Overview

overview

10

Static

static

4cbcdf2f7b...f8.exe

windows7-x64

10

4cbcdf2f7b...f8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2022 07:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe

  • Size

    2.2MB

  • MD5

    e2ce08aa7b23795d34d4fcc960663f05

  • SHA1

    8fcc5510c9e43f5c8a12e8fa188d96f2351e64ca

  • SHA256

    4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8

  • SHA512

    bf91e0faee1fdfdcebccf2c2868c2d84b74414aa0857c147da44acdd6108ba9fe703045c1acfd52723683a9ea2cb72b38a15b4eb31bea23220897131bf496e5d

  • SSDEEP

    49152:B0mY7jteX4+g8Zi5/sTGGnd9cB1IPszdv6sX79RP1YIPTF:WmY7jtu4+g8IOV+vjRZ5PT

Score
10/10
eternity

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Attributes
  • payload_urls

    http://167.88.170.23/w99.exe

    http://ndmit.com/test/501.exe,http://ndmit.com/test/star5.exe,http://ndmit.com/test/0079.exe

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
    "C:\Users\Admin\AppData\Local\Temp\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zIjhAXoYufmHwh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1702.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:532
    • C:\Users\Admin\AppData\Local\Temp\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
      "{path}"
      2⤵
        PID:4104
      • C:\Users\Admin\AppData\Local\Temp\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
        "{path}"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4024
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4420
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:2904
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:4632
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe" /rl HIGHEST /f
              4⤵
              • Creates scheduled task(s)
              PID:1584
            • C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
              "C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe"
              4⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1844
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zIjhAXoYufmHwh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2C3.tmp"
                5⤵
                • Creates scheduled task(s)
                PID:2112
              • C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
                "{path}"
                5⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3340
      • C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
        C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
        1⤵
        • Executes dropped EXE
        PID:312

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe.log
        Filesize

        1KB

        MD5

        84e77a587d94307c0ac1357eb4d3d46f

        SHA1

        83cc900f9401f43d181207d64c5adba7a85edc1e

        SHA256

        e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

        SHA512

        aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
        Filesize

        2.2MB

        MD5

        e2ce08aa7b23795d34d4fcc960663f05

        SHA1

        8fcc5510c9e43f5c8a12e8fa188d96f2351e64ca

        SHA256

        4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8

        SHA512

        bf91e0faee1fdfdcebccf2c2868c2d84b74414aa0857c147da44acdd6108ba9fe703045c1acfd52723683a9ea2cb72b38a15b4eb31bea23220897131bf496e5d

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
        Filesize

        2.2MB

        MD5

        e2ce08aa7b23795d34d4fcc960663f05

        SHA1

        8fcc5510c9e43f5c8a12e8fa188d96f2351e64ca

        SHA256

        4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8

        SHA512

        bf91e0faee1fdfdcebccf2c2868c2d84b74414aa0857c147da44acdd6108ba9fe703045c1acfd52723683a9ea2cb72b38a15b4eb31bea23220897131bf496e5d

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
        Filesize

        2.2MB

        MD5

        e2ce08aa7b23795d34d4fcc960663f05

        SHA1

        8fcc5510c9e43f5c8a12e8fa188d96f2351e64ca

        SHA256

        4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8

        SHA512

        bf91e0faee1fdfdcebccf2c2868c2d84b74414aa0857c147da44acdd6108ba9fe703045c1acfd52723683a9ea2cb72b38a15b4eb31bea23220897131bf496e5d

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8.exe
        Filesize

        2.2MB

        MD5

        e2ce08aa7b23795d34d4fcc960663f05

        SHA1

        8fcc5510c9e43f5c8a12e8fa188d96f2351e64ca

        SHA256

        4cbcdf2f7b00b024c5e2a59bc4f41a4c8631c6459e1afa0a83f2b261fa74def8

        SHA512

        bf91e0faee1fdfdcebccf2c2868c2d84b74414aa0857c147da44acdd6108ba9fe703045c1acfd52723683a9ea2cb72b38a15b4eb31bea23220897131bf496e5d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp1702.tmp
        Filesize

        1KB

        MD5

        af26ae44ab722dbde38917efb46bdcd1

        SHA1

        e0d6e8ee3b7dd530cb8e7839d7bf33583ea24155

        SHA256

        65534738b166d54c1016a58a2ced6dc93c1404cf9b812e1d2f47198f251b3c91

        SHA512

        b65495ce9a11c82c181351241d6c74c3f2d12dfeacfece0e82136c31b39cac8736b021f9c830acef45e3c2a931cba0ebf62e4fb640491a1af38e22cd1e183b99

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpC2C3.tmp
        Filesize

        1KB

        MD5

        af26ae44ab722dbde38917efb46bdcd1

        SHA1

        e0d6e8ee3b7dd530cb8e7839d7bf33583ea24155

        SHA256

        65534738b166d54c1016a58a2ced6dc93c1404cf9b812e1d2f47198f251b3c91

        SHA512

        b65495ce9a11c82c181351241d6c74c3f2d12dfeacfece0e82136c31b39cac8736b021f9c830acef45e3c2a931cba0ebf62e4fb640491a1af38e22cd1e183b99

        Download Submit
      • memory/532-137-0x0000000000000000-mapping.dmp
        Download
      • memory/1584-146-0x0000000000000000-mapping.dmp
        Download
      • memory/1844-147-0x0000000000000000-mapping.dmp
        Download
      • memory/2112-150-0x0000000000000000-mapping.dmp
        Download
      • memory/2904-144-0x0000000000000000-mapping.dmp
        Download
      • memory/3340-152-0x0000000000000000-mapping.dmp
        Download
      • memory/3340-156-0x0000000006A40000-0x0000000006A90000-memory.dmp
        Filesize

        320KB

        Download
      • memory/4024-141-0x0000000000400000-0x0000000000552000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/4024-140-0x0000000000000000-mapping.dmp
        Download
      • memory/4104-139-0x0000000000000000-mapping.dmp
        Download
      • memory/4420-143-0x0000000000000000-mapping.dmp
        Download
      • memory/4632-145-0x0000000000000000-mapping.dmp
        Download
      • memory/5076-136-0x0000000004ED0000-0x0000000004EDA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/5076-132-0x0000000000250000-0x0000000000484000-memory.dmp
        Filesize

        2.2MB

        Download
      • memory/5076-135-0x0000000004F70000-0x000000000500C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/5076-134-0x0000000004E30000-0x0000000004EC2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/5076-133-0x0000000005340000-0x00000000058E4000-memory.dmp
        Filesize

        5.6MB

        Download