Analysis
-
max time kernel
110s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2022 06:46
Static task
static1
Behavioral task
behavioral1
Sample
6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe
Resource
win10v2004-20221111-en
General
-
Target
6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe
-
Size
1.1MB
-
MD5
2f8df206ba700503dbebf59e937af0ec
-
SHA1
7c36d57af94f2dd16a62c09356b4ef2c63e456fd
-
SHA256
6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7
-
SHA512
6fbb58b3e3046498c64ad659db07ecd28357c54d65d2f1cf00220ce1bbd4fa4693dbe2c0df607a801f5cf6757bd5327735448c3babecb997ec85e88049275a59
-
SSDEEP
24576:+JqzI2HEUvWMJsbHsoO0YTyllU3OWuA5aRn:+JrbG70Y4WFZ8Rn
Malware Config
Extracted
eternity
4BCCzZcSyS7L1229mxLRArhp2HPKwpBmHGDnZKnWFds856vvQcRiDSsLZWH2CjW6xigC3NSGE5Qq2gfixNyMMVc723mjiPs
-
payload_urls
http://193.218.201.246/xmrig.exe
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Executes dropped EXE 3 IoCs
Processes:
ngentask.exengentask.exengentask.exepid process 3812 ngentask.exe 4052 ngentask.exe 1968 ngentask.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exedescription pid process target process PID 2704 set thread context of 2984 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe ngentask.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 5c0000000100000004000000001000000b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exepid process 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exengentask.execmd.exedescription pid process target process PID 2704 wrote to memory of 2984 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe ngentask.exe PID 2704 wrote to memory of 2984 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe ngentask.exe PID 2704 wrote to memory of 2984 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe ngentask.exe PID 2704 wrote to memory of 2984 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe ngentask.exe PID 2704 wrote to memory of 2984 2704 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe ngentask.exe PID 2984 wrote to memory of 2368 2984 ngentask.exe cmd.exe PID 2984 wrote to memory of 2368 2984 ngentask.exe cmd.exe PID 2984 wrote to memory of 2368 2984 ngentask.exe cmd.exe PID 2368 wrote to memory of 1176 2368 cmd.exe chcp.com PID 2368 wrote to memory of 1176 2368 cmd.exe chcp.com PID 2368 wrote to memory of 1176 2368 cmd.exe chcp.com PID 2368 wrote to memory of 4748 2368 cmd.exe PING.EXE PID 2368 wrote to memory of 4748 2368 cmd.exe PING.EXE PID 2368 wrote to memory of 4748 2368 cmd.exe PING.EXE PID 2368 wrote to memory of 216 2368 cmd.exe schtasks.exe PID 2368 wrote to memory of 216 2368 cmd.exe schtasks.exe PID 2368 wrote to memory of 216 2368 cmd.exe schtasks.exe PID 2368 wrote to memory of 3812 2368 cmd.exe ngentask.exe PID 2368 wrote to memory of 3812 2368 cmd.exe ngentask.exe PID 2368 wrote to memory of 3812 2368 cmd.exe ngentask.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe"C:\Users\Admin\AppData\Local\Temp\6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7.exe"1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeC:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeC:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ngentask.exe.logFilesize
321B
MD5baf5d1398fdb79e947b60fe51e45397f
SHA149e7b8389f47b93509d621b8030b75e96bb577af
SHA25610c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8
SHA512b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeFilesize
85KB
MD5c6ce045ca7809169a017f73d45c21462
SHA17d2504133d8235e91c2e98355c4f223cdf500d4d
SHA25641019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6
SHA512cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeFilesize
85KB
MD5c6ce045ca7809169a017f73d45c21462
SHA17d2504133d8235e91c2e98355c4f223cdf500d4d
SHA25641019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6
SHA512cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeFilesize
85KB
MD5c6ce045ca7809169a017f73d45c21462
SHA17d2504133d8235e91c2e98355c4f223cdf500d4d
SHA25641019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6
SHA512cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205
-
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exeFilesize
85KB
MD5c6ce045ca7809169a017f73d45c21462
SHA17d2504133d8235e91c2e98355c4f223cdf500d4d
SHA25641019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6
SHA512cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205
-
memory/216-145-0x0000000000000000-mapping.dmp
-
memory/1176-142-0x0000000000000000-mapping.dmp
-
memory/2368-141-0x0000000000000000-mapping.dmp
-
memory/2704-132-0x000000000236E000-0x00000000027DA000-memory.dmpFilesize
4.4MB
-
memory/2704-135-0x000000000D530000-0x000000000D599000-memory.dmpFilesize
420KB
-
memory/2704-134-0x000000000D530000-0x000000000D599000-memory.dmpFilesize
420KB
-
memory/2704-144-0x0000000002B24000-0x0000000002C02000-memory.dmpFilesize
888KB
-
memory/2704-133-0x0000000002B24000-0x0000000002C02000-memory.dmpFilesize
888KB
-
memory/2984-137-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/2984-140-0x00000000055C0000-0x0000000005B64000-memory.dmpFilesize
5.6MB
-
memory/2984-139-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/2984-136-0x0000000000000000-mapping.dmp
-
memory/3812-146-0x0000000000000000-mapping.dmp
-
memory/3812-150-0x0000000000A50000-0x0000000000A68000-memory.dmpFilesize
96KB
-
memory/4748-143-0x0000000000000000-mapping.dmp