echelon | b7291b4d5bdaaffe9f29598bcf3dd822cee39b18d485d2071ee2ae41b9ccdfb2

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd4a896224f9dcda6f0244bae4ef9abf.exe
Size

581KB
MD5

cd4a896224f9dcda6f0244bae4ef9abf
SHA1

d362ab6e88e94c7a4200206f5d74c68eabc9dd07
SHA256

b7291b4d5bdaaffe9f29598bcf3dd822cee39b18d485d2071ee2ae41b9ccdfb2
SHA512

438f7ccb8b347c4928e1727b0800351b79308ee912272f85e0ec0c49c860216d102a06dd961044117f253cada879773bc9b76fdbf5b975a6af2238559d3a7f0d
SSDEEP

12288:wcQ6CmvZLJLUf9snBS4csPYae6qfzRAA:k6xvhhUF54clNf7RB

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp	family_echelon
behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many VPN software clients. Observed in infosteslers 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_VPN
behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_VPN

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables using Telegram Chat Bot 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral1/memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
3 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cd4a896224f9dcda6f0244bae4ef9abf.exe

description pid process

Token: SeDebugPrivilege 2980 cd4a896224f9dcda6f0244bae4ef9abf.exe

flow	ioc
2	api.ipify.org
3	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	2980	cd4a896224f9dcda6f0244bae4ef9abf.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cd4a896224f9dcda6f0244bae4ef9abf.exe

description	pid	process	target process
PID 2980 wrote to memory of 2664	2980	cd4a896224f9dcda6f0244bae4ef9abf.exe	WerFault.exe
PID 2980 wrote to memory of 2664	2980	cd4a896224f9dcda6f0244bae4ef9abf.exe	WerFault.exe
PID 2980 wrote to memory of 2664	2980	cd4a896224f9dcda6f0244bae4ef9abf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\cd4a896224f9dcda6f0244bae4ef9abf.exe
"C:\Users\Admin\AppData\Local\Temp\cd4a896224f9dcda6f0244bae4ef9abf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2980 -s 1176
2⤵
PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2980-0-0x0000000000DA0000-0x0000000000E38000-memory.dmp

Filesize
608KB

Download
memory/2980-1-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-2-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2980-3-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download