echelon | 4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79

General

Target

4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exe
Size

649KB
MD5

d87dbaf2295af3f2f55f7ca333b4668f
SHA1

95aa151d52ce3174d4d0e909c8e14e8373e4506a
SHA256

4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79
SHA512

992b8d780758003e237e5c4c3b8eb9cd5276f79965d58976ce0b93128a95346927ee122294b8dea2c8f46aea4b7ab46c916099fbf60b15cc4987dec34217d0a3
SSDEEP

12288:jBdlwHRn+WlYV+8T+tkU5bw6g8h+Y409dMCZyH0FVI8QV:jBkVdlYAK23FNZyHf8QV

Score

10^/10

echelon collection discovery evasion spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe	family_echelon
behavioral2/memory/3880-12-0x000001B5BAAF0000-0x000001B5BAB8A000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exeEchelon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Echelon.exe

Executes dropped EXE 1 IoCs

Processes:

Echelon.exe

pid process

3880 Echelon.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3880	Echelon.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Echelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
10 api.ipify.org
39 ip-api.com
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1308 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Echelon.exe

pid process

3880 Echelon.exe
3880 Echelon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Echelon.exe

description pid process

Token: SeDebugPrivilege 3880 Echelon.exe

flow	ioc
9	api.ipify.org
10	api.ipify.org
39	ip-api.com

pid	process
1308	sc.exe

pid	process
3880	Echelon.exe
3880	Echelon.exe

description	pid	process
Token: SeDebugPrivilege	3880	Echelon.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exeEchelon.execmd.exe

description	pid	process	target process
PID 2916 wrote to memory of 3880	2916	4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exe	Echelon.exe
PID 2916 wrote to memory of 3880	2916	4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exe	Echelon.exe
PID 3880 wrote to memory of 4236	3880	Echelon.exe	cmd.exe
PID 3880 wrote to memory of 4236	3880	Echelon.exe	cmd.exe
PID 4236 wrote to memory of 1308	4236	cmd.exe	sc.exe
PID 4236 wrote to memory of 1308	4236	cmd.exe	sc.exe

outlook_office_path 1 IoCs

Processes:

Echelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe

outlook_win_path 1 IoCs

Processes:

Echelon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Echelon.exe

C:\Users\Admin\AppData\Local\Temp\4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exe
"C:\Users\Admin\AppData\Local\Temp\4d02168925f891eba820a3d8050fdf7a3de7ddd9a3aabb529dfa45ae6e540f79.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop "MpsSvc"
3⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\system32\sc.exe
sc stop "MpsSvc"
4⤵
- Launches sc.exe
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Echelon.exe
Filesize
592KB

MD5
a6c5e33747f3087b1f1c96d5c800aa99

SHA1
d3e400f79fb0520deca6eaf52ac030eadec98a71

SHA256
818d899f97b141d991937b1d39936ead0a845022ea685c7e83aef1fd55838033

SHA512
5339057ce8126bb5fc1c4a2115b4887533761ed5cb54976ec8b2087abf6a4602012cc939c04876a3cbf10ed270b100ee55b20fdecae51fa6952194ee2900fdb8

Download Submit
memory/3880-12-0x000001B5BAAF0000-0x000001B5BAB8A000-memory.dmp

Filesize
616KB

Download
memory/3880-13-0x00007FF8C2810000-0x00007FF8C32D1000-memory.dmp

Filesize
10.8MB

Download
memory/3880-14-0x000001B5BB1E0000-0x000001B5BB1F0000-memory.dmp

Filesize
64KB

Download
memory/3880-15-0x000001B5D5360000-0x000001B5D53D6000-memory.dmp

Filesize
472KB

Download
memory/3880-39-0x00007FF8C2810000-0x00007FF8C32D1000-memory.dmp

Filesize
10.8MB

Download
memory/3880-48-0x000001B5BB1E0000-0x000001B5BB1F0000-memory.dmp

Filesize
64KB

Download
memory/3880-49-0x00007FF8C2810000-0x00007FF8C32D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads