Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
20-01-2024 01:02
General
-
Target
94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d.exe
-
Size
995KB
-
MD5
87e97a6eae614b6337a6d4e51d08a88e
-
SHA1
7b5381794f91ab6c352e03bd534c818deb5f1d53
-
SHA256
94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d
-
SHA512
ed25acd29946a3d41e09d1e46376293cb5e8c2833bf7ec886dec5c45fdba966393ed33895dfb99364fbba6bb98dfdef4b6406d52427a09f06b6373e368b029d0
-
SSDEEP
24576:jBkVdlYAK0qnvXMGYsHM/Hv5WPDRFN2Hs:FsvOvXMb0D7N2M
Malware Config
Signatures
-
Detects Echelon Stealer payload 4 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d.exe"C:\Users\Admin\AppData\Local\Temp\94dc9a9b077ffd5bf20b93c9eb4c488fce76b610e5308b2dd0d18b04f66df27d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelo.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelo.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.sfx.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.sfx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Echelon.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Echelon.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop "MpsSvc"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop "MpsSvc"1⤵
- Launches sc.exe
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelo.exeFilesize
297KB
MD5d3309191069a8450034c4423942da9c0
SHA12873b5f3e290ef11cca1b46aa19ad99ec90e24ba
SHA256574a5aafa98eca477995e51bc1260c3acb4da7becbefe10ea7aef7cdb7d7de59
SHA5126da2f1be036a35e4c68acba5ad9330af44769d8fe4fb0c12cafc525ee166961af4819033b7341ebae2769ef3b2ea81eb7bd5c53baf9f6043008f5bea495b7fe8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelo.exeFilesize
142KB
MD52653a79ea8b05765244a27073c2d2e77
SHA18cd2bd39157f102f2a485de9c6ddb36ac9901ada
SHA256c39d4c5cdb794dd3f36fa7e63ab6b55c0aecb4cfa1378821e5bd887a6a553e2c
SHA5128b73892be7e8b6d0d29a4d63aa36ac85e89dbe0e13451d708362b1b32121780fc23159b74792c204536064d64c6d1b23af08898a96448ef08e239dca272c3566
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelo.exeFilesize
49KB
MD5c8bba4d5e0cd3f3865394f399b77077e
SHA1d0a974a2eafef93377baadbd989463127800b42b
SHA256738d8d2a540586878f81c7b24e82e2f41edde8bf1a0573f2077c7a362f82a9dc
SHA5124142169a5e20dd60afab4182136072e3dbc5158aa874214a8d51e27e0dabb0a5ce6b871ca52984797763885d05457682dc29e9b244f2eac466d573ef74a1b1d2
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.sfx.exeFilesize
583KB
MD5bb2847eb97f3cfcd9ad90440b39faaf7
SHA1c895b360d6e0095e66febe2e9b4e4bc0ac993a07
SHA256fdcb8a7f8949ebe037f6cb8cb307427ec10da380303ade6daadc7db7c166d244
SHA5122a6e3f4ee22d558b73add32e4b0a77dbc1e3866e6335455bdafea1dd9bb903b452aa6687882d81a0f4b34dc30afc3e319f8aa4d481523493bb92c3387c3b6588
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Echelon.sfx.exeFilesize
649KB
MD5d87dbaf2295af3f2f55f7ca333b4668f
SHA195aa151d52ce3174d4d0e909c8e14e8373e4506a
SHA2564d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79
SHA512992b8d780758003e237e5c4c3b8eb9cd5276f79965d58976ce0b93128a95346927ee122294b8dea2c8f46aea4b7ab46c916099fbf60b15cc4987dec34217d0a3
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Echelon.exeFilesize
371KB
MD520d46db4b65f63ae3201318dd3afa640
SHA1385e3c79236a747dfd41ae65f5b7d5721b30840f
SHA256b89a38362edbca622b14bd58f588e2168865a47a66c064d4f1062ef9887cf644
SHA5123815638de7fed3e9d5432f09e8ecd925fc0576f63a715d6ca7c17993f31b9cb81a9f6c2be9d112bc5e274fb730086f62d23ed125216cd1918dd467b9b8afeda2
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Echelon.exeFilesize
490KB
MD5853d3a2c2aa008b2721eec4d98348a8d
SHA1b6c42c4dbc13250573bd65057d412c5ff7d07b54
SHA2565c0dc12ab37d39f583fb7c3eabcacb5c78381bc40e7dd88d9ab5db04033b98df
SHA512084ac6dd898e4c0b78ca70f2c917e03bdef51174d519b6b28bf90ffed580907733a75f2dffeed8c845b90259b5d158b6f818e94f4be1af29b3d97e0c5434e643
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Echelon.exeFilesize
329KB
MD594b8630741eaf13e80aa93ff39a1ef04
SHA1d1427cf71987a25400265cd1fa6bf78c6c7c2967
SHA256b205870444d00f2faea0ad36760be3fad657dd12c72be4ff5f1164afd148ea5c
SHA5124233d827c1e16ce3da9cadd0afab55f8bc564241cf7141a067683418cce10c0aceb339cf1070dcf2a4416df7eb353f9d0c8fc8c7654a4954e92b3433703ab6ac
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/532-94-0x0000020F58640000-0x0000020F58641000-memory.dmpFilesize
4KB
-
memory/532-62-0x0000020F50240000-0x0000020F50250000-memory.dmpFilesize
64KB
-
memory/532-96-0x0000020F58670000-0x0000020F58671000-memory.dmpFilesize
4KB
-
memory/532-78-0x0000020F50340000-0x0000020F50350000-memory.dmpFilesize
64KB
-
memory/532-97-0x0000020F58670000-0x0000020F58671000-memory.dmpFilesize
4KB
-
memory/532-98-0x0000020F58780000-0x0000020F58781000-memory.dmpFilesize
4KB
-
memory/2116-32-0x00000201CCA80000-0x00000201CCA90000-memory.dmpFilesize
64KB
-
memory/2116-33-0x00000201E7CF0000-0x00000201E7D66000-memory.dmpFilesize
472KB
-
memory/2116-60-0x00007FFE4B090000-0x00007FFE4BB51000-memory.dmpFilesize
10.8MB
-
memory/2116-31-0x00007FFE4B090000-0x00007FFE4BB51000-memory.dmpFilesize
10.8MB
-
memory/2116-30-0x00000201CC600000-0x00000201CC69A000-memory.dmpFilesize
616KB