Analysis
-
max time kernel
155s -
max time network
92s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
25-11-2022 20:47
Behavioral task
behavioral1
Sample
Worm.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Worm.exe
Resource
win10v2004-20220901-en
General
-
Target
Worm.exe
-
Size
1.3MB
-
MD5
d16f7b6510caf611ce85f0488ae0a65d
-
SHA1
e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d
-
SHA256
df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf
-
SHA512
7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53
-
SSDEEP
24576:fgEdnkH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:fgEuHZ5MMpoJOp+MIVai7Tq24GjdGS
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
-
payload_urls
http://140.82.34.147/Client.exe
http://140.82.34.147/Client.exe
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
916   Worm.exe
1504  Worm.exe
568   Worm.exe
-
Deletes itself 1 IoCs
Processes:
pid   process
1472  cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
1472  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  916   Worm.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
pid   process      target pid  target process  writes
1944  Worm.exe     1472        cmd.exe         4
1472  cmd.exe      1064        chcp.com        4
1472  cmd.exe      940         PING.EXE        4
1472  cmd.exe      1232        schtasks.exe    4
1472  cmd.exe      916         Worm.exe        4
2004  taskeng.exe  1504        Worm.exe        4
2004  taskeng.exe  568         Worm.exe        4
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\Worm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Worm.exe"
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Worm" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Worm.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe"
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
    Depth 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn "Worm" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    Depth 3: C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
      Command line: "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Depth 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {A5709E92-DE72-41C2-948F-53A06096F875} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
    Command line: C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
    - Executes dropped EXE
  Depth 2: C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
    Command line: C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
    - Executes dropped EXE
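The cmd.exe command line in the process tree above is the whole persistence story of this sample: a code-page switch, a loopback ping used as a sleep, a scheduled task that re-runs the relocated copy every minute with the highest run level, deletion of the original file, and an immediate start of the copy (the "Creates scheduled task(s)" and "Deletes itself" signatures are two views of the same chain). The following is an added example, not part of the sandbox report and not Eternity's own code: it parses process-creation events shaped loosely like Sysmon Event ID 1 and flags that chain. The events are hand-built from the command lines on this page (the parent pid 1000 and the benign "Backup" control task are invented), and the rule thresholds are this editor's choices, not the sandbox's signatures.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (field names loosely follow Sysmon Event
# ID 1). pids, images and command lines are copied from the process tree in this
# report; the parent pid 1000 and the final "Backup" event are invented controls.
EVENTS = [
    {"pid": 1944, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Worm.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Worm.exe"'},
    {"pid": 1472, "ppid": 1944, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
                r'schtasks /create /tn "Worm" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe" /rl HIGHEST /f && '
                r'DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Worm.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe"'},
    {"pid": 1232, "ppid": 1472, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Worm" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe" /rl HIGHEST /f'},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'},
]

# A task action under a user profile is writable without admin rights.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# schtasks switches that take a value (switches like /f do not).
VALUED_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/mo", "/ru", "/st"}


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted strings" whole
    and dropping their quotes (sufficient for the command lines in this report)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks_create(cmdline):
    """Return the valued switches of a `schtasks /create` command as a dict, or None."""
    toks = tokenize(cmdline)
    if not toks or basename(toks[0]) not in ("schtasks", "schtasks.exe"):
        return None
    if "/create" not in (t.lower() for t in toks):
        return None
    return {t.lower(): toks[i + 1] for i, t in enumerate(toks)
            if t.lower() in VALUED_SWITCHES and i + 1 < len(toks)}


def split_cmd_chain(cmdline):
    """Return the sub-commands of a `cmd.exe /C a && b && c` line ([] otherwise).
    The report's '&&START' shows that no whitespace is required around '&&'."""
    m = re.match(r'^(?:"[^"]*"|\S+)\s+/[ckCK]\s+(.*)$', cmdline)
    if not m:
        return []
    return [c for c in re.split(r"\s*&&\s*", m.group(1)) if c]


def analyze(events):
    """Apply the rules to every event and return the findings in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        if image == "schtasks.exe":
            sw = parse_schtasks_create(e["cmdline"]) or {}
            frequent = sw.get("/sc", "").upper() == "MINUTE"
            elevated = sw.get("/rl", "").upper() == "HIGHEST"
            if USER_WRITABLE.match(sw.get("/tr", "")) and (frequent or elevated):
                findings.append(Finding(e["pid"], "schtasks_persistence",
                    f'task {sw.get("/tn")!r} runs {sw.get("/tr")} (/sc {sw.get("/sc")}, /rl {sw.get("/rl")})'))
        elif image == "cmd.exe":
            parent = by_pid.get(e["ppid"])
            verbs, task_target = [], None
            for raw in split_cmd_chain(e["cmdline"]):
                toks = tokenize(raw)
                if not toks:
                    continue
                verb = toks[0].lower()
                verbs.append(verb)
                args = [t.lower() for t in toks[1:] if not t.startswith("/")]
                if verb == "schtasks":
                    task_target = (parse_schtasks_create(raw) or {}).get("/tr", "").lower()
                elif verb == "del" and parent and parent["image"].lower() in args:
                    findings.append(Finding(e["pid"], "self_delete",
                                            f"deletes parent image {parent['image']}"))
                elif verb == "start" and task_target and task_target in args:
                    findings.append(Finding(e["pid"], "relaunch_from_task_path",
                                            f"starts {task_target} right after scheduling it"))
            if "ping" in verbs and "del" in verbs:
                findings.append(Finding(e["pid"], "ping_delay_before_delete",
                                        "ping used as a sleep so the original file can be deleted"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Run against the constructed events, the cmd.exe process (pid 1472) trips self_delete, relaunch_from_task_path and ping_delay_before_delete, the schtasks.exe child (pid 1232) trips schtasks_persistence, and the daily "Backup" task under Program Files is not flagged. The same rules apply unchanged to Sysmon Event ID 1 or Security 4688 records (the latter only with command-line auditing enabled); note that the rules key on the `/tr` path and the `&&` chain, not on the task name "Worm", since the name is trivially changed between builds.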
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe (the report lists this dropped file four times with identical hashes, plus once as \Users\Admin\AppData\Local\ServiceHub\Worm.exe without the drive letter; the hashes are those of the submitted sample, i.e. the dropped file is a straight copy)
Filesize 1.3MB
MD5 d16f7b6510caf611ce85f0488ae0a65d
SHA1 e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d
SHA256 df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf
SHA512 7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53
-
memory/568-76-0x00000000012F0000-0x0000000001442000-memory.dmp
Filesize 1.3MB
-
memory/568-74-0x0000000000000000-mapping.dmp
-
memory/916-64-0x0000000000B40000-0x0000000000C92000-memory.dmp
Filesize 1.3MB
-
memory/916-69-0x0000000005940000-0x00000000059BA000-memory.dmp
Filesize 488KB
-
memory/916-62-0x0000000000000000-mapping.dmp
-
memory/916-68-0x00000000002F0000-0x000000000030A000-memory.dmp
Filesize 104KB
-
memory/916-66-0x0000000005D20000-0x0000000005E6A000-memory.dmp
Filesize 1.3MB
-
memory/916-67-0x0000000005E70000-0x0000000005F92000-memory.dmp
Filesize 1.1MB
-
memory/940-58-0x0000000000000000-mapping.dmp
-
memory/1064-57-0x0000000000000000-mapping.dmp
-
memory/1232-59-0x0000000000000000-mapping.dmp
-
memory/1472-56-0x0000000000000000-mapping.dmp
-
memory/1504-70-0x0000000000000000-mapping.dmp
-
memory/1504-72-0x00000000012F0000-0x0000000001442000-memory.dmp
Filesize 1.3MB
-
memory/1944-54-0x0000000001250000-0x00000000013A2000-memory.dmp
Filesize 1.3MB
-
memory/1944-55-0x0000000075451000-0x0000000075453000-memory.dmp
Filesize 8KB