echelon | 1c5975dd72f461fbc184364d27f711642fc693552bb0422477f60020e1139ea9

Analysis

max time kernel
8s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

706fc7ab5c6b9ef616acfd3add700e44.exe
Size

886KB
MD5

706fc7ab5c6b9ef616acfd3add700e44
SHA1

d4cfb9750c6e4a7a44be3710bc94fa0fbb53ccf4
SHA256

1c5975dd72f461fbc184364d27f711642fc693552bb0422477f60020e1139ea9
SHA512

32b6d7947fee7ad02de23bcbf97a8d838934c700bab3cec525fa45e340564a665b00f5212faeec056cdbbd592bc7f6bf2053c6d24bd8be35c134aed82d623012
SSDEEP

24576:2ryfpDG1m7JGVrFoh8I7UFHxW9ugDH3VH/SVTiZsCfonnV:vff7gVrFG8ZHUH/KGG

Score

10^/10

echelon persistence spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Executes dropped EXE 1 IoCs

Processes:

RADMIR~1.EXE

pid process

4024 RADMIR~1.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4024	RADMIR~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

706fc7ab5c6b9ef616acfd3add700e44.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	706fc7ab5c6b9ef616acfd3add700e44.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
15 api.ipify.org
17 ip-api.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RADMIR~1.EXE

description pid process

Token: SeDebugPrivilege 4024 RADMIR~1.EXE

flow	ioc
14	api.ipify.org
15	api.ipify.org
17	ip-api.com

description	pid	process
Token: SeDebugPrivilege	4024	RADMIR~1.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

706fc7ab5c6b9ef616acfd3add700e44.exe

description	pid	process	target process
PID 2584 wrote to memory of 4024	2584	706fc7ab5c6b9ef616acfd3add700e44.exe	RADMIR~1.EXE
PID 2584 wrote to memory of 4024	2584	706fc7ab5c6b9ef616acfd3add700e44.exe	RADMIR~1.EXE

C:\Users\Admin\AppData\Local\Temp\706fc7ab5c6b9ef616acfd3add700e44.exe
"C:\Users\Admin\AppData\Local\Temp\706fc7ab5c6b9ef616acfd3add700e44.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
2⤵
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RADMIR~1.EXE.log
Filesize
2KB

MD5
0c50d29c85d4179fee7edbde146f6de8

SHA1
6eec082fc835082d07e96444bc6ef1d905a7782d

SHA256
f842c5e9b8a6bd86dcd465ded40d253100a96d7bf00a906338ff615f8058f24e

SHA512
798b916d2525805181bd33385c8ddf5dcb9cd338d6f65a5d19335fa8ec4dad4961a217d2669f768e97e9d8aec70fa2b5626096296e46b99b18a037d8e7f81f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
Filesize
51KB

MD5
fd008bce97b0bcc2937aeec5a9c7b6ff

SHA1
23400b713b0850492332b77491a6a0dec2e54104

SHA256
346609a1795913088911697619159834dfad3176a36d2364db33810f50751f1a

SHA512
e89f234c130b297283a5195954004ca63c7dee92527d27333130a9416ca6020703c692449b87edf439ef8f655b8fb550317de4ed243c5a604424d8855092c4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
Filesize
5KB

MD5
f8434d75cace14bab2ec030d7f80bf49

SHA1
7356eb1a5c3a836a33f405e6142cc38626e10fd7

SHA256
d01cf29991a50ce93dd53f281afaa6c806f20761315aaf73b214ad4a459f9744

SHA512
874f3b5d05109935201ac173dd737947037503c3be5bc1c97095559079091a83bee1f64fb2a0ca93d3785bd79f60eec830d14c4eac81d632553c11f160c475a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
Filesize
21KB

MD5
c6241ac7f5cb6bec080c1fb528710a21

SHA1
7474f924934d9426849f19044c33b118b0e7c3d3

SHA256
62a461ec75cdc7a1491b7e984ab6ad26db689548c9cdc552c390c23a8a1ecc13

SHA512
ac37686965503679f697940e606a62bb6c310005b8f9f430a1817b4409cbbb05e2941fba81f2236c7834e480ca5ee3c7304300982ba2aba333a099f03aa01fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22603F023.tmp
Filesize
92KB

MD5
d63e3a8d4109b7212d419e17141dd862

SHA1
c9637da0763277477e60128ae2cd26fb314fa80a

SHA256
0cdd05fd9d9515c99e713a0cdf201fae20cd5db884c08a292ce16471725c521f

SHA512
dfee6ccabfe03415bea0d817ac0c393e98b54a0dfff102f0eee21c8e85d903e11a073aa97b7a3e8b95d88d5f86afd4c9782e7618e3119727da1e01d4895315e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22603F023.tmp
Filesize
126KB

