Analysis
-
max time kernel
116s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
30-09-2022 21:27
Static task
static1
Behavioral task
behavioral1
Sample
3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe
Resource
win10v2004-20220901-en
General
-
Target
3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe
-
Size
341KB
-
MD5
2009eaf75113479d47800afa0912bc86
-
SHA1
21b702e6c52961658b76c9ae2a0446763b655fe7
-
SHA256
3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda
-
SHA512
457081954a6705f1d3d934c648219f0ea16e3dd2c7af4d843c00dad132491631e6aeb7439693c88060dda9e9143b4f9141dce8aee1a0e65bff97de991ae4017b
-
SSDEEP
6144:ia4VhHCa1jUcLLz60VJarxFGVKbSxps19TUtTvEXcIROt3l2+C0O9:i9VhjnzBbpsQTOOyP0
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Executes dropped EXE 1 IoCs
Processes:
dead.exepid process 3536 dead.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
dead.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dead.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dead.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dead.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dead.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 dead.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier dead.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
dead.exepid process 3536 dead.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
dead.exedescription pid process Token: SeDebugPrivilege 3536 dead.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exedead.execmd.execmd.exedescription pid process target process PID 2808 wrote to memory of 3536 2808 3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe dead.exe PID 2808 wrote to memory of 3536 2808 3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe dead.exe PID 3536 wrote to memory of 3500 3536 dead.exe cmd.exe PID 3536 wrote to memory of 3500 3536 dead.exe cmd.exe PID 3500 wrote to memory of 236 3500 cmd.exe chcp.com PID 3500 wrote to memory of 236 3500 cmd.exe chcp.com PID 3500 wrote to memory of 4008 3500 cmd.exe netsh.exe PID 3500 wrote to memory of 4008 3500 cmd.exe netsh.exe PID 3500 wrote to memory of 4492 3500 cmd.exe findstr.exe PID 3500 wrote to memory of 4492 3500 cmd.exe findstr.exe PID 3536 wrote to memory of 2100 3536 dead.exe cmd.exe PID 3536 wrote to memory of 2100 3536 dead.exe cmd.exe PID 2100 wrote to memory of 4352 2100 cmd.exe chcp.com PID 2100 wrote to memory of 4352 2100 cmd.exe chcp.com PID 2100 wrote to memory of 4196 2100 cmd.exe netsh.exe PID 2100 wrote to memory of 4196 2100 cmd.exe netsh.exe PID 2100 wrote to memory of 3588 2100 cmd.exe findstr.exe PID 2100 wrote to memory of 3588 2100 cmd.exe findstr.exe -
outlook_office_path 1 IoCs
Processes:
dead.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dead.exe -
outlook_win_path 1 IoCs
Processes:
dead.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dead.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe"C:\Users\Admin\AppData\Local\Temp\3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dead.exe"C:\Users\Admin\AppData\Local\Temp\dead.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
-
C:\Windows\system32\findstr.exefindstr All4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear4⤵
-
C:\Windows\system32\findstr.exefindstr Key4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dead.exeFilesize
334KB
MD52d47c689ac25b293acccdb4334148d17
SHA18f5800cc1529be5cd153e3dd87a93e598dc9e081
SHA2562a926306d0dc0f78f4eb24304be2e680f3af4a766f84c781354f29aa2adc70cd
SHA5121a66302aacf06f62b8481ce729e507cc21cb966d24a351aa45740812f44d5fa5a9516df6b65102a3f597a267983fe8d38b43c641cf931b13189e4fb9ea274ba3
-
C:\Users\Admin\AppData\Local\Temp\dead.exeFilesize
334KB
MD52d47c689ac25b293acccdb4334148d17
SHA18f5800cc1529be5cd153e3dd87a93e598dc9e081
SHA2562a926306d0dc0f78f4eb24304be2e680f3af4a766f84c781354f29aa2adc70cd
SHA5121a66302aacf06f62b8481ce729e507cc21cb966d24a351aa45740812f44d5fa5a9516df6b65102a3f597a267983fe8d38b43c641cf931b13189e4fb9ea274ba3
-
memory/236-141-0x0000000000000000-mapping.dmp
-
memory/2100-144-0x0000000000000000-mapping.dmp
-
memory/2808-132-0x00000000007D0000-0x000000000082C000-memory.dmpFilesize
368KB
-
memory/2808-137-0x00007FFD33890000-0x00007FFD34351000-memory.dmpFilesize
10.8MB
-
memory/3500-139-0x0000000000000000-mapping.dmp
-
memory/3536-136-0x000001FF1F500000-0x000001FF1F55A000-memory.dmpFilesize
360KB
-
memory/3536-140-0x000001FF3AC90000-0x000001FF3ACE0000-memory.dmpFilesize
320KB
-
memory/3536-138-0x00007FFD33890000-0x00007FFD34351000-memory.dmpFilesize
10.8MB
-
memory/3536-133-0x0000000000000000-mapping.dmp
-
memory/3536-148-0x00007FFD33890000-0x00007FFD34351000-memory.dmpFilesize
10.8MB
-
memory/3536-149-0x00007FFD33890000-0x00007FFD34351000-memory.dmpFilesize
10.8MB
-
memory/3588-147-0x0000000000000000-mapping.dmp
-
memory/4008-142-0x0000000000000000-mapping.dmp
-
memory/4196-146-0x0000000000000000-mapping.dmp
-
memory/4352-145-0x0000000000000000-mapping.dmp
-
memory/4492-143-0x0000000000000000-mapping.dmp