Analysis
max time kernel: 46s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 31/08/2022, 05:33
Static task: static1
Behavioral task: behavioral1
  Sample: 9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4.exe
  Resource: win10v2004-20220812-en
General
Target: 9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4.exe
Size: 4.0MB
MD5: 2a97aa3ab5161aae270c5f2053ee0d0e
SHA1: f84f6f207d2a2fc825d89612427b67ee77c4648f
SHA256: 9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4
SHA512: 99e7d1a03195f6d2f9d7462505f6c2a9b3d0427abb5969db3082ef253c04c4957747dcbef27abd74ce0696ae83a34418e79718be9097c6132d7bf5aa4d402fe0
SSDEEP: 98304:FGmcvnfOe9d07l+LOMIPE5QRlKTebwEOTxp/P7:Qmne9al+LOM15MsEG3
Malware Config
Signatures
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 5: ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 1204: 9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4.exe (2 entries)
Suspicious use of SetThreadContext (1 IoCs)
- PID 1204 set thread context of 956 (pid 1204, 9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4.exe, target procid 27)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (InstallUtil.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (InstallUtil.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 1204: 9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4.exe (5 entries)
- PID 956: InstallUtil.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege (PID 956, InstallUtil.exe)
Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 1204: 9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4.exe
Suspicious use of WriteProcessMemory (25 IoCs)
- PID 1204 wrote to memory of 956 (9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4.exe, target procid 27) (9 entries)
- PID 956 wrote to memory of 2044 (InstallUtil.exe, target procid 29) (4 entries)
- PID 2044 wrote to memory of 2012 (cmd.exe, target procid 31) (4 entries)
- PID 2044 wrote to memory of 324 (cmd.exe, target procid 32) (4 entries)
- PID 2044 wrote to memory of 1220 (cmd.exe, target procid 33) (4 entries)
outlook_office_path (1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)

outlook_win_path (1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (InstallUtil.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e3c04707820cd4c0c8f50d49963a8c75a21e88d71c9a31f045592028d84e2e4.exe"
  PID: 1204
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    PID: 956
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      PID: 2044
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
        PID: 2012
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show profile
        PID: 324
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr All
        PID: 1220