MD5
49df30ecd67c59659bb3000f83bf332e

SHA1
a3b6b3abef524e09c195fad73c82d06268734ac4

SHA256
fac1ea6b03c0589930a81d5649613e98be227c8e766a411113caaa7044bf6765

SHA512
10ae930dd4fb8d87595f2c8d74dbada1c98e204330dd6019e6c323b59220118e3fde6115cfc240abbb6e34580b5121c329340eea8f75681acbde5325992c4799

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22603F023.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\wPZLTFFLTFBNVVZuN078BFBFF000306D22603F02370\70078BFBFF000306D22603F023wPZLTFFLTFBNVVZuN\Screenshot.Jpeg
Filesize
82KB

MD5
a0e060277ac825638d1fa1a0805b93bb

SHA1
c641a663ac09d71479dbe89f8d69284da6e3f1ee

SHA256
016f542aade1911a4b22d3b84a075233c80733c5ed8da53515c93ba8edf76de6

SHA512
5e53df42b1865a1510d213b36b0788799005f79fa6f7bf1e67471342691c0e45cb5eca987b2f7c84b98ecbef280ae7ffe9fc99382687a9aafa026f598fc6b0a1

Download Submit
C:\Users\Admin\AppData\Roaming\L078BFBFF000306D22603F02316\16078BFBFF000306D22603F023L\Browsers\Passwords\Passwords_Edge.txt
Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Roaming\L078BFBFF000306D22603F02316\16078BFBFF000306D22603F023L\Grabber\MeasureFormat.doc
Filesize
57KB

MD5
f5ac5b869a3d0d633c1b4d8062551c0f

SHA1
e4b7976029b70086517fc3954018d6c191db8883

SHA256
44067d566a47209713d5624e7c0eb678d9ab2316bce35d50f4412b66056a8eeb

SHA512
62ec271327ec72acb55611f9946fe92d7e35a1478043bb71e5b670d61ae1063d70052befe81af8278798c664b8f872d7e2e946dba388ed05bed5ab09911b23bc

Download Submit
C:\Users\Admin\AppData\Roaming\L078BFBFF000306D22603F02316\16078BFBFF000306D22603F023L\Grabber\PublishLock.txt
Filesize
99KB

MD5
6bbc6746eee216ef7469ae5569e090dd

SHA1
d121535c2dfb9432affbfdca5a7a6a40f60c6ce3

SHA256
395d3b50d67ea9dc78a484d24d7b779a0288125e1cf5ba9413025851387e71e9

SHA512
cc19a51347a7161a95815fdce2bc90f65d858a27fb8e41f18dbea696d319ddcb4ef055145b42e0a38b1e214ab361f4e02d3ceb5f47f77796b65b1b407073c831

Download Submit
C:\Users\Admin\AppData\Roaming\L078BFBFF000306D22603F02316\16078BFBFF000306D22603F023L\Grabber\PushCopy.doc
Filesize
111KB

MD5
34ae07ec57972a67394ccf9680d181a9

SHA1
ae62d33de9bb32d9e5ef2f0373ffe903c4c2ac15

SHA256
b915d25d40a9b57cac628fb8b43115825659ef2f97b9e235356336884136c302

SHA512
61ac7e61225035957fcf074016ab099544dc7ce1b2e38759eae0c46a444fdbd89b0a02425fe3ad4aa0e802a257e0e8da006cc928824a1a32a6a319eaedd4998a

Download Submit
C:\Users\Admin\AppData\Roaming\L078BFBFF000306D22603F02316\16078BFBFF000306D22603F023L\Grabber\RevokeUse.jpg
Filesize
143KB

MD5
1753e83228991f49ff1c0f96c2121f98

SHA1
58b13e250a4db7a6c8adea7b85893b2384a37d35

SHA256
052770cb591f9da845ad9dfa73186329b987a760048f7fbf93e693f51147ba17

SHA512
a00bab660600db4953ea3c39aa0111039c1224cf841255a9fb720ffd9298273dc4ca9d76751ed1c89f746a2ffc6ef38cbab650ebd49ada53bb633010bc394d88

Download Submit
memory/2268-195-0x00007FF8F6390000-0x00007FF8F6E51000-memory.dmp

Filesize
10.8MB

Download
memory/2268-104-0x0000021816E00000-0x0000021816E10000-memory.dmp

Filesize
64KB

Download
memory/2268-103-0x00007FF8F6390000-0x00007FF8F6E51000-memory.dmp

Filesize
10.8MB

Download
memory/4024-6-0x00007FF8F6320000-0x00007FF8F6DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4024-100-0x00007FF8F6320000-0x00007FF8F6DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4024-7-0x000001B7BB6C0000-0x000001B7BB736000-memory.dmp

Filesize
472KB

Download
memory/4024-8-0x000001B7BB590000-0x000001B7BB5A0000-memory.dmp

Filesize
64KB

Download
memory/4024-5-0x000001B7A0FA0000-0x000001B7A10AA000-memory.dmp

Filesize
1.0MB

Download