echelon | 13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313

General

Target

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
Size

1.8MB
MD5

033c1ee70bcc0d569f4a8077f0cbfe38
SHA1

34e498158fa012052d4785a8de59159b6a0e4649
SHA256

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313
SHA512

36fe82804eaf16f9e669abb895b0a2687db98c42da78f805ab053e518c17211a3a4f305c4f8ec296525f2cbd4e76b028a1aed7a4b304e128439a3343228948b2
SSDEEP

24576:v2G/nvxW3WwXdptGjLB46VvbuhZUTd8hhUF54clNf7+6uHAW92zt/sWu2BSMCqD7:vbA3Zz+bKo54clgLH+tkWJ0N8X

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000b000000012244-5.dat	family_echelon
behavioral1/memory/2652-18-0x0000000000970000-0x0000000000ABC000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Executes dropped EXE 2 IoCs

Processes:

Chrome_Upgrader.exeDecoder.exe

pid	Process
2652	Chrome_Upgrader.exe
2572	Decoder.exe

Loads dropped DLL 4 IoCs

Processes:

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe

pid	Process
1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	api.ipify.org
3	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2480	timeout.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2640	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Chrome_Upgrader.exe

description	pid	Process
Token: SeDebugPrivilege	2652	Chrome_Upgrader.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exeChrome_Upgrader.execmd.exe

description	pid	Process	procid_target
PID 1748 wrote to memory of 2652	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	28
PID 1748 wrote to memory of 2652	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	28
PID 1748 wrote to memory of 2652	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	28
PID 1748 wrote to memory of 2652	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	28
PID 1748 wrote to memory of 2640	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	29
PID 1748 wrote to memory of 2640	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	29
PID 1748 wrote to memory of 2640	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	29
PID 1748 wrote to memory of 2640	1748	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	29
PID 2652 wrote to memory of 2572	2652	Chrome_Upgrader.exe	31
PID 2652 wrote to memory of 2572	2652	Chrome_Upgrader.exe	31
PID 2652 wrote to memory of 2572	2652	Chrome_Upgrader.exe	31
PID 2652 wrote to memory of 2572	2652	Chrome_Upgrader.exe	31
PID 2652 wrote to memory of 2256	2652	Chrome_Upgrader.exe	32
PID 2652 wrote to memory of 2256	2652	Chrome_Upgrader.exe	32
PID 2652 wrote to memory of 2256	2652	Chrome_Upgrader.exe	32
PID 2256 wrote to memory of 2480	2256	cmd.exe	34
PID 2256 wrote to memory of 2480	2256	cmd.exe	34
PID 2256 wrote to memory of 2480	2256	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
"C:\Users\Admin\AppData\Local\Temp\13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\ProgramData\Decoder.exe
    "C:\ProgramData\Decoder.exe"
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\system32\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:2480
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Password777.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

Filesize
270KB

MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
85B

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Password777.txt

Filesize
38KB

MD5
b4b213406d0eebb49d70ff2aa29f8d80

SHA1
99e8ba13fae256c6e78edfcb2f4bab87be0bdcb3

SHA256
671acef36a92efcb11d71ca131f43c3c41e487870771824a359737a612a0df92

SHA512
f85154667d42184351aa937d8ce55b65890b12c0ddca66da946bd4fbcac71304e010de1b9413029f6b98fa9bb2096487e951a2de1cfaffe7fcb109be5fb9774f

Download Submit
\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe

Filesize
1.3MB

MD5
49498c84fafd5252dca843e3d77cd4c2

SHA1
b4d5096eaa7de8810c238a3777f364b61aaf9144

SHA256
6b6bf285342ba740f4d2e7d4b42bd788f3bb681022d99a048594432b577623b2

SHA512
efcef3c285378bc3c3e369ff33f1e82b1522a8594bd7ae2563079bd15cf4c6d3e59b0ee9b9c622f8c406f4cea7d0037f5014f8aba97c754ace122a4e175c0832

Download Submit
memory/2572-34-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/2572-33-0x0000000000EE0000-0x0000000000F2A000-memory.dmp

Filesize
296KB

Download
memory/2572-35-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-18-0x0000000000970000-0x0000000000ABC000-memory.dmp

Filesize
1.3MB

Download
memory/2652-19-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-20-0x000000001AAA0000-0x000000001AB20000-memory.dmp

Filesize
512KB

Download
memory/2652-21-0x00000000008D0000-0x0000000000946000-memory.dmp

Filesize
472KB

Download
memory/2652-32-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads