Overview

overview

10

Static

static

3

a5e7145dc1...f0.exe

windows7-x64

7

a5e7145dc1...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-02-2024 08:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5e7145dc17d160b41d36dbea524c3f0.exe

  • Size

    871KB

  • MD5

    a5e7145dc17d160b41d36dbea524c3f0

  • SHA1

    2ad6faea0f967df37e404d14a4c1ccca607a924e

  • SHA256

    99dfe0c0529b4122889ac7023330f2749df048d0b11a91e92155d991e189f0d8

  • SHA512

    672a08a7e62b1129cc2997dd77e1709e86281d89d6ab88d12e771120b7a7a15638b9e2e110d3f95cf04e319da31dedbac4727d8b67e2a2343c68d280967d83c9

  • SSDEEP

    24576:GR1wvcupUr/Tbp0g7kpRmxC98+/WQ8mkU:AfupUzTbmzpRtWzmL

Score
10/10
echelonspywarestealer

Malware Config

Signatures

  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5e7145dc17d160b41d36dbea524c3f0.exe
    "C:\Users\Admin\AppData\Local\Temp\a5e7145dc17d160b41d36dbea524c3f0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4008
    • C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1356
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1956
        3⤵
        • Program crash
        PID:4296
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1356 -ip 1356
    1⤵
      PID:4588

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1.exe
      Filesize

      1.0MB

      MD5

      dd3c11b27f04d8117c742743aee371fd

      SHA1

      1565d444ad28de48c4bf0ce25b07ef4651092621

      SHA256

      0ccd702f7d3bac8ad10a6690819e875dd7a1ba2a09e66b027f371e93a51bce49

      SHA512

      8ac46760ed0462a0e2765999b265eb6cd196ab1d7d38676d77f3ea5061d1a794d1f5e5f0d253c55bf539838e1a2764265fa16c4712fe91eeaac435a1a0046a5c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\2.exe
      Filesize

      7KB

      MD5

      3947b2cc3f68a712d431b5c2a2c2ee4d

      SHA1

      db0443ba8a6d5839e93bf59f3eed0e69c545df3b

      SHA256

      abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262

      SHA512

      f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991

      Download Submit
    • C:\Users\Admin\AppData\Local\VuRuuwTJXFZTVDBT078BFBFF000306D21822155167\67078BFBFF000306D218221551VuRuuwTJXFZTVDBT\Browsers\Passwords\Passwords_Edge.txt
      Filesize

      426B

      MD5

      42fa959509b3ed7c94c0cf3728b03f6d

      SHA1

      661292176640beb0b38dc9e7a462518eb592d27d

      SHA256

      870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

      SHA512

      7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

      Download Submit
    • C:\Users\Admin\AppData\Local\VuRuuwTJXFZTVDBT078BFBFF000306D21822155167\67078BFBFF000306D218221551VuRuuwTJXFZTVDBT\Grabber\DebugWatch.doc
      Filesize

      903KB

      MD5

      32b5c884fe7d9f9bca4a3a9a4e7bd890

      SHA1

      198434163f01c5726342d4eb30d260bab8f74bc9

      SHA256

      2d409cbdeeb841c33f408c7667585fa212fc22cbf0a07483a172ad6f5f416a2c

      SHA512

      512c910191cff5400b43ebba29ced7b53454c12b9b4e613534db6363b62968d417f72dc41205beffae831c9245a5b01a469e5e8fa7a5bbf1d02232ff2da9d057

      Download Submit
    • C:\Users\Admin\AppData\Local\VuRuuwTJXFZTVDBT078BFBFF000306D21822155167\67078BFBFF000306D218221551VuRuuwTJXFZTVDBT\Grabber\ExportTrace.png
      Filesize

      311KB

      MD5

      f3fe675ac3ab3ce71a94d206ac5e1838

      SHA1

      354739b4be62625f7bf9c2f4a5bb9a02b6c7bdca

      SHA256

      9eb1fa01d2989f879ad81fba5fb9b5e315a24f21383e097cae8f2844421a1018

      SHA512

      e5fe07dd8035b6fdcb907ec4af4e332186485a81666f2937c8775694d5f1c6159fd81c826b8ced87576304d7061f07dbde777b2dc4c3f67482de58c325865c4e

      Download Submit
    • C:\Users\Admin\AppData\Local\VuRuuwTJXFZTVDBT078BFBFF000306D21822155167\67078BFBFF000306D218221551VuRuuwTJXFZTVDBT\Grabber\StartRequest.doc
      Filesize

      357KB

      MD5

      8999afa8c0d7ea98ad450cd49c47e24c

      SHA1

      3a34d09164ca5f9ae330df0f8e3c5efe255ca881

      SHA256

      1a1c0e293ee669267edf39424e7e181229408c72794fdaee1d2ce4ad7937db20

      SHA512

      053e1319bd6b707f21b82cf4826b8b6104e26a83be77149a2840f937029c393a50fb0fc12b344d1d775515cdeb98ac5b46b2755064554e663940a0680ff8c4d8

      Download Submit
    • memory/1356-75-0x0000000073BE0000-0x0000000074390000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1356-28-0x00000000049E0000-0x00000000049F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1356-26-0x0000000000050000-0x0000000000058000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1356-27-0x0000000073BE0000-0x0000000074390000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4008-29-0x0000022FE9100000-0x0000022FE9176000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4008-25-0x00007FFA6A900000-0x00007FFA6B3C1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4008-21-0x0000022FE6AC0000-0x0000022FE6BCA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4008-116-0x00007FFA6A900000-0x00007FFA6B3C1000-memory.dmp
      Filesize

      10.8MB

      Download