Analysis
-
max time kernel
77s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29/08/2022, 06:00
Behavioral task
behavioral1
Sample
603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe
Resource
win10v2004-20220812-en
General
-
Target
603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe
-
Size
334KB
-
MD5
91d524401a72d27f6968b3fe7e044b7f
-
SHA1
50aa30d5e0d8282b4a0ba26a168f3b98b66403cc
-
SHA256
603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274
-
SHA512
149519c40e291c5889413d828c8805382503697a9f2bf6f715d81ad906a3e35592754a6c17db03552edb8275a0c6d436562d14fec9d53c6720e2207bee18f2be
-
SSDEEP
6144:giCpLEyg6kxcvcj3UGsNdZwPKStZcHgWkaqPd2b+RJuXas3:giCpLELFUGaQKStqHsaqFPTuq
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3568 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3568 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3568 wrote to memory of 4888 3568 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe 82 PID 3568 wrote to memory of 4888 3568 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe 82 PID 4888 wrote to memory of 1272 4888 cmd.exe 84 PID 4888 wrote to memory of 1272 4888 cmd.exe 84 PID 4888 wrote to memory of 4376 4888 cmd.exe 85 PID 4888 wrote to memory of 4376 4888 cmd.exe 85 PID 4888 wrote to memory of 1068 4888 cmd.exe 86 PID 4888 wrote to memory of 1068 4888 cmd.exe 86 PID 3568 wrote to memory of 1352 3568 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe 87 PID 3568 wrote to memory of 1352 3568 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe 87 PID 1352 wrote to memory of 3224 1352 cmd.exe 89 PID 1352 wrote to memory of 3224 1352 cmd.exe 89 PID 1352 wrote to memory of 4436 1352 cmd.exe 90 PID 1352 wrote to memory of 4436 1352 cmd.exe 90 PID 1352 wrote to memory of 4592 1352 cmd.exe 91 PID 1352 wrote to memory of 4592 1352 cmd.exe 91 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe"C:\Users\Admin\AppData\Local\Temp\603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe"1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3568 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:1272
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵PID:4376
-
-
C:\Windows\system32\findstr.exefindstr All3⤵PID:1068
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key2⤵
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:3224
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear3⤵PID:4436
-
-
C:\Windows\system32\findstr.exefindstr Key3⤵PID:4592
-
-