Analysis
-
max time kernel
301s -
max time network
494s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26/08/2022, 09:47
Behavioral task
behavioral1
Sample
3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe
Resource
win10v2004-20220812-en
General
-
Target
3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe
-
Size
335KB
-
MD5
71496b5e5efc6d81e89321f258a1d7f8
-
SHA1
bfbd28ec240f3d80d7521e1b3bd41f109d3fb385
-
SHA256
3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab
-
SHA512
9c1fff2f4691c547d91afec65a401512755bf371485427e377f79e14234c4bf91951c914f91f6d08f1c75d2af2df7aab4dfa7af171d7cc1d51c193b9993207a1
-
SSDEEP
6144:Z6+FwyIBybJrmRsuRomJ91J4YIA1emaX+RJ9fhqpbcUazMXo:Z6+FwyIBybJrmRsuRomJ91J4Yr1eMz9w
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 5068 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5068 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 5068 wrote to memory of 1624 5068 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe 81 PID 5068 wrote to memory of 1624 5068 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe 81 PID 1624 wrote to memory of 3004 1624 cmd.exe 83 PID 1624 wrote to memory of 3004 1624 cmd.exe 83 PID 1624 wrote to memory of 3460 1624 cmd.exe 84 PID 1624 wrote to memory of 3460 1624 cmd.exe 84 PID 1624 wrote to memory of 4980 1624 cmd.exe 85 PID 1624 wrote to memory of 4980 1624 cmd.exe 85 PID 5068 wrote to memory of 1312 5068 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe 87 PID 5068 wrote to memory of 1312 5068 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe 87 PID 1312 wrote to memory of 1300 1312 cmd.exe 89 PID 1312 wrote to memory of 1300 1312 cmd.exe 89 PID 1312 wrote to memory of 1528 1312 cmd.exe 90 PID 1312 wrote to memory of 1528 1312 cmd.exe 90 PID 1312 wrote to memory of 1276 1312 cmd.exe 91 PID 1312 wrote to memory of 1276 1312 cmd.exe 91 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe"C:\Users\Admin\AppData\Local\Temp\3cc8da5947ed5754c9e72a762d6f36893d7c11f398abc82e3be71b581d4b5cab.exe"1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:5068 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:3004
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵PID:3460
-
-
C:\Windows\system32\findstr.exefindstr All3⤵PID:4980
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key2⤵
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:1300
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear3⤵PID:1528
-
-
C:\Windows\system32\findstr.exefindstr Key3⤵PID:1276
-
-