Analysis

max time kernel: 54s
max time network: 142s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 29/08/2022, 13:45
Static task: static1
Behavioral task: behavioral1
Sample: 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe
Resource: win10-20220812-en
General

Target: 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe
Size: 930KB
MD5: 39e53edf45a715e6633966b9cf79a698
SHA1: 4af4d12118dcbfe21fca68fac0d5de925d107bec
SHA256: 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6
SHA512: 0d438e1a77d39c09010148d0e428aa688175547193ec97b78b59eef467d94a38c3ddffd0acff48adea39d230917323e3a3a01cc15968e9b350f0cf207c1169f9
SSDEEP: 24576:ms9stXwB1kWsT0Y5MM0BQwpggFOmH1Ix:OwMv0M0BhgsTVI
Malware Config

Extracted family: eternity
Extracted URL: http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe
Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe
Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ip-api.com

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
3068 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3068 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 3068 wrote to memory of 1072 | 3068 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe | 67
PID 3068 wrote to memory of 1072 | 3068 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe | 67
PID 3068 wrote to memory of 1072 | 3068 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe | 67
PID 1072 wrote to memory of 4940 | 1072 | cmd.exe | 69
PID 1072 wrote to memory of 4940 | 1072 | cmd.exe | 69
PID 1072 wrote to memory of 4940 | 1072 | cmd.exe | 69
PID 1072 wrote to memory of 3580 | 1072 | cmd.exe | 70
PID 1072 wrote to memory of 3580 | 1072 | cmd.exe | 70
PID 1072 wrote to memory of 3580 | 1072 | cmd.exe | 70
PID 1072 wrote to memory of 4520 | 1072 | cmd.exe | 71
PID 1072 wrote to memory of 4520 | 1072 | cmd.exe | 71
PID 1072 wrote to memory of 4520 | 1072 | cmd.exe | 71
PID 3068 wrote to memory of 1236 | 3068 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe | 72
PID 3068 wrote to memory of 1236 | 3068 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe | 72
PID 3068 wrote to memory of 1236 | 3068 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe | 72
PID 1236 wrote to memory of 1096 | 1236 | cmd.exe | 74
PID 1236 wrote to memory of 1096 | 1236 | cmd.exe | 74
PID 1236 wrote to memory of 1096 | 1236 | cmd.exe | 74
PID 1236 wrote to memory of 2052 | 1236 | cmd.exe | 75
PID 1236 wrote to memory of 2052 | 1236 | cmd.exe | 75
PID 1236 wrote to memory of 2052 | 1236 | cmd.exe | 75
PID 1236 wrote to memory of 4528 | 1236 | cmd.exe | 76
PID 1236 wrote to memory of 4528 | 1236 | cmd.exe | 76
PID 1236 wrote to memory of 4528 | 1236 | cmd.exe | 76

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe
Processes

C:\Users\Admin\AppData\Local\Temp\979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\979b749a9c4e8d2b7ffae33df7b8bf28f82fb1fbc6840566e548399b86e2caf6.exe"
  PID: 3068
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path

    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      PID: 1072
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
          PID: 4940

        C:\Windows\SysWOW64\netsh.exe
          Command line: netsh wlan show profile
          PID: 3580

        C:\Windows\SysWOW64\findstr.exe
          Command line: findstr All
          PID: 4520

    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
      PID: 1236
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
          PID: 1096

        C:\Windows\SysWOW64\netsh.exe
          Command line: netsh wlan show profile name="65001" key=clear
          PID: 2052

        C:\Windows\SysWOW64\findstr.exe
          Command line: findstr Key
          PID: 4528