eternity | 2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b

General

Target

2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exe
Size

4.8MB
MD5

a4aedc1d40075e21485309d70e5d44ab
SHA1

9e51b2231a97b7dfdb9535adc1af1cce3a39addd
SHA256

2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b
SHA512

24ada2b15ab73a44b222be5ffa0c5c9f841c368d9ae9f70984c03d0df98d12167e20299cfbe88ae337e9c416a97f19ab2ab2108ca83b55b3d24ddb75d20ecd24

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

C2

http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion

Attributes

payload_urls
http://soapbeginshops.com/kingz.exe

http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/shared/telegram.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

ntWjnFYe.exetmpAA25.tmp.exeBUFZSQPCOH.exe

pid process

1412 ntWjnFYe.exe
4392 tmpAA25.tmp.exe
1320 BUFZSQPCOH.exe

pid	process
1412	ntWjnFYe.exe
4392	tmpAA25.tmp.exe
1320	BUFZSQPCOH.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exentWjnFYe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	ntWjnFYe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tmpAA25.tmp.exe

description pid process target process

PID 4392 set thread context of 4700 4392 tmpAA25.tmp.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3456 4392 WerFault.exe tmpAA25.tmp.exe

description	pid	process	target process
PID 4392 set thread context of 4700	4392	tmpAA25.tmp.exe	AppLaunch.exe

pid	pid_target	process	target process
3456	4392	WerFault.exe	tmpAA25.tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

ntWjnFYe.exeBUFZSQPCOH.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	ntWjnFYe.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	BUFZSQPCOH.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
1468	AcroRd32.exe
4372	AdobeARM.exe
4372	AdobeARM.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BUFZSQPCOH.exe

description pid process

Token: SeDebugPrivilege 1320 BUFZSQPCOH.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid process

1468 AcroRd32.exe
1468 AcroRd32.exe
1468 AcroRd32.exe
1468 AcroRd32.exe
1468 AcroRd32.exe
4372 AdobeARM.exe
1468 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	1320	BUFZSQPCOH.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exentWjnFYe.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 5104 wrote to memory of 1412	5104	2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exe	ntWjnFYe.exe
PID 5104 wrote to memory of 1412	5104	2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exe	ntWjnFYe.exe
PID 5104 wrote to memory of 1412	5104	2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exe	ntWjnFYe.exe
PID 1412 wrote to memory of 1468	1412	ntWjnFYe.exe	AcroRd32.exe
PID 1412 wrote to memory of 1468	1412	ntWjnFYe.exe	AcroRd32.exe
PID 1412 wrote to memory of 1468	1412	ntWjnFYe.exe	AcroRd32.exe
PID 5104 wrote to memory of 4392	5104	2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exe	tmpAA25.tmp.exe
PID 5104 wrote to memory of 4392	5104	2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exe	tmpAA25.tmp.exe
PID 5104 wrote to memory of 4392	5104	2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exe	tmpAA25.tmp.exe
PID 1412 wrote to memory of 1320	1412	ntWjnFYe.exe	BUFZSQPCOH.exe
PID 1412 wrote to memory of 1320	1412	ntWjnFYe.exe	BUFZSQPCOH.exe
PID 1412 wrote to memory of 1320	1412	ntWjnFYe.exe	BUFZSQPCOH.exe
PID 1468 wrote to memory of 1072	1468	AcroRd32.exe	RdrCEF.exe
PID 1468 wrote to memory of 1072	1468	AcroRd32.exe	RdrCEF.exe
PID 1468 wrote to memory of 1072	1468	AcroRd32.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 1708	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 444	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 444	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 444	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 444	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 444	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 444	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 444	1072	RdrCEF.exe	RdrCEF.exe
PID 1072 wrote to memory of 444	1072	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exe
"C:\Users\Admin\AppData\Local\Temp\2c16c82871b06b7daf9e808b1a4b82acf95caa41dfbba2ca69ea5026cd446d4b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\ntWjnFYe.exe
  "C:\Users\Admin\AppData\Local\Temp\ntWjnFYe.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BUFZSQPCOH.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F98573E234ECB60C6DB25452B058E927 --mojo-platform-channel-handle=1704 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1708
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3BE89862C9501445739166A49EAB52D9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3BE89862C9501445739166A49EAB52D9 --renderer-client-id=2 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:444
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3197049001D981B636AA1D6C6F73C8E6 --mojo-platform-channel-handle=2272 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4888
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C3525F18F40FB9B3D693FA90FD7A4C43 --mojo-platform-channel-handle=1924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:5076
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=79B4BE1B5C673D93414037FD7E598722 --mojo-platform-channel-handle=1692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3552
  - - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4372
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
        5⤵
        
        PID:2212
- - C:\Users\Admin\AppData\Local\Temp\BUFZSQPCOH.exe
    "C:\Users\Admin\AppData\Local\Temp\BUFZSQPCOH.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\tmpAA25.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAA25.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 252
    3⤵
    - Program crash
    PID:3456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4392 -ip 4392
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BUFZSQPCOH.exe

