3e6
SHA512

a7725fee1f1a90fe6b0571cf293b028f4128ac5baf62f64cc3b6ba20d7c412437918096c86b005411bb922b42f020c393980965f0ec7c16b000a8e0773da96b7
SSDEEP

24576:+DWHSb4Nc0yPFtkTb67tzzM9DvVIJV1rliDpL9Dh7qd2P69EuKA+R:t846kKzzKVIJ5+pLTpP699Kn

Score

10^/10

echelon discovery spyware stealer vmprotect

Malware Config

Signatures

Detects Echelon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0005000000022d04-34.dat	family_echelon
behavioral2/memory/2652-35-0x000001BAFF3C0000-0x000001BAFF586000-memory.dmp	family_echelon
behavioral2/files/0x0005000000022d04-33.dat	family_echelon
behavioral2/files/0x0005000000022d04-28.dat	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6512ee54cb87daf804d1d337785c947e.exeUltraHook newe.sfx.exeUltraHook newe.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	6512ee54cb87daf804d1d337785c947e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	UltraHook newe.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	UltraHook newe.exe

Executes dropped EXE 3 IoCs

Processes:

UltraHook newe.sfx.exeUltraHook newe.exeCrypt.exe

pid	Process
4356	UltraHook newe.sfx.exe
3640	UltraHook newe.exe
2652	Crypt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023218-15.dat	vmprotect
behavioral2/memory/3640-20-0x0000000000B30000-0x0000000000D30000-memory.dmp	vmprotect
behavioral2/files/0x0007000000023218-19.dat	vmprotect
behavioral2/files/0x0007000000023218-18.dat	vmprotect
behavioral2/files/0x0005000000022d04-34.dat	vmprotect
behavioral2/memory/2652-35-0x000001BAFF3C0000-0x000001BAFF586000-memory.dmp	vmprotect
behavioral2/files/0x0005000000022d04-33.dat	vmprotect
behavioral2/files/0x0005000000022d04-28.dat	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Crypt.exe

pid	Process
2652	Crypt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Crypt.exe

description	pid	Process
Token: SeDebugPrivilege	2652	Crypt.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6512ee54cb87daf804d1d337785c947e.exeUltraHook newe.sfx.exeUltraHook newe.exe

description	pid	Process	procid_target
PID 2860 wrote to memory of 4356	2860	6512ee54cb87daf804d1d337785c947e.exe	90
PID 2860 wrote to memory of 4356	2860	6512ee54cb87daf804d1d337785c947e.exe	90
PID 2860 wrote to memory of 4356	2860	6512ee54cb87daf804d1d337785c947e.exe	90
PID 4356 wrote to memory of 3640	4356	UltraHook newe.sfx.exe	91
PID 4356 wrote to memory of 3640	4356	UltraHook newe.sfx.exe	91
PID 3640 wrote to memory of 2652	3640	UltraHook newe.exe	92
PID 3640 wrote to memory of 2652	3640	UltraHook newe.exe	92

C:\Users\Admin\AppData\Local\Temp\6512ee54cb87daf804d1d337785c947e.exe
"C:\Users\Admin\AppData\Local\Temp\6512ee54cb87daf804d1d337785c947e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe
    "C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\Crypt.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypt.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypt.exe

Filesize
334KB

MD5
4cbb821230d32f767f6c1cb949f1d344

SHA1
70adb916e3b4a76760d8bd48ad375fd28f8e494c

SHA256
41b98c4a24bdf7c78e0b960063ceba41b0be1a4660f2a60f29d51f17fe1fdcb6

SHA512
45bd11261230e6d60f481324be9391169b2282954572c14d59cffee5f3f73f965bd8ffa2176d2b2979e3e41d5fa5d2b00c5210e6dd67544a34bf512ef2670847

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypt.exe

Filesize
323KB

MD5
171f19203ccc242d472aeb45cc74fdd9

SHA1
9a20bdaa55c11186e5239f09136c932f8b74f021

SHA256
91457babb965c37923de89fbdc2d26b719b9823aeb56f9dc63e9a2b611da5485

SHA512
f22efc315e04820b0b8bfd996e5e07695d067273edec0148fa3b6e451e89dcfd4b9c326a66fd5fd5803ec1bd90ba63869e6269f90940aa1dcc248552b2736aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypt.exe

