Analysis
-
max time kernel
52s -
max time network
181s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
11-11-2022 22:18
Behavioral task
behavioral1
Sample
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe
Resource
win10-20220901-en
General
-
Target
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe
-
Size
334KB
-
MD5
a841724e4e82cecd3a00fac001ca9230
-
SHA1
dd311ab9e15bbf519a0f4c0beaa6e4580f6a7b12
-
SHA256
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59
-
SHA512
29755bd7da2bfb99902d76f6283c07380a1af1ef4a3580e35466a508ae1c511b93fb5d6bb2cc9ffff8db39d17f3988c7fc1abc5b3b62b99f1dfd12667db2bac9
-
SSDEEP
6144:8Eaii9gfJUZxfNcUgp01S/8kv5d3Zk17RbNcST+:8EaJfO/95xClf3
Malware Config
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exepid process 4740 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exedescription pid process Token: SeDebugPrivilege 4740 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.execmd.execmd.exedescription pid process target process PID 4740 wrote to memory of 5000 4740 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe cmd.exe PID 4740 wrote to memory of 5000 4740 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe cmd.exe PID 5000 wrote to memory of 2420 5000 cmd.exe chcp.com PID 5000 wrote to memory of 2420 5000 cmd.exe chcp.com PID 5000 wrote to memory of 3088 5000 cmd.exe netsh.exe PID 5000 wrote to memory of 3088 5000 cmd.exe netsh.exe PID 5000 wrote to memory of 4560 5000 cmd.exe findstr.exe PID 5000 wrote to memory of 4560 5000 cmd.exe findstr.exe PID 4740 wrote to memory of 1656 4740 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe cmd.exe PID 4740 wrote to memory of 1656 4740 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe cmd.exe PID 1656 wrote to memory of 4620 1656 cmd.exe chcp.com PID 1656 wrote to memory of 4620 1656 cmd.exe chcp.com PID 1656 wrote to memory of 4580 1656 cmd.exe netsh.exe PID 1656 wrote to memory of 4580 1656 cmd.exe netsh.exe PID 1656 wrote to memory of 4884 1656 cmd.exe findstr.exe PID 1656 wrote to memory of 4884 1656 cmd.exe findstr.exe -
outlook_office_path 1 IoCs
Processes:
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe -
outlook_win_path 1 IoCs
Processes:
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe"C:\Users\Admin\AppData\Local\Temp\9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59.exe"1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵
-
C:\Windows\system32\findstr.exefindstr All3⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
C:\Windows\system32\findstr.exefindstr Key3⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1656-126-0x0000000000000000-mapping.dmp
-
memory/2420-123-0x0000000000000000-mapping.dmp
-
memory/3088-124-0x0000000000000000-mapping.dmp
-
memory/4560-125-0x0000000000000000-mapping.dmp
-
memory/4580-128-0x0000000000000000-mapping.dmp
-
memory/4620-127-0x0000000000000000-mapping.dmp
-
memory/4740-120-0x0000024F90F20000-0x0000024F90F7A000-memory.dmpFilesize
360KB
-
memory/4740-122-0x0000024F92C80000-0x0000024F92CD0000-memory.dmpFilesize
320KB
-
memory/4884-129-0x0000000000000000-mapping.dmp
-
memory/5000-121-0x0000000000000000-mapping.dmp