echelon | 13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
Size

1.8MB
MD5

033c1ee70bcc0d569f4a8077f0cbfe38
SHA1

34e498158fa012052d4785a8de59159b6a0e4649
SHA256

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313
SHA512

36fe82804eaf16f9e669abb895b0a2687db98c42da78f805ab053e518c17211a3a4f305c4f8ec296525f2cbd4e76b028a1aed7a4b304e128439a3343228948b2
SSDEEP

24576:v2G/nvxW3WwXdptGjLB46VvbuhZUTd8hhUF54clNf7+6uHAW92zt/sWu2BSMCqD7:vbA3Zz+bKo54clgLH+tkWJ0N8X

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe	family_echelon
C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe	family_echelon
C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe	family_echelon
behavioral2/memory/3084-15-0x0000000000BD0000-0x0000000000D1C000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exeChrome_Upgrader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Chrome_Upgrader.exe

Executes dropped EXE 2 IoCs

Processes:

Chrome_Upgrader.exeDecoder.exe

pid process

3084 Chrome_Upgrader.exe
3332 Decoder.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 api.ipify.org
20 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1288 timeout.exe

pid	process
3084	Chrome_Upgrader.exe
3332	Decoder.exe

flow	ioc
19	api.ipify.org
20	api.ipify.org

pid	process
1288	timeout.exe

Modifies registry class 1 IoCs

Processes:

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4920 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Chrome_Upgrader.exe

pid process

3084 Chrome_Upgrader.exe
3084 Chrome_Upgrader.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Chrome_Upgrader.exe

description pid process

Token: SeDebugPrivilege 3084 Chrome_Upgrader.exe

pid	process
4920	NOTEPAD.EXE

pid	process
3084	Chrome_Upgrader.exe
3084	Chrome_Upgrader.exe

description	pid	process
Token: SeDebugPrivilege	3084	Chrome_Upgrader.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exeChrome_Upgrader.execmd.exe

description	pid	process	target process
PID 2820 wrote to memory of 3084	2820	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	Chrome_Upgrader.exe
PID 2820 wrote to memory of 3084	2820	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	Chrome_Upgrader.exe
PID 2820 wrote to memory of 4920	2820	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	NOTEPAD.EXE
PID 2820 wrote to memory of 4920	2820	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	NOTEPAD.EXE
PID 2820 wrote to memory of 4920	2820	13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe	NOTEPAD.EXE
PID 3084 wrote to memory of 3332	3084	Chrome_Upgrader.exe	Decoder.exe
PID 3084 wrote to memory of 3332	3084	Chrome_Upgrader.exe	Decoder.exe
PID 3084 wrote to memory of 3332	3084	Chrome_Upgrader.exe	Decoder.exe
PID 3084 wrote to memory of 4092	3084	Chrome_Upgrader.exe	cmd.exe
PID 3084 wrote to memory of 4092	3084	Chrome_Upgrader.exe	cmd.exe
PID 4092 wrote to memory of 1288	4092	cmd.exe	timeout.exe
PID 4092 wrote to memory of 1288	4092	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe
"C:\Users\Admin\AppData\Local\Temp\13ef7e3685c4a648b92825ff7bde600e7c2efa2aff0699c8f4cbd06b5225f313.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\ProgramData\Decoder.exe
    "C:\ProgramData\Decoder.exe"
    3⤵
    - Executes dropped EXE
    PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\system32\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1288
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Password777.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

Filesize
270KB

MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
85B

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe

Filesize
576KB

MD5
20866f28d555856a5e0cc579382117db

SHA1
7db29883fc8c695f31a9b702d66323b8d727582f

SHA256
711ca20c427b005c242ebe892d69553b77dca5335a8ed26fc05103f053839b27

SHA512
8b7cf5dd1e43292d0208853faf5c5aef36306cabda0eb4be422e9010ea6641001b6fc0454db2361467d6131036144791451ff101911817574c0830a8d0e77298

