echelon | 13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313

General

Target

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
Size

1.8MB
MD5

033c1ee70bcc0d569f4a8077f0cbfe38
SHA1

34e498158fa012052d4785a8de59159b6a0e4649
SHA256

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313
SHA512

36fe82804eaf16f9e669abb895b0a2687db98c42da78f805ab053e518c17211a3a4f305c4f8ec296525f2cbd4e76b028a1aed7a4b304e128439a3343228948b2
SSDEEP

24576:v2G/nvxW3WwXdptGjLB46VvbuhZUTd8hhUF54clNf7+6uHAW92zt/sWu2BSMCqD7:vbA3Zz+bKo54clgLH+tkWJ0N8X

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe	family_echelon
behavioral1/memory/2652-18-0x0000000000970000-0x0000000000ABC000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Executes dropped EXE 2 IoCs

Processes:

Chrome_Upgrader.exeDecoder.exe

pid process

2652 Chrome_Upgrader.exe
2572 Decoder.exe

pid	process
2652	Chrome_Upgrader.exe
2572	Decoder.exe

Loads dropped DLL 4 IoCs

Processes:

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe

pid	process
1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
3 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2480 timeout.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2640 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Chrome_Upgrader.exe

description pid process

Token: SeDebugPrivilege 2652 Chrome_Upgrader.exe

flow	ioc
2	api.ipify.org
3	api.ipify.org

pid	process
2480	timeout.exe

pid	process
2640	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	2652	Chrome_Upgrader.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exeChrome_Upgrader.execmd.exe

description	pid	process	target process
PID 1748 wrote to memory of 2652	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	Chrome_Upgrader.exe
PID 1748 wrote to memory of 2652	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	Chrome_Upgrader.exe
PID 1748 wrote to memory of 2652	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	Chrome_Upgrader.exe
PID 1748 wrote to memory of 2652	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	Chrome_Upgrader.exe
PID 1748 wrote to memory of 2640	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	NOTEPAD.EXE
PID 1748 wrote to memory of 2640	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	NOTEPAD.EXE
PID 1748 wrote to memory of 2640	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	NOTEPAD.EXE
PID 1748 wrote to memory of 2640	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	NOTEPAD.EXE
PID 2652 wrote to memory of 2572	2652	Chrome_Upgrader.exe	Decoder.exe
PID 2652 wrote to memory of 2572	2652	Chrome_Upgrader.exe	Decoder.exe
PID 2652 wrote to memory of 2572	2652	Chrome_Upgrader.exe	Decoder.exe
PID 2652 wrote to memory of 2572	2652	Chrome_Upgrader.exe	Decoder.exe
PID 2652 wrote to memory of 2256	2652	Chrome_Upgrader.exe	cmd.exe
PID 2652 wrote to memory of 2256	2652	Chrome_Upgrader.exe	cmd.exe
PID 2652 wrote to memory of 2256	2652	Chrome_Upgrader.exe	cmd.exe
PID 2256 wrote to memory of 2480	2256	cmd.exe	timeout.exe
PID 2256 wrote to memory of 2480	2256	cmd.exe	timeout.exe
PID 2256 wrote to memory of 2480	2256	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
"C:\Users\Admin\AppData\Local\Temp\13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
3⤵
- Executes dropped EXE
PID:2572

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
3⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:2480

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Password777.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
Filesize
270KB

MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
Filesize
85B

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Password777.txt
Filesize
38KB

MD5
b4b213406d0eebb49d70ff2aa29f8d80

SHA1
99e8ba13fae256c6e78edfcb2f4bab87be0bdcb3

SHA256
671acef36a92efcb11d71ca131f43c3c41e487870771824a359737a612a0df92

SHA512
f85154667d42184351aa937d8ce55b65890b12c0ddca66da946bd4fbcac71304e010de1b9413029f6b98fa9bb2096487e951a2de1cfaffe7fcb109be5fb9774f

Download Submit
\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe
Filesize
1.3MB

MD5
49498c84fafd5252dca843e3d77cd4c2

SHA1
b4d5096eaa7de8810c238a3777f364b61aaf9144

SHA256
6b6bf285342ba740f4d2e7d4b42bd788f3bb681022d99a048594432b577623b2

SHA512
efcef3c285378bc3c3e369ff33f1e82b1522a8594bd7ae2563079bd15cf4c6d3e59b0ee9b9c622f8c406f4cea7d0037f5014f8aba97c754ace122a4e175c0832

Download Submit
memory/2572-34-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/2572-33-0x0000000000EE0000-0x0000000000F2A000-memory.dmp

Filesize
296KB

Download
memory/2572-35-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-18-0x0000000000970000-0x0000000000ABC000-memory.dmp

Filesize
1.3MB

Download
memory/2652-19-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-20-0x000000001AAA0000-0x000000001AB20000-memory.dmp

Filesize
512KB

Download
memory/2652-21-0x00000000008D0000-0x0000000000946000-memory.dmp

Filesize
472KB

Download
memory/2652-32-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads