Analysis
-
max time kernel
110s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
03-06-2022 08:16
Static task
static1
Behavioral task
behavioral1
Sample
0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe
Resource
win7-20220414-en
General
-
Target
0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe
-
Size
1.5MB
-
MD5
a3556fe22b3cadaea5bad8d67b63e16a
-
SHA1
d8442ca998329eafbf7419a6126443195948d0ea
-
SHA256
0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4
-
SHA512
0cee4e20c9f57747f0436ca2bd2f7eec43fba27200c7d62c8303e0d248d87566df377568d68dd4ca7640a2f5a03702b7b4f17bd5984933fc926327889072c06c
Malware Config
Extracted
eternity
http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion
-
payload_urls
http://soapbeginshops.com/kingz.exe
http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/shared/telegram.exe
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 5012 GLTYDMDUST.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings GLTYDMDUST.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4644 AdobeARM.exe 4644 AdobeARM.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5012 GLTYDMDUST.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4164 AcroRd32.exe 4644 AdobeARM.exe 4164 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4976 wrote to memory of 4164 4976 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 79 PID 4976 wrote to memory of 4164 4976 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 79 PID 4976 wrote to memory of 4164 4976 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 79 PID 4976 wrote to memory of 5012 4976 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 80 PID 4976 wrote to memory of 5012 4976 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 80 PID 4976 wrote to memory of 5012 4976 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe 80 PID 4164 wrote to memory of 3028 4164 AcroRd32.exe 84 PID 4164 wrote to memory of 3028 4164 AcroRd32.exe 84 PID 4164 wrote to memory of 3028 4164 AcroRd32.exe 84 PID 4164 wrote to memory of 2244 4164 AcroRd32.exe 87 PID 4164 wrote to memory of 2244 4164 AcroRd32.exe 87 PID 4164 wrote to memory of 2244 4164 AcroRd32.exe 87 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 3956 3028 RdrCEF.exe 90 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91 PID 3028 wrote to memory of 776 3028 RdrCEF.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe"C:\Users\Admin\AppData\Local\Temp\0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.pdf"2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=97F60984C29514FD9559AB121D42291F --mojo-platform-channel-handle=1604 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:3956
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5056A0FA6ED5B2ABE99410DC8013B9A9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5056A0FA6ED5B2ABE99410DC8013B9A9 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:14⤵PID:776
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D164C7225E280EDE7D97BCB47BC38000 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:1384
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4BFA55FA55E2D5F90E3545AA38D4444E --mojo-platform-channel-handle=1892 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:1600
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C3B4DE4C2C427425EE4EE343DD97E29C --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:2012
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵PID:2244
-
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:33⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4644 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"4⤵PID:4964
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.exe"C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1920
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4800
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD56b2cc742a70103fb88177699844efe65
SHA1cf293bf98f40f75b3b3067cbc1949527bf80f107
SHA256ca69bdf49dcd67c38d04867609ee4bb0fd48589a4adba56323bb714e1a195947
SHA512f560eabb29d0c63a9d3cf4484e70825c4a1ed231e345d58bb10e59931b419f38ba38d76389eb515055ebea3e7eacdf58caf8d54a1e47a9d779ac4832759a1201
-
Filesize
1.3MB
MD56b2cc742a70103fb88177699844efe65
SHA1cf293bf98f40f75b3b3067cbc1949527bf80f107
SHA256ca69bdf49dcd67c38d04867609ee4bb0fd48589a4adba56323bb714e1a195947
SHA512f560eabb29d0c63a9d3cf4484e70825c4a1ed231e345d58bb10e59931b419f38ba38d76389eb515055ebea3e7eacdf58caf8d54a1e47a9d779ac4832759a1201
-
Filesize
1KB
MD5ca404bea65d84f58838af73b2dc67e02
SHA156ede3a3bf70705b1d42a2ae13f6605057c1e5f6
SHA2564a28c898df5967827c26fd633cd56275159ef4c4c0193e484e8e8f3e9ecc66b9
SHA51210c144317cdb5a368733346eb8440a986a377916f98be0e8232e668a8c5e107e06829adf575751b94d0b0aa37f4cac48dbd7bc64ffe8dcb140fb033c00cec721