Analysis
max time kernel: 25s
max time network: 28s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2022 23:22
Behavioral task: behavioral1
Sample: Worm (1).exe
Resource: win10v2004-20220812-en
General
Target: Worm (1).exe
Size: 1.3MB
MD5: 4a9ffb6962544b4dd55ce6ff568810b7
SHA1: a04a58215250d0bbe79fd946e6f5a73e8be27133
SHA256: 8102f6139e928e1e844e7625f41bfa2b65f6ba05e95c43f1ecb329d72a91592b
SHA512: 5b7e84b8a49200960a5312a373ef6245c2d997b5e3b9a761cb15a83ffe2edf9dc860c1bcd7ebb9eb7cd774c6f1364d505016446f713acfdfb682bb01c148053b
SSDEEP: 24576:mckH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:mBHZ5MMpoJOp+MIVai7Tq24GjdGS
Malware Config
Extracted
Family: eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
payload_urls:
- https://raroford3242.xyz/myupdate.exe
- https://raroford3242.xyz/Sklmsstregens.vbs, https://raroford3242.xyz/remcexecrypt.exe, https://raroford3242.xyz/redlcryp.exe, https://raroford3242.xyz/racoocry.exe
- https://raroford3242.xyz/myupdate.exe
- https://raroford3242.xyz/myupdate.exe
Signatures

Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    5112  remcexecrypt.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                  process
    Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  Worm (1).exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  Processes:
    description  ioc                                                                                   process
    Key created  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings  Worm (1).exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   3904  Worm (1).exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 3904 wrote to memory of 4980   3904  Worm (1).exe  WScript.exe
    PID 3904 wrote to memory of 4980   3904  Worm (1).exe  WScript.exe
    PID 3904 wrote to memory of 4980   3904  Worm (1).exe  WScript.exe
    PID 3904 wrote to memory of 5112   3904  Worm (1).exe  remcexecrypt.exe
    PID 3904 wrote to memory of 5112   3904  Worm (1).exe  remcexecrypt.exe
    PID 3904 wrote to memory of 5112   3904  Worm (1).exe  remcexecrypt.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Worm (1).exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Worm (1).exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sklmsstregens.vbs"

   2. C:\Users\Admin\AppData\Local\Temp\remcexecrypt.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\remcexecrypt.exe"
      - Executes dropped EXE

   2. C:\Users\Admin\AppData\Local\Temp\redlcryp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\redlcryp.exe"

   2. C:\Users\Admin\AppData\Local\Temp\racoocry.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\racoocry.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\Sklmsstregens.vbs
  Filesize: 939KB
  MD5: 162aacbbce61a373c09f874f5b093227
  SHA1: 341f33fb5dd79976b53a49dafc3cbcc3d509240d
  SHA256: 4d1c7c5b60c2dc51f6d7d3b57546e9862c42831c6c150256a5048a7597cb7d97
  SHA512: 755db0c2391990a74e6dc73429f96b17d6b8ffc2bd2e1ca903c843f03de77df788b21c87aed9ad932e1e65f705afea58fd14ddcf1e53b4b47d5d9b889a68c86e

C:\Users\Admin\AppData\Local\Temp\redlcryp.exe
  Filesize: 472KB
  MD5: 4f784fd650c865f8363b7f314c20f4be
  SHA1: b1f016318068a4c59960254ca7560cfba550cd5c
  SHA256: 74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64
  SHA512: c5abcd28932273def39c57210ef266b7a83898d9c02e3597c9d5a62e193acdafd0efce983c8ace838982110451276c63a3267d9569e08f6855da3d75b2acaec0
C:\Users\Admin\AppData\Local\Temp\remcexecrypt.exe
  Filesize: 578KB
  MD5: 48262644cae3de40096fe55766e34c61
  SHA1: e577f7353f432f90f79f21bbc1fc1530815d1533
  SHA256: 6f6eb43adad7c1719aa85c3970b26b3d58e103ea4a830e7461be68fe22ee467b
  SHA512: ab3e8baa47e81a2ed18b7d4af72ee539cf708db588a0d6186c5790681caa783d8cf9d4a18d4208c575efd5fa8115bc9fbf3414efebb8df205b33cb10d3ca1a17
memory/636-139-0x0000000000000000-mapping.dmp
memory/3904-132-0x0000000000580000-0x00000000006D2000-memory.dmp
  Filesize: 1.3MB
memory/3904-133-0x0000000005590000-0x0000000005B34000-memory.dmp
  Filesize: 5.6MB
memory/4980-134-0x0000000000000000-mapping.dmp
memory/5112-136-0x0000000000000000-mapping.dmp