Filesize
1.3MB

MD5
a5cb23b8b71b2eec6cf53c89a166d1ca

SHA1
954152dabcfebfd04143c97eb814ffdcf9f622da

SHA256
22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3

SHA512
6281739cce2da2ddafcc2167d9f56067ee2650411d17fb30765afec33bf052e7ddc3bca62fd7328e694a0f7c0c1f316ecdade1e07f15296a185b972acc81b030

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUFZSQPCOH.exe

Filesize
1.3MB

MD5
a5cb23b8b71b2eec6cf53c89a166d1ca

SHA1
954152dabcfebfd04143c97eb814ffdcf9f622da

SHA256
22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3

SHA512
6281739cce2da2ddafcc2167d9f56067ee2650411d17fb30765afec33bf052e7ddc3bca62fd7328e694a0f7c0c1f316ecdade1e07f15296a185b972acc81b030

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUFZSQPCOH.pdf

Filesize
1KB

MD5
def355b17d73c1495713c5488fce7339

SHA1
beca340e4f9d7795a83636020fcf688da88fa808

SHA256
471a7b08733f8b9e8ab162fe426b75361169906d3dd7564b28b19e4dba14f328

SHA512
e95418c8c9f1a763d004e2572ef9d4379878fdd9d222e4605d7a77ed6d86cc764b68b358a7dfa8ed82749b24ed97fcc81139694a031e9b85032af6cc1f973f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntWjnFYe.exe

Filesize
1.4MB

MD5
c368c9abbbaba9da3a8722b44c2deca5

SHA1
3b86f7afa8180b00b4f7e14f3fff1494065f62e9

SHA256
ecb3a885ffaf3e9974bb58aef94c44e736cd0673dcb0268dc85877a846b5c599

SHA512
dfbbd9edba4f462820dd592eda49c1d1b843f5e106721a17e45cdf704084bf7d8e9e756daf72e4b79510fbfb12bf2300028d51581aeb71dddc997c842d14ca00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntWjnFYe.exe

Filesize
1.4MB

MD5
c368c9abbbaba9da3a8722b44c2deca5

SHA1
3b86f7afa8180b00b4f7e14f3fff1494065f62e9

SHA256
ecb3a885ffaf3e9974bb58aef94c44e736cd0673dcb0268dc85877a846b5c599

SHA512
dfbbd9edba4f462820dd592eda49c1d1b843f5e106721a17e45cdf704084bf7d8e9e756daf72e4b79510fbfb12bf2300028d51581aeb71dddc997c842d14ca00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA25.tmp.exe

Filesize
3.4MB

MD5
e79ffcc3a1d0bfa117f04fda77b2bfec

SHA1
83aba440c3173f418c790b87c076503c16cd5c13

SHA256
9f97fdeaa2c81fac2afb2a94616144c0773b5bec316ebc114c8d134eccd84cdc

SHA512
31620de499863235bdfd50800d09af59b3c1e38be8c0674e3bde5b97881bd69c0760a002dc8e108ceec4e408c0d756a38a7f70735d25f3e9bb3fc2bd7ad44344

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA25.tmp.exe

Filesize
3.4MB

MD5
e79ffcc3a1d0bfa117f04fda77b2bfec

SHA1
83aba440c3173f418c790b87c076503c16cd5c13

SHA256
9f97fdeaa2c81fac2afb2a94616144c0773b5bec316ebc114c8d134eccd84cdc

SHA512
31620de499863235bdfd50800d09af59b3c1e38be8c0674e3bde5b97881bd69c0760a002dc8e108ceec4e408c0d756a38a7f70735d25f3e9bb3fc2bd7ad44344

Download Submit
memory/444-150-0x0000000000000000-mapping.dmp

Download
memory/1072-145-0x0000000000000000-mapping.dmp

Download
memory/1320-163-0x0000000006AD0000-0x0000000006B20000-memory.dmp

Filesize
320KB

Download
memory/1320-164-0x0000000007EF0000-0x0000000007F82000-memory.dmp

Filesize
584KB

Download
memory/1320-139-0x0000000000000000-mapping.dmp

Download
memory/1320-142-0x0000000000960000-0x0000000000ABA000-memory.dmp

Filesize
1.4MB

Download
memory/1320-144-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/1412-134-0x0000000000F10000-0x0000000001076000-memory.dmp

Filesize
1.4MB

Download
memory/1412-131-0x0000000000000000-mapping.dmp

Download
memory/1468-135-0x0000000000000000-mapping.dmp

Download
memory/1708-147-0x0000000000000000-mapping.dmp

Download
memory/2212-166-0x0000000000000000-mapping.dmp

Download
memory/3552-161-0x0000000000000000-mapping.dmp

Download
memory/4372-165-0x0000000000000000-mapping.dmp

Download
memory/4392-136-0x0000000000000000-mapping.dmp

Download
memory/4392-173-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/4700-167-0x0000000000000000-mapping.dmp

Download
memory/4700-168-0x0000000000700000-0x000000000085A000-memory.dmp

Filesize
1.4MB

Download
memory/4888-155-0x0000000000000000-mapping.dmp

Download
memory/5076-158-0x0000000000000000-mapping.dmp

Download
memory/5104-130-0x0000000000140000-0x0000000000610000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads