Analysis
max time kernel: 70s
max time network: 143s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 08/09/2022, 22:16
Static task: static1
Behavioral task: behavioral1
  Sample: 8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe
  Resource: win10-20220812-en
General
Target: 8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe
Size: 2.7MB
MD5: 51e3a7f01dc6d68c33d184520cf578dc
SHA1: e081194ec46e6d0806265ecb56fd7eefde49f5b4
SHA256: 8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d
SHA512: 5585b28b66b9ed968e0f88fbe8b42fdd6430c9cb302a1927f8fc4f458e50983928d6ca47bb7dade1c73a592248913c714b0edf718234bbb9a224e2c386f2b4c8
SSDEEP: 49152:BelBeMQvuPKQn1Q18QVwTG3+U7R2lUBk/LejWF2jFyr7btf7iHVQJp5JJKkVc:ABeMIub1QY6ZWgsL0FjMbl7iKJpxVc
Malware Config
Signatures
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

Accesses Microsoft Outlook profiles  (1 TTPs, 3 IoCs)
  Key opened  \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (InstallUtil.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (InstallUtil.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (InstallUtil.exe)
Looks up external IP address via web service  (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 17  ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger  (5 IoCs)
  PID 4820  8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe  (5 occurrences)

Suspicious use of SetThreadContext  (1 IoCs)
  PID 4820 (8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe) set thread context of PID 4000 (procid_target 70)

Checks processor information in registry  (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0  (InstallUtil.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  (InstallUtil.exe)

Runs ping.exe  (1 TTPs, 1 IoCs)
  PID 2312  PING.EXE

Suspicious behavior: EnumeratesProcesses  (7 IoCs)
  PID 4820  8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe  (6 occurrences)
  PID 4000  InstallUtil.exe  (1 occurrence)

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
  Token: SeDebugPrivilege  PID 4820  8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe
  Token: SeDebugPrivilege  PID 4000  InstallUtil.exe

Suspicious use of SetWindowsHookEx  (1 IoCs)
  PID 4820  8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe
Suspicious use of WriteProcessMemory  (57 IoCs)
Identical rows are collapsed; the count column gives how many times each write was recorded. Target process names are taken from the process tree below.
  source PID  source process                                                          target PID  target process   procid_target  count
  4820        8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe    4896        InstallUtil.exe  68             8
  4820        8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe    4292        InstallUtil.exe  69             8
  4820        8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe    4000        InstallUtil.exe  70             8
  4000        InstallUtil.exe                                                         1196        cmd.exe          73             3
  1196        cmd.exe                                                                 1664        chcp.com         75             3
  1196        cmd.exe                                                                 1916        netsh.exe        76             3
  1196        cmd.exe                                                                 2116        findstr.exe      77             3
  4000        InstallUtil.exe                                                         2900        cmd.exe          78             3
  2900        cmd.exe                                                                 3420        chcp.com         80             3
  2900        cmd.exe                                                                 4092        netsh.exe        81             3
  2900        cmd.exe                                                                 3128        findstr.exe      82             3
  4000        InstallUtil.exe                                                         5048        cmd.exe          83             3
  5048        cmd.exe                                                                 2692        chcp.com         85             3
  5048        cmd.exe                                                                 2312        PING.EXE         86             3
outlook_office_path  (1 IoCs)
  Key opened  \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (InstallUtil.exe)

outlook_win_path  (1 IoCs)
  Key opened  \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (InstallUtil.exe)
Processes
Process tree; the bracketed number is the depth in the tree and indentation shows parent/child relationships.

[1] C:\Users\Admin\AppData\Local\Temp\8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe  (PID 4820)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  (PID 4896)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  (PID 4292)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  (PID 4000)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1196)
            Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\chcp.com  (PID 1664)
                Command line: chcp 65001

            [4] C:\Windows\SysWOW64\netsh.exe  (PID 1916)
                Command line: netsh wlan show profile

            [4] C:\Windows\SysWOW64\findstr.exe  (PID 2116)
                Command line: findstr All

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2900)
            Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\chcp.com  (PID 3420)
                Command line: chcp 65001

            [4] C:\Windows\SysWOW64\netsh.exe  (PID 4092)
                Command line: netsh wlan show profile name="65001" key=clear

            [4] C:\Windows\SysWOW64\findstr.exe  (PID 3128)
                Command line: findstr Key

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 5048)
            Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\chcp.com  (PID 2692)
                Command line: chcp 65001

            [4] C:\Windows\SysWOW64\PING.EXE  (PID 2312)
                Command line: ping 127.0.0.1
                - Runs ping.exe
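The process tree and the WriteProcessMemory / SetThreadContext signatures above describe a chain that can be turned into detection logic: the dropper writes into three argument-less InstallUtil.exe children but only sets a thread context on one of them (PID 4000), and that hollowed process is the one that runs cmd.exe to dump saved Wi-Fi profiles with `netsh wlan show profile ... key=clear` and then delays with `ping 127.0.0.1` before a `DEL` of its host binary. Note also that the profile name "65001" in the second netsh command equals the code page passed to chcp, which suggests the stealer parsed chcp's own "Active code page" output line as a Wi-Fi profile name; the report does not show the parser, so treat that as an inference. The Python below is an added example written for this page, not code from the sandbox, from Triage, or from the Eternity kit. The event model and field names (kind, pid, image, ppid, cmdline, target_pid) are assumptions to be mapped onto real telemetry such as Sysmon process-create and remote-memory events; the sample events are constructed from the report with repeated rows collapsed, plus one benign control event that is not on the page.

```python
"""Detection logic for the execution chain in this report (added example).
Event model and field names are assumptions; SAMPLE is constructed from the
report (collapsed) plus one benign control event."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # "create" | "write_memory" | "set_thread_context"
    pid: int             # acting process
    image: str           # acting process image path
    ppid: int = 0        # parent pid (create events only)
    cmdline: str = ""    # command line (create events only)
    target_pid: int = 0  # process written to / whose thread context was set


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\8ba6a24338e06b435fe5e63200785bf86d3b3cd809599b6a41e6bd1a6eafab4d.exe")
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"

SAMPLE = [  # constructed from the report; last event is a benign control
    Event("create", 4820, DROPPER, cmdline=f'"{DROPPER}"'),
    Event("write_memory", 4820, DROPPER, target_pid=4896),
    Event("create", 4896, INSTALLUTIL, ppid=4820, cmdline=f'"{INSTALLUTIL}"'),
    Event("write_memory", 4820, DROPPER, target_pid=4292),
    Event("create", 4292, INSTALLUTIL, ppid=4820, cmdline=f'"{INSTALLUTIL}"'),
    Event("write_memory", 4820, DROPPER, target_pid=4000),
    Event("set_thread_context", 4820, DROPPER, target_pid=4000),
    Event("create", 4000, INSTALLUTIL, ppid=4820, cmdline=f'"{INSTALLUTIL}"'),
    Event("create", 1196, CMD32, ppid=4000,
          cmdline='"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    Event("create", 2900, CMD32, ppid=4000,
          cmdline='"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key'),
    Event("create", 5048, CMD32, ppid=4000,
          cmdline=rf'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "{INSTALLUTIL}"'),
    Event("create", 6100, r"C:\Windows\System32\cmd.exe", ppid=6000,
          cmdline="cmd.exe /C netsh wlan show profile"),  # lists profiles, no key material
]

# key=clear makes netsh print the saved passphrase in plain text.
WIFI_KEY_DUMP = re.compile(r"netsh\s+wlan\s+show\s+profile.*\bkey\s*=\s*clear", re.I)
# ping as a delay, then DEL with switches on a (quoted or bare) path: self-delete idiom.
SELF_DELETE = re.compile(r'\bping\b.*&&\s*del\b\s+(?:/\w+\s+)*(?:"([^"]+)"|(\S+))', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(cmdline: str) -> bool:
    """True when the command line is only the (optionally quoted) image path."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m is not None and m.group(1).strip() == ""


def detect_hollowing(events):
    """Pair remote memory writes with SetThreadContext on the same target.
    Write + context change from the parent into its own child is the hollowing
    sequence (create suspended, write image, set context, resume); a write alone
    is reported at low confidence."""
    writes = {(e.pid, e.target_pid) for e in events if e.kind == "write_memory"}
    ctx = {(e.pid, e.target_pid) for e in events if e.kind == "set_thread_context"}
    created = {e.pid: e for e in events if e.kind == "create"}
    alerts = []
    for src, dst in sorted(writes):
        child = created.get(dst)
        if child is None:
            continue
        if (src, dst) in ctx and child.ppid == src:
            rule, confidence = "process_hollowing", "high"
        elif (src, dst) in ctx:
            rule, confidence = "remote_thread_hijack", "high"
        else:
            rule, confidence = "remote_memory_write", "low"
        alerts.append({
            "rule": rule, "confidence": confidence,
            "source_pid": src, "target_pid": dst,
            "target_image": _basename(child.image),
            # InstallUtil.exe does nothing useful without an assembly argument,
            # so an argument-less launch is itself a hollowing tell.
            "target_launched_without_args": has_no_arguments(child.cmdline),
        })
    return alerts


def detect_wifi_credential_dump(events):
    return [e.pid for e in events
            if e.kind == "create" and WIFI_KEY_DUMP.search(e.cmdline)]


def detect_self_delete(events):
    hits = []
    for e in events:
        m = SELF_DELETE.search(e.cmdline) if e.kind == "create" else None
        if m:
            hits.append((e.pid, _basename(m.group(1) or m.group(2))))
    return hits


def run(events):
    return {"hollowing": detect_hollowing(events),
            "wifi_key_dump_pids": detect_wifi_credential_dump(events),
            "self_delete": detect_self_delete(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(SAMPLE), indent=2))
```

Running the block against the constructed sample reports one high-confidence process_hollowing alert (4820 into 4000) and two low-confidence remote_memory_write alerts for the other two InstallUtil.exe children, flags PID 2900 for the key=clear dump while leaving the plain profile listing (PIDs 1196 and the benign 6100) alone, and attributes the self-delete chain to PID 5048. The write-only children are reported separately on purpose: on the page they received the same eight writes as PID 4000 but no SetThreadContext, so treating "write into child" as equivalent to hollowing would triple the alert count without adding information.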