Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-06-2022 08:10

General

  • Target

    (Purchase Order)file via WeTransfer.js

  • Size

    1.2MB

  • MD5

    3279c93768fd176dfb0c7f471cfa848d

  • SHA1

    87f5e39995bfe638dcf219522402840154ff931a

  • SHA256

    121a8f68757adfa85c29dd26855049451df01724a67946e35915099bbdd494b2

  • SHA512

    f016075eba8419540a071d68f99a01c9c9fda5e73344f4b7662fb60b6a60303d1cee25c90056e5445d3c4ebc5d22ff37af8a7b6badc02563189cd8001f8ae160

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Signatures

  • Detects Eternity stealer 3 IoCs
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • suricata: ET MALWARE ZHtrap CnC Checkin
  • suricata: ET MALWARE ZHtrap CnC Response - Connection Successfully Established

  • Blocklisted process makes network request 16 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\(Purchase Order)file via WeTransfer.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZugdvnxZyL.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:976
    • C:\Users\Admin\AppData\Local\Temp\oyi.exe
      "C:\Users\Admin\AppData\Local\Temp\oyi.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1996
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:3408
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          4⤵
          PID:2688
        • C:\Windows\system32\findstr.exe
          findstr All
          4⤵
          PID:2712
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3136
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:4552
        • C:\Windows\system32\findstr.exe
          findstr Key
          4⤵
          PID:3888
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile name="65001" key=clear
          4⤵
          PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (1) T1112
  • Credential Access: Credentials in Files (1) T1081
  • Discovery: Query Registry (2) T1012
  • Discovery: System Information Discovery (3) T1082
  • Collection: Data from Local System (1) T1005
  • Collection: Email Collection (1) T1114
  • Command and Control: Web Service (1) T1102

Downloads

  • C:\Users\Admin\AppData\Local\Temp\oyi.exe
    Filesize 687KB
    MD5 5ad0ad2fd8fcc503ee6121077d34b24c
    SHA1 5c7a2ef931536f3fc8fd48fb923ff136ec01ddb9
    SHA256 3ed47430eb737fe96b7ed9e51380945c358a088ef6e2b734a684fc9dd03c3b31
    SHA512 3a2ddf86c74e9dcf08868f768afd9e3919ec52c3fc4f5e43d6f1557e29c5bd404ec5ced89f26e52e50d3f041d775201169771c2bece0b03fcf6fac024d580ff2

  • C:\Users\Admin\AppData\Roaming\ZugdvnxZyL.js
    Filesize 5KB
    MD5 816bb7e63eed97f1d9900db23d679d03
    SHA1 98475f63b282c7d6a559e7f03dcece6dcf98a52b
    SHA256 c09c5176efd020c17d5c3b8e5a406f3cc396b3bcbdc1bf2615283d0a3b65fc70
    SHA512 7b739060cdcdb4f09a67b0923f2aa69e6209e44ce344828fa296b20b20fcf25104226d08a584be436f00c06504f970fc705743e939c9c9d9da1b2e0ea4c47e02

  • memory/976-130-0x0000000000000000-mapping.dmp
  • memory/1312-144-0x0000000000000000-mapping.dmp
  • memory/1996-135-0x00000197B9960000-0x00000197B9A12000-memory.dmp
    Filesize 712KB
  • memory/1996-132-0x0000000000000000-mapping.dmp
  • memory/1996-136-0x00007FFC6B440000-0x00007FFC6BF01000-memory.dmp
    Filesize 10.8MB
  • memory/1996-137-0x00000197D5990000-0x00000197D59E0000-memory.dmp
    Filesize 320KB
  • memory/1996-147-0x00007FFC6B440000-0x00007FFC6BF01000-memory.dmp
    Filesize 10.8MB
  • memory/1996-146-0x00007FFC6B440000-0x00007FFC6BF01000-memory.dmp
    Filesize 10.8MB
  • memory/2184-138-0x0000000000000000-mapping.dmp
  • memory/2688-140-0x0000000000000000-mapping.dmp
  • memory/2712-141-0x0000000000000000-mapping.dmp
  • memory/3136-142-0x0000000000000000-mapping.dmp
  • memory/3408-139-0x0000000000000000-mapping.dmp
  • memory/3888-145-0x0000000000000000-mapping.dmp
  • memory/4552-143-0x0000000000000000-mapping.dmp