Overview

overview

10

Static

static

3

6e8643be66...62.exe

windows7-x64

10

6e8643be66...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2024 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e8643be663b6295645bf7c28323f00b1552e9d398116c780933095507624a62.exe

  • Size

    1.5MB

  • MD5

    782bcf992d63bdefa2d4fa9506db01b3

  • SHA1

    59a586ab6eb222c94cc4d4cefacac8cdc078a3b5

  • SHA256

    6e8643be663b6295645bf7c28323f00b1552e9d398116c780933095507624a62

  • SHA512

    6af38824f318d3dfda4774c6fdfdf952396c4cbb976bb16e2bf7b3a8287af5922695e2952f38e3641aa5d289bc06945716503927c9f11b58ddccae98086add7b

  • SSDEEP

    24576:jBkVdlYAK71WmEjLaofPl87xCDV3fu/2s+zIfcJ8AV3z8vTjV4BzKInuKW:FsvK1m/aofK7xCZLs+sf0YLHKW

Score
10/10
echeloncollectiondiscoveryevasionspywarestealer

Malware Config

Signatures

  • Detects Echelon Stealer payload 4 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e8643be663b6295645bf7c28323f00b1552e9d398116c780933095507624a62.exe
    "C:\Users\Admin\AppData\Local\Temp\6e8643be663b6295645bf7c28323f00b1552e9d398116c780933095507624a62.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Efc.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Efc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Ef.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Ef.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Ec.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Ec.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2388
          • C:\Users\Admin\AppData\Local\Temp\RarSFX3\Echelo.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Echelo.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4152
            • C:\Users\Admin\AppData\Local\Temp\RarSFX4\Echelon.sfx.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Echelon.sfx.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:336
              • C:\Users\Admin\AppData\Local\Temp\RarSFX5\Echelon.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX5\Echelon.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Accesses Microsoft Outlook profiles
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • outlook_office_path
                • outlook_win_path
                PID:2396
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c sc stop "MpsSvc"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2892
  • C:\Windows\system32\sc.exe
    sc stop "MpsSvc"
    1⤵
    • Launches sc.exe
    PID:3228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Efc.exe
    Filesize

    1.3MB

    MD5

    e0b4616fb674c5f364deb34f7bc28898

    SHA1

    0519d146228a11a19e529d18d5c559ecdbbce089

    SHA256

    cd0ea348e6708459fa683303551f16a85e5b16fd024392889ff0b92d15e74ba4

    SHA512

    e6815572b62d34e366248a1a00657de35f8dc932bb9512f0d1f35ac789fb100fd7ef13066a825fd0f9de9a784b221e4556347564fa8986956b86a2d3fabc39e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Efc.exe
    Filesize

    663KB

    MD5

    a41ad346ff4822ab42a2d19eac6b8134

    SHA1

    157a6a2be70c502e9afd8b7496c2fa41bd58fb3f

    SHA256

    20ff40e82d63eeb64495683478a9ba75765e42a6b9ffcc928ea799d54fecd336

    SHA512

    a6bedcb47f1939f94983c57449e04eb8273b4d2815e7322b610d5205412107f1cb06148ede61dbb823dbde2756aa94025377bfb9fc05d6730174e37f4729b5c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Efc.exe
    Filesize

    80KB

    MD5

    7df7b80b9946d5b2f319cf5e091ec748

    SHA1

    b5a893955140a6b343f75263612be33b148cc692

    SHA256

    a030adaaf08087c0956c7639e62cb60b7797a50375fa535823c4bb8eb2b07fee

    SHA512

    01540818568b55ae25eee272cab6d94ac4c7ac739eb8721cb8f3091dde21dc65ddb72e87ddadbb192a596138118da8fdaa3ec4442dbd558edc31253661ab6b52

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Ef.exe
    Filesize

    1.0MB

    MD5

    4629884fadc432290f8ef4acf83388f4

    SHA1

    31c16a7d525b3352d41389301b88ef92cf6442ac

    SHA256

    61ec4e1153eff7c695546e80b0836d5f5bca33dbf792920c70b1e7d74de610fa

    SHA512

    114c492784b55d6a523c36e7610fbbf20fa7675489bb8e0f1c9030aa3561e0efaba5d1d1bd37aa32490cb67afb95e3fb053f439370bf9c72ba56e249f3f93af5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Ef.exe
    Filesize

    1.1MB

    MD5

    a8bfff627878db51c4dfa23ffa275cda

    SHA1

    1cad5285bf4f71febcdddb1bfc511bf7658cc2da

    SHA256

    5a16c599c341bf4d94b83ad4985dd8fee0bbe2f16b2ece6a73f277becd4c4737

    SHA512

    6066e9ed9c3d3b7adbd56aebce7c7fe5158035f1700962052725d656960833dc2ba5cdaa013826b78225c550febd1e8cc06d3944da8364d2957da54c7100a0f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Ec.exe
    Filesize

    677KB

    MD5

    00831e7e67cfb64aa22a4be1df1dfb42

    SHA1

    7b0f1dafbd0c3bf76379f3bc3b0e9f59e0816531

    SHA256

    94f75c99b526439fd95889c74f00029c7b9dc70bb51f7067e4a45d5ab504e854

    SHA512

    dfb4ead30613ab284272a00433bdca633c4445910744851d8ce6fc8f55fb85f3fa78005a3b77839af9c60af48bfeb57be9737520684908059a8891ca30f1be60

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Ec.exe
    Filesize

    995KB

    MD5

    87e97a6eae614b6337a6d4e51d08a88e

    SHA1

    7b5381794f91ab6c352e03bd534c818deb5f1d53

    SHA256

    94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d

    SHA512

    ed25acd29946a3d41e09d1e46376293cb5e8c2833bf7ec886dec5c45fdba966393ed33895dfb99364fbba6bb98dfdef4b6406d52427a09f06b6373e368b029d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\Echelo.exe
    Filesize

    344KB

    MD5

    4fcb40cd13d69c615fe5ae89f63b3775

    SHA1

    f33b8b269b002b3145109f139791fe8d132b3e01

    SHA256

    5cbd16677cb2051734a2f5c953eecff1e05944e53cb6be09c7019ee29879c06a

    SHA512

    fbfd4e1fd86415a166dcac178820990749c0a75f18735e64ed91f5c7bf142fb9ac83d56146ead3bf55ef597b4c5c6ff56fc34b789a2654c0284f35c6fd04baee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\Echelo.exe
    Filesize

    506KB

    MD5

    9243ca4be6ac7b13faed6184cbc13b34

    SHA1

    13857af56ef81cb49a0f90531bce1875101eb6f2

    SHA256

    3346242a7cd02b54dcbf2cb3aae58ee104ecaced79efad4f4bd51510ed544862

    SHA512

    25e4f388806ec60f2d81ab23958dd5b5a761d69b493d6b3653e2f744752922ac9aa32d2f635824a10e8938616fdf081ca15ad428d1a1d2511807e4f22efd5b9a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\Echelon.sfx.exe
    Filesize

    188KB

    MD5

    a101b6c812e8ca524d84bd504d46e550

    SHA1

    6d73c6d9277b17189bccce8b493ac8e967c24831

    SHA256

    59ac56f66cf627a2fe506a199e54fd135e89988edfe8b3f5457ae164b146238a

    SHA512

    0e4568e89ff94822ec021a412616e7c35d82c7f4724ad8d63b981c2b14513f1a3e5bf60d8e28b517669f90956807b624b79e53c3ac9fc6ef5591e2ce894139a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\Echelon.sfx.exe
    Filesize

    167KB

    MD5

    bbd1e484c1a7d9e8c02739491d0a1bcd

    SHA1

    e50c3890dc7d19cd7268d45d08c00d5b82a3fbbc

    SHA256

    097ed0507b52f533264223c1378cc02f55f4e324db4b1f7ef98efc1c59101e13

    SHA512

    b2030306430ed4619ccdf46a954d63eac4a1de0fa4830d1293457e09fc9f5c9373fe59ebd94742db77decf137035b163f27b66006cd7ea746acfdf07139da14d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX5\Echelon.exe
    Filesize

    201KB

    MD5

    d17454a86f8611ae9a4ccf58d4ce2476

    SHA1

    e6acf52e6342d10f4c2c3937f6ab1af7ef4c9234

    SHA256

    2eae404feed4a2a2858f821e41586024a768f19d0bc03dab3334feb4d11ec3d1

    SHA512

    9536876c3694a0f1bd47914df3e5c69e6a00b5a338b287e793b7f0fb0f74573469ce3036f5b05ad8764057c5080751022f8f52d24a0ad0a328d5ceeac8628483

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX5\Echelon.exe
    Filesize

    61KB

    MD5

    5cad6864850db22e2c130195e627b7ee

    SHA1

    8bc39966e99739f9cdb086cbefb59bb59c968bb1

    SHA256

    9b918f415349a62e3aacb1669fb1e8521ab6e72ffc8f917aee4ad7c8aa66bc03

    SHA512

    1849830013afa2771903dc3b185efd09d99e9b6ce66bb363f87218a5e95ad34dbd35859ea3997cb1508e0a8f86cdf0b8ec1dd8c349b59fa200ae2eedea52d0ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX5\Echelon.exe
    Filesize

    133KB

    MD5

    2dfa469d11ff4cda8517acfa25ae0c9b

    SHA1

    4c6d54059a00d0d472177ac7d6d8fadd8fd7a1de

    SHA256

    a17d4cdd76ecdbac11868d6fa0e50ec754892fb99702c65f2b9c6a550d30fadf

    SHA512

    19bbe04d48d88abd308195930d400a668fbc3f0da790d4e3c83dd0ca4308d4057c37cb83029e049299ef1523c412b2d25965e83a2597ea182404ecb44ef0c05a

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/2396-57-0x000001D323970000-0x000001D323A0A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/2396-58-0x00007FFDF7240000-0x00007FFDF7D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2396-59-0x000001D3257C0000-0x000001D3257D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2396-60-0x000001D33E220000-0x000001D33E296000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2396-91-0x00007FFDF7240000-0x00007FFDF7D01000-memory.dmp

    Filesize

    10.8MB

    Download