Analysis
-
max time kernel
150s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
03-06-2022 08:16
Static task
static1
Behavioral task
behavioral1
Sample
0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe
Resource
win7-20220414-en
General
-
Target
0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe
-
Size
1.5MB
-
MD5
a3556fe22b3cadaea5bad8d67b63e16a
-
SHA1
d8442ca998329eafbf7419a6126443195948d0ea
-
SHA256
0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4
-
SHA512
0cee4e20c9f57747f0436ca2bd2f7eec43fba27200c7d62c8303e0d248d87566df377568d68dd4ca7640a2f5a03702b7b4f17bd5984933fc926327889072c06c
Malware Config
Extracted
eternity
http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion
-
payload_urls
http://soapbeginshops.com/kingz.exe
http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/shared/telegram.exe
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 1116 GLTYDMDUST.exe -
Loads dropped DLL 1 IoCs
pid Process 1852 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1116 GLTYDMDUST.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1484 AcroRd32.exe 1484 AcroRd32.exe 1484 AcroRd32.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1852 wrote to memory of 1484 1852 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 28 PID 1852 wrote to memory of 1484 1852 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 28 PID 1852 wrote to memory of 1484 1852 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 28 PID 1852 wrote to memory of 1484 1852 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 28 PID 1852 wrote to memory of 1116 1852 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 29 PID 1852 wrote to memory of 1116 1852 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 29 PID 1852 wrote to memory of 1116 1852 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 29 PID 1852 wrote to memory of 1116 1852 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe"C:\Users\Admin\AppData\Local\Temp\0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.pdf"2⤵
- Suspicious use of SetWindowsHookEx
PID:1484
-
-
C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.exe"C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD56b2cc742a70103fb88177699844efe65
SHA1cf293bf98f40f75b3b3067cbc1949527bf80f107
SHA256ca69bdf49dcd67c38d04867609ee4bb0fd48589a4adba56323bb714e1a195947
SHA512f560eabb29d0c63a9d3cf4484e70825c4a1ed231e345d58bb10e59931b419f38ba38d76389eb515055ebea3e7eacdf58caf8d54a1e47a9d779ac4832759a1201
-
Filesize
1.3MB
MD56b2cc742a70103fb88177699844efe65
SHA1cf293bf98f40f75b3b3067cbc1949527bf80f107
SHA256ca69bdf49dcd67c38d04867609ee4bb0fd48589a4adba56323bb714e1a195947
SHA512f560eabb29d0c63a9d3cf4484e70825c4a1ed231e345d58bb10e59931b419f38ba38d76389eb515055ebea3e7eacdf58caf8d54a1e47a9d779ac4832759a1201
-
Filesize
1KB
MD5ca404bea65d84f58838af73b2dc67e02
SHA156ede3a3bf70705b1d42a2ae13f6605057c1e5f6
SHA2564a28c898df5967827c26fd633cd56275159ef4c4c0193e484e8e8f3e9ecc66b9
SHA51210c144317cdb5a368733346eb8440a986a377916f98be0e8232e668a8c5e107e06829adf575751b94d0b0aa37f4cac48dbd7bc64ffe8dcb140fb033c00cec721
-
Filesize
1.3MB
MD56b2cc742a70103fb88177699844efe65
SHA1cf293bf98f40f75b3b3067cbc1949527bf80f107
SHA256ca69bdf49dcd67c38d04867609ee4bb0fd48589a4adba56323bb714e1a195947
SHA512f560eabb29d0c63a9d3cf4484e70825c4a1ed231e345d58bb10e59931b419f38ba38d76389eb515055ebea3e7eacdf58caf8d54a1e47a9d779ac4832759a1201