Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-06-2022 08:10
Static task: static1
Behavioral task: behavioral1
- Sample: (Purchase Order)file via WeTransfer.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: (Purchase Order)file via WeTransfer.js
- Resource: win10v2004-20220414-en
General
- Target: (Purchase Order)file via WeTransfer.js
- Size: 1.2MB
- MD5: 3279c93768fd176dfb0c7f471cfa848d
- SHA1: 87f5e39995bfe638dcf219522402840154ff931a
- SHA256: 121a8f68757adfa85c29dd26855049451df01724a67946e35915099bbdd494b2
- SHA512: f016075eba8419540a071d68f99a01c9c9fda5e73344f4b7662fb60b6a60303d1cee25c90056e5445d3c4ebc5d22ff37af8a7b6badc02563189cd8001f8ae160
Malware Config
- Extracted family: eternity
- Extracted URL: http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Signatures
- Detects Eternity stealer (3 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\oyi.exe | eternity_stealer
  C:\Users\Admin\AppData\Local\Temp\oyi.exe | eternity_stealer
  behavioral2/memory/1996-135-0x00000197B9960000-0x00000197B9A12000-memory.dmp | eternity_stealer
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- suricata: ET MALWARE ZHtrap CnC Checkin
- suricata: ET MALWARE ZHtrap CnC Response - Connection Successfully Established
- Blocklisted process makes network request (16 IoCs)
  process: wscript.exe (pid 976)
  flows: 7, 21, 27, 33, 39, 43, 67, 74, 75, 76, 79, 80, 81, 82, 83, 84
- Executes dropped EXE (1 IoC)
  pid | process
  1996 | oyi.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZugdvnxZyL.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZugdvnxZyL.js | wscript.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | oyi.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | oyi.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | oyi.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\ZugdvnxZyL.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | oyi.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | oyi.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | process
  1996 | oyi.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1996 | oyi.exe
- Suspicious use of WriteProcessMemory (20 IoCs; each of the 10 rows below was recorded twice)
  description | pid | process | target process
  PID 4948 wrote to memory of 976 | 4948 | wscript.exe | wscript.exe
  PID 4948 wrote to memory of 1996 | 4948 | wscript.exe | oyi.exe
  PID 1996 wrote to memory of 2184 | 1996 | oyi.exe | cmd.exe
  PID 2184 wrote to memory of 3408 | 2184 | cmd.exe | chcp.com
  PID 2184 wrote to memory of 2688 | 2184 | cmd.exe | netsh.exe
  PID 2184 wrote to memory of 2712 | 2184 | cmd.exe | findstr.exe
  PID 1996 wrote to memory of 3136 | 1996 | oyi.exe | cmd.exe
  PID 3136 wrote to memory of 4552 | 3136 | cmd.exe | chcp.com
  PID 3136 wrote to memory of 1312 | 3136 | cmd.exe | netsh.exe
  PID 3136 wrote to memory of 3888 | 3136 | cmd.exe | findstr.exe
- outlook_office_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | oyi.exe
- outlook_win_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | oyi.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\(Purchase Order)file via WeTransfer.js"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZugdvnxZyL.js"
    Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\oyi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\oyi.exe"
    Signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\chcp.com
        Command line: chcp 65001
      - C:\Windows\system32\netsh.exe
        Command line: netsh wlan show profile
      - C:\Windows\system32\findstr.exe
        Command line: findstr All
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\chcp.com
        Command line: chcp 65001
      - C:\Windows\system32\findstr.exe
        Command line: findstr Key
      - C:\Windows\system32\netsh.exe
        Command line: netsh wlan show profile name="65001" key=clear
Downloads
- C:\Users\Admin\AppData\Local\Temp\oyi.exe
  Filesize: 687KB
  MD5: 5ad0ad2fd8fcc503ee6121077d34b24c
  SHA1: 5c7a2ef931536f3fc8fd48fb923ff136ec01ddb9
  SHA256: 3ed47430eb737fe96b7ed9e51380945c358a088ef6e2b734a684fc9dd03c3b31
  SHA512: 3a2ddf86c74e9dcf08868f768afd9e3919ec52c3fc4f5e43d6f1557e29c5bd404ec5ced89f26e52e50d3f041d775201169771c2bece0b03fcf6fac024d580ff2
- C:\Users\Admin\AppData\Roaming\ZugdvnxZyL.js
  Filesize: 5KB
  MD5: 816bb7e63eed97f1d9900db23d679d03
  SHA1: 98475f63b282c7d6a559e7f03dcece6dcf98a52b
  SHA256: c09c5176efd020c17d5c3b8e5a406f3cc396b3bcbdc1bf2615283d0a3b65fc70
  SHA512: 7b739060cdcdb4f09a67b0923f2aa69e6209e44ce344828fa296b20b20fcf25104226d08a584be436f00c06504f970fc705743e939c9c9d9da1b2e0ea4c47e02
- Memory dumps
  memory/976-130-0x0000000000000000-mapping.dmp
  memory/1312-144-0x0000000000000000-mapping.dmp
  memory/1996-135-0x00000197B9960000-0x00000197B9A12000-memory.dmp (712KB)
  memory/1996-132-0x0000000000000000-mapping.dmp
  memory/1996-136-0x00007FFC6B440000-0x00007FFC6BF01000-memory.dmp (10.8MB)
  memory/1996-137-0x00000197D5990000-0x00000197D59E0000-memory.dmp (320KB)
  memory/1996-147-0x00007FFC6B440000-0x00007FFC6BF01000-memory.dmp (10.8MB)
  memory/1996-146-0x00007FFC6B440000-0x00007FFC6BF01000-memory.dmp (10.8MB)
  memory/2184-138-0x0000000000000000-mapping.dmp
  memory/2688-140-0x0000000000000000-mapping.dmp
  memory/2712-141-0x0000000000000000-mapping.dmp
  memory/3136-142-0x0000000000000000-mapping.dmp
  memory/3408-139-0x0000000000000000-mapping.dmp
  memory/3888-145-0x0000000000000000-mapping.dmp
  memory/4552-143-0x0000000000000000-mapping.dmp