Analysis
-
max time kernel
111s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2022 06:39
Static task
static1
Behavioral task
behavioral1
Sample
2f8df206ba700503dbebf59e937af0ec.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2f8df206ba700503dbebf59e937af0ec.exe
Resource
win10v2004-20221111-en
General
-
Target
2f8df206ba700503dbebf59e937af0ec.exe
-
Size
1.1MB
-
MD5
2f8df206ba700503dbebf59e937af0ec
-
SHA1
7c36d57af94f2dd16a62c09356b4ef2c63e456fd
-
SHA256
6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7
-
SHA512
6fbb58b3e3046498c64ad659db07ecd28357c54d65d2f1cf00220ce1bbd4fa4693dbe2c0df607a801f5cf6757bd5327735448c3babecb997ec85e88049275a59
-
SSDEEP
24576:+JqzI2HEUvWMJsbHsoO0YTyllU3OWuA5aRn:+JrbG70Y4WFZ8Rn
Malware Config
Extracted
eternity
4BCCzZcSyS7L1229mxLRArhp2HPKwpBmHGDnZKnWFds856vvQcRiDSsLZWH2CjW6xigC3NSGE5Qq2gfixNyMMVc723mjiPs
-
payload_urls
http://193.218.201.246/xmrig.exe
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Executes dropped EXE 3 IoCs
Processes:
ngentask.exengentask.exengentask.exepid process 4008 ngentask.exe 4544 ngentask.exe 4664 ngentask.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
2f8df206ba700503dbebf59e937af0ec.exedescription pid process target process PID 4844 set thread context of 1900 4844 2f8df206ba700503dbebf59e937af0ec.exe ngentask.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
2f8df206ba700503dbebf59e937af0ec.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB 2f8df206ba700503dbebf59e937af0ec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 5c0000000100000004000000001000000b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9 2f8df206ba700503dbebf59e937af0ec.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
2f8df206ba700503dbebf59e937af0ec.exepid process 4844 2f8df206ba700503dbebf59e937af0ec.exe 4844 2f8df206ba700503dbebf59e937af0ec.exe 4844 2f8df206ba700503dbebf59e937af0ec.exe 4844 2f8df206ba700503dbebf59e937af0ec.exe 4844 2f8df206ba700503dbebf59e937af0ec.exe 4844 2f8df206ba700503dbebf59e937af0ec.exe 4844 2f8df206ba700503dbebf59e937af0ec.exe 4844 2f8df206ba700503dbebf59e937af0ec.exe 4844 2f8df206ba700503dbebf59e937af0ec.exe 4844 2f8df206ba700503dbebf59e937af0ec.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
2f8df206ba700503dbebf59e937af0ec.exengentask.execmd.exedescription pid process target process PID 4844 wrote to memory of 1900 4844 2f8df206ba700503dbebf59e937af0ec.exe ngentask.exe PID 4844 wrote to memory of 1900 4844 2f8df206ba700503dbebf59e937af0ec.exe ngentask.exe PID 4844 wrote to memory of 1900 4844 2f8df206ba700503dbebf59e937af0ec.exe ngentask.exe PID 4844 wrote to memory of 1900 4844 2f8df206ba700503dbebf59e937af0ec.exe ngentask.exe PID 4844 wrote to memory of 1900 4844 2f8df206ba700503dbebf59e937af0ec.exe ngentask.exe PID 1900 wrote to memory of 3644 1900 ngentask.exe cmd.exe PID 1900 wrote to memory of 3644 1900 ngentask.exe cmd.exe PID 1900 wrote to memory of 3644 1900 ngentask.exe cmd.exe PID 3644 wrote to memory of 4488 3644 cmd.exe chcp.com PID 3644 wrote to memory of 4488 3644 cmd.exe chcp.com PID 3644 wrote to memory of 4488 3644 cmd.exe chcp.com PID 3644 wrote to memory of 4308 3644 cmd.exe PING.EXE PID 3644 wrote to memory of 4308 3644 cmd.exe PING.EXE PID 3644 wrote to memory of 4308 3644 cmd.exe PING.EXE PID 3644 wrote to memory of 3136 3644 cmd.exe schtasks.exe PID 3644 wrote to memory of 3136 3644 cmd.exe schtasks.exe PID 3644 wrote to memory of 3136 3644 cmd.exe schtasks.exe PID 3644 wrote to memory of 4008 3644 cmd.exe ngentask.exe PID 3644 wrote to memory of 4008 3644 cmd.exe ngentask.exe PID 3644 wrote to memory of 4008 3644 cmd.exe ngentask.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f8df206ba700503dbebf59e937af0ec.exe"C:\Users\Admin\AppData\Local\Temp\2f8df206ba700503dbebf59e937af0ec.exe"1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeC:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeC:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ngentask.exe.logFilesize
321B
MD5baf5d1398fdb79e947b60fe51e45397f
SHA149e7b8389f47b93509d621b8030b75e96bb577af
SHA25610c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8
SHA512b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeFilesize
85KB
MD5c6ce045ca7809169a017f73d45c21462
SHA17d2504133d8235e91c2e98355c4f223cdf500d4d
SHA25641019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6
SHA512cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeFilesize
85KB
MD5c6ce045ca7809169a017f73d45c21462
SHA17d2504133d8235e91c2e98355c4f223cdf500d4d
SHA25641019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6
SHA512cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeFilesize
85KB
MD5c6ce045ca7809169a017f73d45c21462
SHA17d2504133d8235e91c2e98355c4f223cdf500d4d
SHA25641019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6
SHA512cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeFilesize
85KB
MD5c6ce045ca7809169a017f73d45c21462
SHA17d2504133d8235e91c2e98355c4f223cdf500d4d
SHA25641019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6
SHA512cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205
-
memory/1900-135-0x0000000000000000-mapping.dmp
-
memory/1900-136-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1900-138-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1900-139-0x00000000057E0000-0x0000000005D84000-memory.dmpFilesize
5.6MB
-
memory/3136-144-0x0000000000000000-mapping.dmp
-
memory/3644-140-0x0000000000000000-mapping.dmp
-
memory/4008-145-0x0000000000000000-mapping.dmp
-
memory/4008-149-0x0000000000820000-0x0000000000838000-memory.dmpFilesize
96KB
-
memory/4308-142-0x0000000000000000-mapping.dmp
-
memory/4488-141-0x0000000000000000-mapping.dmp
-
memory/4844-132-0x0000000002456000-0x00000000028C2000-memory.dmpFilesize
4.4MB
-
memory/4844-143-0x0000000002283000-0x0000000002361000-memory.dmpFilesize
888KB
-
memory/4844-134-0x000000000FBF0000-0x000000000FC59000-memory.dmpFilesize
420KB
-
memory/4844-133-0x0000000002283000-0x0000000002361000-memory.dmpFilesize
888KB