Analysis
-
max time kernel
77s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
07/09/2022, 11:42
Behavioral task
behavioral1
Sample
2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe
Resource
win10v2004-20220812-en
General
-
Target
2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe
-
Size
334KB
-
MD5
80cc69a0eb4729c7cb59ae03b08d751d
-
SHA1
0a61ee90acd956d73124f4c6f092515781f86d58
-
SHA256
2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e
-
SHA512
79852d83db69db496769422932f0e4e52ad2e5ea12f8cfd94ef5654a73673bc1e2108750607c311a2a98f2d721f4c5010bd8203ed529e7391e6f14a67e902e21
-
SSDEEP
6144:bGk97/JQXJ5XrJXt48tbsQSJErbBJ8rbglCjpPAC2h:bGXF9ztr+E5JrY5L
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3580 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3580 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3580 wrote to memory of 4228 3580 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe 84 PID 3580 wrote to memory of 4228 3580 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe 84 PID 4228 wrote to memory of 4760 4228 cmd.exe 87 PID 4228 wrote to memory of 4760 4228 cmd.exe 87 PID 4228 wrote to memory of 760 4228 cmd.exe 86 PID 4228 wrote to memory of 760 4228 cmd.exe 86 PID 4228 wrote to memory of 4072 4228 cmd.exe 88 PID 4228 wrote to memory of 4072 4228 cmd.exe 88 PID 3580 wrote to memory of 4632 3580 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe 91 PID 3580 wrote to memory of 4632 3580 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe 91 PID 4632 wrote to memory of 216 4632 cmd.exe 93 PID 4632 wrote to memory of 216 4632 cmd.exe 93 PID 4632 wrote to memory of 1528 4632 cmd.exe 94 PID 4632 wrote to memory of 1528 4632 cmd.exe 94 PID 4632 wrote to memory of 4256 4632 cmd.exe 95 PID 4632 wrote to memory of 4256 4632 cmd.exe 95 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe"C:\Users\Admin\AppData\Local\Temp\2d0b8777b66309dda068c81f2cabd2f99d8c7669cc640710bd4af7ef572d347e.exe"1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3580 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵PID:760
-
-
C:\Windows\system32\chcp.comchcp 650013⤵PID:4760
-
-
C:\Windows\system32\findstr.exefindstr All3⤵PID:4072
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key2⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:216
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear3⤵PID:1528
-
-
C:\Windows\system32\findstr.exefindstr Key3⤵PID:4256
-
-