Analysis
-
max time kernel
82s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29/08/2022, 08:50
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe
Resource
win10v2004-20220812-en
General
-
Target
SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe
-
Size
334KB
-
MD5
91d524401a72d27f6968b3fe7e044b7f
-
SHA1
50aa30d5e0d8282b4a0ba26a168f3b98b66403cc
-
SHA256
603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274
-
SHA512
149519c40e291c5889413d828c8805382503697a9f2bf6f715d81ad906a3e35592754a6c17db03552edb8275a0c6d436562d14fec9d53c6720e2207bee18f2be
-
SSDEEP
6144:giCpLEyg6kxcvcj3UGsNdZwPKStZcHgWkaqPd2b+RJuXas3:giCpLELFUGaQKStqHsaqFPTuq
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 948 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 948 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 948 wrote to memory of 1076 948 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe 83 PID 948 wrote to memory of 1076 948 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe 83 PID 1076 wrote to memory of 2652 1076 cmd.exe 85 PID 1076 wrote to memory of 2652 1076 cmd.exe 85 PID 1076 wrote to memory of 496 1076 cmd.exe 86 PID 1076 wrote to memory of 496 1076 cmd.exe 86 PID 1076 wrote to memory of 4312 1076 cmd.exe 87 PID 1076 wrote to memory of 4312 1076 cmd.exe 87 PID 948 wrote to memory of 2776 948 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe 88 PID 948 wrote to memory of 2776 948 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe 88 PID 2776 wrote to memory of 100 2776 cmd.exe 90 PID 2776 wrote to memory of 100 2776 cmd.exe 90 PID 2776 wrote to memory of 3456 2776 cmd.exe 91 PID 2776 wrote to memory of 3456 2776 cmd.exe 91 PID 2776 wrote to memory of 560 2776 cmd.exe 92 PID 2776 wrote to memory of 560 2776 cmd.exe 92 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.232310.17268.21853.exe"1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:948 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2652
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵PID:496
-
-
C:\Windows\system32\findstr.exefindstr All3⤵PID:4312
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key2⤵
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:100
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear3⤵PID:3456
-
-
C:\Windows\system32\findstr.exefindstr Key3⤵PID:560
-
-