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe

Filesize
182KB

MD5
f24789823e4187265942cc4eb428428f

SHA1
9e42114cefaca3a9729fd44ed0eedaeb707e6921

SHA256
2889c81ac8410182a54c81a7f06834295ffe09f4481b7ab0bb16c9a3340bdb8a

SHA512
21d10b3ca9aefe378a2decdfe42bf583918594b9f0d7d2c4d9b11243c41126bd1e0c20e074f019a60a9477a693b7ca277ad19f90460361cb1e2ed894a7b43645

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome_Upgrader.exe

Filesize
1.3MB

MD5
49498c84fafd5252dca843e3d77cd4c2

SHA1
b4d5096eaa7de8810c238a3777f364b61aaf9144

SHA256
6b6bf285342ba740f4d2e7d4b42bd788f3bb681022d99a048594432b577623b2

SHA512
efcef3c285378bc3c3e369ff33f1e82b1522a8594bd7ae2563079bd15cf4c6d3e59b0ee9b9c622f8c406f4cea7d0037f5014f8aba97c754ace122a4e175c0832

Download Submit
C:\Users\Admin\AppData\Local\Temp\Password777.txt

Filesize
38KB

MD5
b4b213406d0eebb49d70ff2aa29f8d80

SHA1
99e8ba13fae256c6e78edfcb2f4bab87be0bdcb3

SHA256
671acef36a92efcb11d71ca131f43c3c41e487870771824a359737a612a0df92

SHA512
f85154667d42184351aa937d8ce55b65890b12c0ddca66da946bd4fbcac71304e010de1b9413029f6b98fa9bb2096487e951a2de1cfaffe7fcb109be5fb9774f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yRyTFJRRyVXu078BFBFF000306D288B0459653\53078BFBFF000306D288B04596yRyTFJRRyVXu\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\Temp\yRyTFJRRyVXu078BFBFF000306D288B0459653\53078BFBFF000306D288B04596yRyTFJRRyVXu\Grabber\CompressMount.txt

Filesize
483KB

MD5
b3472df77edfa1d1887b3d82246db374

SHA1
e66f0a45aa804c10a3227f7e1a4b931d80dda2d3

SHA256
37c9ebf4e12a6d6003ecedd13e77edcbd1d10691ebf3624ac83c19a8d44be141

SHA512
d1de7337a3ff662719384d104b4e051a1229582b2279dc2915a1bdcc8a74d9e87bd1efecceea5d0fc9118e07137847ad8d678bbc7f24263f419fd6c5754bbac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yRyTFJRRyVXu078BFBFF000306D288B0459653\53078BFBFF000306D288B04596yRyTFJRRyVXu\Grabber\FindExport.cfg

Filesize
827KB

MD5
dc8b8bf6ca6c4f8929502871d6729980

SHA1
f21397bf52dadeeda3d61dacf363eb30cabc78ac

SHA256
714385cba6db0ab6030ca2b049d7748792eab55f063903abb3a67e75cb535015

SHA512
2f9c76fa220501021246945b094153dc48ffdc4f4fe7d4db28092d6d29bba0df953d929ba18b516f2bc67f28c9b41aae1bf4635a669ecb05c01b2c04d9e85168

Download Submit
memory/3084-19-0x000000001B930000-0x000000001B9A6000-memory.dmp

Filesize
472KB

Download
memory/3084-18-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

Filesize
64KB

Download
memory/3084-89-0x00007FFDFB3B0000-0x00007FFDFBE71000-memory.dmp

Filesize
10.8MB

Download
memory/3084-16-0x00007FFDFB3B0000-0x00007FFDFBE71000-memory.dmp

Filesize
10.8MB

Download
memory/3084-15-0x0000000000BD0000-0x0000000000D1C000-memory.dmp

Filesize
1.3MB

Download
memory/3084-115-0x00007FFDFB3B0000-0x00007FFDFBE71000-memory.dmp

Filesize
10.8MB

Download
memory/3332-116-0x0000000072750000-0x0000000072F00000-memory.dmp

Filesize
7.7MB

Download
memory/3332-117-0x00000000009C0000-0x0000000000A0A000-memory.dmp

Filesize
296KB

Download
memory/3332-119-0x0000000072750000-0x0000000072F00000-memory.dmp

Filesize
7.7MB

Download