Analysis

  • max time kernel
    42s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-05-2022 11:13

General

  • Target

    01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe

  • Size

    1.6MB

  • MD5

    51f680c87f810a25cb8d9f4a217156b6

  • SHA1

    a9cd1c857692aa49dfa9fc93cde2204002326d31

  • SHA256

    01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6

  • SHA512

    f7a723641bb65eb4763784da1c2c36d9b0ae07cc7241eb9ef816e20308cfbd1ee77780503768d5784f90a1bc387c09271ccf98fbee0bc8fec2ac9c5b20563c7d

Malware Config

Signatures

  • Detects Eternity stealer 1 IoCs
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • suricata: ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)
  • suricata: ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)
  • suricata: ET MALWARE Win32/Eternity Stealer Activity (POST)
  • suricata: ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)
  • suricata: ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe
    "C:\Users\Admin\AppData\Local\Temp\01084efc7da9b5f5aaa6e109ac5ea39756687c9334df85f757c89149d30a79b6.exe"
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\3vo1xfbv.ca4\SmotaProxy_v1.1.exe
      "C:\Users\Admin\AppData\Local\Temp\3vo1xfbv.ca4\SmotaProxy_v1.1.exe"
      • Drops file in Drivers directory
      • Executes dropped EXE
      PID:2044
    • C:\Users\Admin\AppData\Local\Temp\dcd.exe
      "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
      • Executes dropped EXE
      PID:268
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1668 -s 1888
      • Program crash
      PID:568

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Install Root Certificate (T1130): 1
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\3vo1xfbv.ca4\SmotaProxy_v1.1.exe
    Filesize

    367KB

    MD5

    c305f6bfc6eb098e6831479181e01dc4

    SHA1

    74afedfd0f083d237a6a22470515adf8b50c089d

    SHA256

    40fc3e9e4e2b3f191e11de34dd6b135b7ef0da85b35b206a90f12fed240d71e7

    SHA512

    64634d629816ab39f9c08daea3da296e6fcee4b24210f70e05aa44586b19ce445758bb43e470567fc7d691c0dd202b1804e8524fe7a27ec62cca1fd0f91baf19

  • C:\Users\Admin\AppData\Local\Temp\dcd.exe
    Filesize

    227KB

    MD5

    b5ac46e446cead89892628f30a253a06

    SHA1

    f4ad1044a7f77a1b02155c3a355a1bb4177076ca

    SHA256

    def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

    SHA512

    bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

  • memory/268-60-0x0000000000000000-mapping.dmp
  • memory/568-62-0x0000000000000000-mapping.dmp
  • memory/1668-54-0x0000000000A80000-0x0000000000C1C000-memory.dmp
    Filesize

    1.6MB

  • memory/1668-55-0x000000001AD30000-0x000000001ADCA000-memory.dmp
    Filesize

    616KB

  • memory/1668-56-0x000000001B166000-0x000000001B185000-memory.dmp
    Filesize

    124KB

  • memory/2044-58-0x0000000000000000-mapping.dmp