Analysis
- max time kernel: 98s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 20:47
Behavioral task: behavioral1
- Sample: Worm.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Worm.exe
- Resource: win10v2004-20220901-en
General
- Target: Worm.exe
- Size: 1.3MB
- MD5: d16f7b6510caf611ce85f0488ae0a65d
- SHA1: e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d
- SHA256: df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf
- SHA512: 7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53
- SSDEEP: 24576:fgEdnkH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:fgEuHZ5MMpoJOp+MIVai7Tq24GjdGS
Malware Config
Extracted
- eternity
- http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
- payload_urls:
  http://140.82.34.147/Client.exe
  http://140.82.34.147/Client.exe
Signatures
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes: pid 2380 Worm.exe; pid 4504 Worm.exe; pid 672 Worm.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Worm.exe - key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 2380 Worm.exe - Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source pid/process -> target pid/process; each write appears three times in the original list):
    3440 Worm.exe -> 1780 cmd.exe
    1780 cmd.exe -> 5088 chcp.com
    1780 cmd.exe -> 2460 PING.EXE
    1780 cmd.exe -> 2104 schtasks.exe
    1780 cmd.exe -> 2380 Worm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Worm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Worm.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Worm" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Worm.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn "Worm" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
      Command line: "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
  Command line: C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
  Command line: C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Worm.exe.log
  Filesize: 321B
  MD5: 08027eeee0542c93662aef98d70095e4
  SHA1: 42402c02bf4763fcd6fb0650fc13386f2eae8f9b
  SHA256: 1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d
  SHA512: c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979
- C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
  Filesize: 1.3MB
  MD5: d16f7b6510caf611ce85f0488ae0a65d
  SHA1: e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d
  SHA256: df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf
  SHA512: 7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53
- memory/1780-134-0x0000000000000000-mapping.dmp
- memory/2104-137-0x0000000000000000-mapping.dmp
- memory/2380-138-0x0000000000000000-mapping.dmp
- memory/2380-142-0x0000000006760000-0x00000000067B0000-memory.dmp (Filesize: 320KB)
- memory/2380-143-0x0000000006D60000-0x0000000006DF2000-memory.dmp (Filesize: 584KB)
- memory/2460-136-0x0000000000000000-mapping.dmp
- memory/3440-132-0x0000000000430000-0x0000000000582000-memory.dmp (Filesize: 1.3MB)
- memory/3440-133-0x0000000005410000-0x00000000059B4000-memory.dmp (Filesize: 5.6MB)
- memory/5088-135-0x0000000000000000-mapping.dmp