Analysis
-
max time kernel
150s -
max time network
176s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
08/09/2022, 22:16
Static task
static1
Behavioral task
behavioral1
Sample
cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe
Resource
win10-20220812-en
General
-
Target
cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe
-
Size
2.2MB
-
MD5
b2ea50bd71262b396ff357dba4cd7e11
-
SHA1
7a4e027ea10d6a1e9ab3fe54d0c7f8ac85e735b8
-
SHA256
cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a
-
SHA512
844d190834a467339e6134f273b2e21d56b192a178e905a3de6c30798ea834b9aaaf064bef0e6b53419fe25fbdb72ac6b1c5619a6e3617e95b4038377ea8a5a6
-
SSDEEP
24576:klfzzUFAK8FuRSqEytpJ5oGrHhnlbbHFECMNNPtf/YCrGI74FNlofwms4qpy/:k9zUDeubE8pPo4HhlbqpNbYgAc
Malware Config
Extracted
eternity
-
payload_urls
http://178.20.44.214/edgedownload.exe
http://178.20.44.214/a.exe
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3828 set thread context of 4196 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 69 -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe Token: SeDebugPrivilege 4196 InstallUtil.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3828 wrote to memory of 4192 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 68 PID 3828 wrote to memory of 4192 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 68 PID 3828 wrote to memory of 4192 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 68 PID 3828 wrote to memory of 4192 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 68 PID 3828 wrote to memory of 4192 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 68 PID 3828 wrote to memory of 4192 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 68 PID 3828 wrote to memory of 4192 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 68 PID 3828 wrote to memory of 4192 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 68 PID 3828 wrote to memory of 4196 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 69 PID 3828 wrote to memory of 4196 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 69 PID 3828 wrote to memory of 4196 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 69 PID 3828 wrote to memory of 4196 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 69 PID 3828 wrote to memory of 4196 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 69 PID 3828 wrote to memory of 4196 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 69 PID 3828 wrote to memory of 4196 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 69 PID 3828 wrote to memory of 4196 3828 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe 69
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe"C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵PID:4192
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4196
-