echelon | 67e68d1933e87f680f063203e7e243c33deba2dfdbcd2bb08e9205d3fff26fb8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2222-main/myporno.exe
Size

871KB
MD5

a5e7145dc17d160b41d36dbea524c3f0
SHA1

2ad6faea0f967df37e404d14a4c1ccca607a924e
SHA256

99dfe0c0529b4122889ac7023330f2749df048d0b11a91e92155d991e189f0d8
SHA512

672a08a7e62b1129cc2997dd77e1709e86281d89d6ab88d12e771120b7a7a15638b9e2e110d3f95cf04e319da31dedbac4727d8b67e2a2343c68d280967d83c9
SSDEEP

24576:GR1wvcupUr/Tbp0g7kpRmxC98+/WQ8mkU:AfupUzTbmzpRtWzmL

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

myporno.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation myporno.exe
Executes dropped EXE 2 IoCs

Processes:

1.exe2.exe

pid process

2584 1.exe
3388 2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

20 discord.com
21 discord.com
37 discord.com
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 wtfismyip.com
9 api.ipify.org
10 wtfismyip.com
11 api.ipify.org
25 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3008 3388 WerFault.exe 2.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

1.exe2.exe

pid process

2584 1.exe
2584 1.exe
3388 2.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2.exe1.exe

description pid process

Token: SeDebugPrivilege 3388 2.exe
Token: SeDebugPrivilege 2584 1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	myporno.exe

pid	process
2584	1.exe
3388	2.exe

flow	ioc
20	discord.com
21	discord.com
37	discord.com

flow	ioc
8	wtfismyip.com
9	api.ipify.org
10	wtfismyip.com
11	api.ipify.org
25	ip-api.com

pid	pid_target	process	target process
3008	3388	WerFault.exe	2.exe

pid	process
2584	1.exe
2584	1.exe
3388	2.exe

description	pid	process
Token: SeDebugPrivilege	3388	2.exe
Token: SeDebugPrivilege	2584	1.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

myporno.exe

description	pid	process	target process
PID 2016 wrote to memory of 2584	2016	myporno.exe	1.exe
PID 2016 wrote to memory of 2584	2016	myporno.exe	1.exe
PID 2016 wrote to memory of 3388	2016	myporno.exe	2.exe
PID 2016 wrote to memory of 3388	2016	myporno.exe	2.exe
PID 2016 wrote to memory of 3388	2016	myporno.exe	2.exe

C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1972
    3⤵
    - Program crash
    PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3388 -ip 3388
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
1.0MB

MD5
dd3c11b27f04d8117c742743aee371fd

SHA1
1565d444ad28de48c4bf0ce25b07ef4651092621

SHA256
0ccd702f7d3bac8ad10a6690819e875dd7a1ba2a09e66b027f371e93a51bce49

SHA512
8ac46760ed0462a0e2765999b265eb6cd196ab1d7d38676d77f3ea5061d1a794d1f5e5f0d253c55bf539838e1a2764265fa16c4712fe91eeaac435a1a0046a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
7KB

MD5
3947b2cc3f68a712d431b5c2a2c2ee4d

SHA1
db0443ba8a6d5839e93bf59f3eed0e69c545df3b

SHA256
abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262

SHA512
f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991

Download Submit
C:\Users\Admin\AppData\Roaming\BRHyLyHX078BFBFF000306D266EA2EA938\38078BFBFF000306D266EA2EA9BRHyLyHX\Browsers\Passwords\Passwords_Edge.txt

Filesize
292B

MD5
ae9fee87cd34e9026867a460c0afd595

SHA1
d5015017ca1463c434c7f438decfe4a26378d4f1

SHA256
2217079fde440a3e8f14398828561c86f9f4f80e6781dd7eef3be8bf0e36caa0

SHA512
9b59342c7ac9fc3f9818e2475a78f6827ba62da76f1312dbb4c28f7b23769785e79d61f1f494998194d714d69c6b62de07a3084542f15d51ca0259392280ff2d

Download Submit
C:\Users\Admin\AppData\Roaming\BRHyLyHX078BFBFF000306D266EA2EA938\38078BFBFF000306D266EA2EA9BRHyLyHX\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Roaming\BRHyLyHX078BFBFF000306D266EA2EA938\38078BFBFF000306D266EA2EA9BRHyLyHX\Grabber\OptimizeMeasure.png

Filesize
1.1MB

MD5
29d44ae25f763ee37677f4dfe23ad055

SHA1
a846f95870f660bdebbb2e3b940fcf9aeb0c8874

SHA256
83f1a5ef64b7af80a903563bc7314890beb10555d62943490c93395c0e60962b

SHA512
c1148d4d6c9c5c4beac7759e97534670b77741ac5294457a4fd415957a5a61014e035028ceb16cdc960fcf5b7db7a94abfd48937a7a6a82eede70776cac6810f

Download Submit
C:\Users\Admin\AppData\Roaming\BRHyLyHX078BFBFF000306D266EA2EA938\38078BFBFF000306D266EA2EA9BRHyLyHX\Grabber\SyncBackup.jpg

Filesize
448KB

MD5
d3104fc5f153880e58d379732ea2d9dc

SHA1
1fd4ed06efc2bd51b43954a9cd92c473724e6293

SHA256
74583d4bb2d0843bbb974e1360145a6ff7d695d480b75bcc7bed79e939028b8f

SHA512
6257268d9aaed21b91f13ce1e5c20cf0bd0cb1c1b1946efb2fa3439bcf7e974ae2cf2cfb5eac0655816536534f2be9c3e5973f1cd36d942fb21005be9da9a8b4

Download Submit
C:\Users\Admin\AppData\Roaming\BRHyLyHX078BFBFF000306D266EA2EA938\38078BFBFF000306D266EA2EA9BRHyLyHX\Grabber\UninstallOptimize.txt

Filesize
626KB

MD5
3c9ca95aed2a18c4ca454b59da376013

SHA1
ddd0225655bb91832b417f408de89a2f608f68a7

SHA256
d6dffc590ac2242114441db1b5b415889f1b085f14719a296c342fdf92f87b67

SHA512
0935f7f978341ebe8d32ebc450c1fe3f67859d6b060c0294676a327d44cecb8f04ecbfe4401e6242630da818ab314bd50849df836a1aee2dee458b59984e7f70

Download Submit
memory/2584-30-0x00000255EA090000-0x00000255EA106000-memory.dmp

Filesize
472KB

Download
memory/2584-29-0x00000255E7FF0000-0x00000255E8000000-memory.dmp

Filesize
64KB

Download
memory/2584-25-0x00007FFCA5FF0000-0x00007FFCA6AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2584-24-0x00000255E7B10000-0x00000255E7C1A000-memory.dmp

Filesize
1.0MB

Download
memory/2584-106-0x00007FFCA5FF0000-0x00007FFCA6AB1000-memory.dmp

Filesize
10.8MB

Download
memory/2584-107-0x00000255E7FF0000-0x00000255E8000000-memory.dmp

Filesize
64KB

Download
memory/2584-119-0x00007FFCA5FF0000-0x00007FFCA6AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-28-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3388-78-0x00000000753D0000-0x0000000075B80000-memory.dmp

Filesize
7.7MB

Download
memory/3388-27-0x00000000753D0000-0x0000000075B80000-memory.dmp

Filesize
7.7MB

Download
memory/3388-26-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download