Filesize
422KB

MD5
382d187d2cbbdf37a4032bf80cc97a47

SHA1
640c5a58560b2cafd9b813de5e20d9be77954fd0

SHA256
c61b403de33d5d9f57faa1a13450eb205688406004315c59aac25677aa1e7357

SHA512
9c5deb526c46b15bd944b085d9f3e8fdb6415ca5df101f6242c4ceea150ebe2c71867ce33ff5c248e823cc1f02b0282571bae91b075d0a115eab62dfb7eb3c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe

Filesize
581KB

MD5
4b96c037ba3272a9299a794fbbfaad68

SHA1
056bb237b9a6890c008fb251676733a46f9aeee6

SHA256
cf83d1e1d14f913fa871bacd4b76a61b72b4cd6600183fa961c4021818f4ac35

SHA512
eab32a90a2b185c0715f5aecad6cd4e66f7ddfb4ee530275f39aecf1344afe782aa8130883a1a42003be038c3b35eb1a6a604ffecbfb1bd1a06ef5eeafb1fb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe

Filesize
534KB

MD5
3b814ad62b88fff000d007357c65f015

SHA1
45fa085374ff146b3e3461d4d7712b7e24464934

SHA256
2c81e4a2dd90c11dc78c765656a2d256d9a76d1cf75f55336d65b5cf88faa5f7

SHA512
7b77a704e995e68e6f3180bb6efd483fc42bfe7aa639097c31062dc866a18a0483006f8411ad380988874415acd448ff7dc92bfcf93ba0f2fe569bc4649cb529

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe

Filesize
462KB

MD5
f9513df82be4d920436d703edd435246

SHA1
ae7e730ba783eb7de776d5936d0cb706a339b110

SHA256
0d702a6941da11dc3e48db09f1ddc84fcae169cb8986a36f427009f8080e6b72

SHA512
80e1bd6c3272fd0e8123e387daf6ec184b8105698bd4da8ed56736c79dfdc21b8103c4c3a1aa8dfe6fc94fa5bb702b12fbf43d85a68367ad29335b761a827825

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe

Filesize
85KB

MD5
63cb634d14a2318018fa3f186bbfa692

SHA1
9081829a9ea67579ea567e05ecabfa2d82f24b2c

SHA256
b315a7f9863bb4bfe58714d90e2de236f471ff96af7ff18df36a225e1da73731

SHA512
8a08dadea1b5debe29c5b108c98c74a3d0a447641062989649252319df28802d3332b0bf67691cd0b30c4641408f5a16bebbdd9928bfb52d0370ef9cbaaec792

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe

Filesize
494KB

MD5
233882319f664d7812b91b7a77e7d520

SHA1
8c1ca48f4a6169796940967cb6963fa151620246

SHA256
ad3a783913c416a3939d73881f2b1493580960994efb9bf97168d4cd21a6f9c2

SHA512
39247542254c3f61343c036c27bf1f8717768dcbcf06966faa670b1f1c1c4f93d26c8a692d83d13295c7d34fc6387923d5a35f0f26bd1b1791bb3ded392d7597

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe

Filesize
119KB

MD5
e486b603767b039dcebfd10b14884a18

SHA1
0793e2ba0f6976be513fbe41a5498347e84c7fb2

SHA256
589186b09ff62fb832351882cb90f56a2eb678803046d99a7580566ddd500e6f

SHA512
e1269f9c5b0b07f1acd4c758a7d889ad1c0c1ee6a2d8cda82aa7e13f1e8e8fa025e145e484b20e646077120730a3d34bd520e49161e98bad78ce4c47ef551539

Download Submit
memory/2652-67-0x00007FFA64190000-0x00007FFA64C51000-memory.dmp

Filesize
10.8MB

Download
memory/2652-40-0x000001BA9A230000-0x000001BA9A2A6000-memory.dmp

Filesize
472KB

Download
memory/2652-37-0x00007FFA64190000-0x00007FFA64C51000-memory.dmp

Filesize
10.8MB

Download
memory/2652-35-0x000001BAFF3C0000-0x000001BAFF586000-memory.dmp

Filesize
1.8MB

Download
memory/2652-39-0x000001BA819F0000-0x000001BA81A00000-memory.dmp

Filesize
64KB

Download
memory/3640-20-0x0000000000B30000-0x0000000000D30000-memory.dmp

Filesize
2.0MB

Download
memory/3640-38-0x00007FFA64190000-0x00007FFA64C51000-memory.dmp

Filesize
10.8MB

Download
memory/3640-22-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/3640-23-0x000000001BB00000-0x000000001BB10000-memory.dmp

Filesize
64KB

Download
memory/3640-21-0x00007FFA64190000-0x00007FFA64C51000-memory.dmp

Filesize
10.8MB

Download