Analysis
-
max time kernel
150s -
max time network
195s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 13:36
Behavioral task
behavioral1
Sample
473f46db582a36a515ecfe8e5868fdb8.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
473f46db582a36a515ecfe8e5868fdb8.exe
Resource
win10v2004-20221111-en
General
-
Target
473f46db582a36a515ecfe8e5868fdb8.exe
-
Size
334KB
-
MD5
473f46db582a36a515ecfe8e5868fdb8
-
SHA1
05ce62f525777fba78008f1f173a276e64fce313
-
SHA256
e4be69c1ceba3062ec26e49016f33883b861bcbc78894eae4995f6a3491975ba
-
SHA512
118413909ac5e7b4d2b14a902617e86c96fc03297dd4700cfbb90d733462f1f5f6fcbf7575f52d839009aa4f5e00db57f8e765e1d87b2781aac957bf0b8c9ae5
-
SSDEEP
6144:z0p51/LpL/3Tud/iYQENI5K8ZnjwD9zbwg7DP:z0p51/L9fII5K8ljwh
Malware Config
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
1520409355cc42289ae5ea46b6cd828b
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
473f46db582a36a515ecfe8e5868fdb8.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 473f46db582a36a515ecfe8e5868fdb8.exe Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 473f46db582a36a515ecfe8e5868fdb8.exe Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 473f46db582a36a515ecfe8e5868fdb8.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 41 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
473f46db582a36a515ecfe8e5868fdb8.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 473f46db582a36a515ecfe8e5868fdb8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 473f46db582a36a515ecfe8e5868fdb8.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
473f46db582a36a515ecfe8e5868fdb8.exepid process 396 473f46db582a36a515ecfe8e5868fdb8.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
473f46db582a36a515ecfe8e5868fdb8.exedescription pid process Token: SeDebugPrivilege 396 473f46db582a36a515ecfe8e5868fdb8.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
473f46db582a36a515ecfe8e5868fdb8.execmd.execmd.exedescription pid process target process PID 396 wrote to memory of 8 396 473f46db582a36a515ecfe8e5868fdb8.exe cmd.exe PID 396 wrote to memory of 8 396 473f46db582a36a515ecfe8e5868fdb8.exe cmd.exe PID 8 wrote to memory of 4444 8 cmd.exe chcp.com PID 8 wrote to memory of 4444 8 cmd.exe chcp.com PID 8 wrote to memory of 4680 8 cmd.exe netsh.exe PID 8 wrote to memory of 4680 8 cmd.exe netsh.exe PID 8 wrote to memory of 4232 8 cmd.exe findstr.exe PID 8 wrote to memory of 4232 8 cmd.exe findstr.exe PID 396 wrote to memory of 3432 396 473f46db582a36a515ecfe8e5868fdb8.exe cmd.exe PID 396 wrote to memory of 3432 396 473f46db582a36a515ecfe8e5868fdb8.exe cmd.exe PID 3432 wrote to memory of 2640 3432 cmd.exe chcp.com PID 3432 wrote to memory of 2640 3432 cmd.exe chcp.com PID 3432 wrote to memory of 4672 3432 cmd.exe netsh.exe PID 3432 wrote to memory of 4672 3432 cmd.exe netsh.exe PID 3432 wrote to memory of 1140 3432 cmd.exe findstr.exe PID 3432 wrote to memory of 1140 3432 cmd.exe findstr.exe -
outlook_office_path 1 IoCs
Processes:
473f46db582a36a515ecfe8e5868fdb8.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 473f46db582a36a515ecfe8e5868fdb8.exe -
outlook_win_path 1 IoCs
Processes:
473f46db582a36a515ecfe8e5868fdb8.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 473f46db582a36a515ecfe8e5868fdb8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\473f46db582a36a515ecfe8e5868fdb8.exe"C:\Users\Admin\AppData\Local\Temp\473f46db582a36a515ecfe8e5868fdb8.exe"1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:396 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:4444
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵PID:4680
-
-
C:\Windows\system32\findstr.exefindstr All3⤵PID:4232
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key2⤵
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2640
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear3⤵PID:4672
-
-
C:\Windows\system32\findstr.exefindstr Key3⤵PID:1140
-
-