Analysis
-
max time kernel
127s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
07/09/2022, 09:38
Behavioral task
behavioral1
Sample
603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe
Resource
win10v2004-20220812-en
General
-
Target
603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe
-
Size
334KB
-
MD5
91d524401a72d27f6968b3fe7e044b7f
-
SHA1
50aa30d5e0d8282b4a0ba26a168f3b98b66403cc
-
SHA256
603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274
-
SHA512
149519c40e291c5889413d828c8805382503697a9f2bf6f715d81ad906a3e35592754a6c17db03552edb8275a0c6d436562d14fec9d53c6720e2207bee18f2be
-
SSDEEP
6144:giCpLEyg6kxcvcj3UGsNdZwPKStZcHgWkaqPd2b+RJuXas3:giCpLELFUGaQKStqHsaqFPTuq
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 548 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 548 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 548 wrote to memory of 2004 548 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe 84 PID 548 wrote to memory of 2004 548 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe 84 PID 2004 wrote to memory of 3204 2004 cmd.exe 86 PID 2004 wrote to memory of 3204 2004 cmd.exe 86 PID 2004 wrote to memory of 1816 2004 cmd.exe 87 PID 2004 wrote to memory of 1816 2004 cmd.exe 87 PID 2004 wrote to memory of 1460 2004 cmd.exe 88 PID 2004 wrote to memory of 1460 2004 cmd.exe 88 PID 548 wrote to memory of 204 548 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe 89 PID 548 wrote to memory of 204 548 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe 89 PID 204 wrote to memory of 4696 204 cmd.exe 91 PID 204 wrote to memory of 4696 204 cmd.exe 91 PID 204 wrote to memory of 4168 204 cmd.exe 92 PID 204 wrote to memory of 4168 204 cmd.exe 92 PID 204 wrote to memory of 4164 204 cmd.exe 93 PID 204 wrote to memory of 4164 204 cmd.exe 93 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe"C:\Users\Admin\AppData\Local\Temp\603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274.exe"1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:548 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:3204
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵PID:1816
-
-
C:\Windows\system32\findstr.exefindstr All3⤵PID:1460
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key2⤵
- Suspicious use of WriteProcessMemory
PID:204 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:4696
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear3⤵PID:4168
-
-
C:\Windows\system32\findstr.exefindstr Key3⤵PID:4164
-
-