Analysis
max time kernel: 152s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 07:21
Behavioral task behavioral1
Sample: 219c1d87426d8ed8b3e62176d1291f80.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 219c1d87426d8ed8b3e62176d1291f80.exe
Resource: win10v2004-20220812-en
The analysis below is behavioral1, the windows7_x64 run.
General
Target: 219c1d87426d8ed8b3e62176d1291f80.exe
Size: 8.9MB
MD5: 219c1d87426d8ed8b3e62176d1291f80
SHA1: 105af4d6ca9510c99657145ff0ebf4db71238a32
SHA256: 67014237713d167e0676ed58d8aa095cbfef04cbc834c0dc512fd5c3df6285ea
SHA512: 0bcfb390bd234bd313ea4335faae2011e297f7d9012b14457a011c883b171b99c08e8c43a6f4502ea260a2138521c006e0e78365cbcfb74cb7a417e8e9b56dd6
SSDEEP: 196608:FquoUUOSW7GeGIr1reEs+sqgwC1UODDjai0fyxrAWk:00EkbGIrZbbsPUODZY
Malware Config
Extracted: eternity
C2 onion address: http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
payload_urls:
http://167.88.170.23/w993.exe
http://167.88.170.23/s101.exe
http://167.88.170.23/101.exe
http://167.88.170.23/R101.exe
Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
Executes dropped EXE (6 IoCs)
pid   process
1520  Catalogo2019.exe
664   Catalogo2019.exe
1272  Catalogo2019.exe
1116  Catalogo2019.exe
1672  Catalogo2019.exe
1644  Catalogo2019.exe
Loads dropped DLL (3 IoCs)
pid   process
1256  219c1d87426d8ed8b3e62176d1291f80.exe
1520  Catalogo2019.exe
908   cmd.exe
Suspicious use of SetThreadContext (3 IoCs)
pid   process           target pid  target process
1520  Catalogo2019.exe  664         Catalogo2019.exe
1272  Catalogo2019.exe  1116        Catalogo2019.exe
1672  Catalogo2019.exe  1644        Catalogo2019.exe
Each Catalogo2019.exe instance starts a second copy of its own image, writes into it (see WriteProcessMemory below) and then resets the child's thread context. The three children (664, 1116, 1644) each have a mapping dump at 0x54C73E inside a 0x400000-0x552000 (1.3MB) image region, and the parent 1520 holds a 1.3MB region of the same size (0xBC10000-0xBD62000). This is the process-hollowing (RunPE) pattern: the on-disk Catalogo2019.exe is a loader, the payload is staged in the parent and runs only inside the hollowed child, so the dropped file's hashes describe the loader, not the payload.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; it is a generic heuristic, and nothing else in this report shows file encryption.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Catalogo2019" runs C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe every minute (/sc MINUTE with no /mo) at the highest run level (/rl HIGHEST); see the cmd.exe command line in the process tree.
Runs ping.exe (1 TTPs, 1 IoCs)
ping 127.0.0.1 is used as a short delay before the schtasks, DEL and START steps of the cmd.exe chain, not for network discovery.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
pid   process           token
1116  Catalogo2019.exe  SeDebugPrivilege
1116 is the hollowed child of 1272, so it is the payload, not the loader, that requests SeDebugPrivilege.
Suspicious use of SetWindowsHookEx (4 IoCs)
pid   process       calls
1560  AcroRd32.exe  4
AcroRd32.exe was launched by the dropper to display the decoy Catalogo2019.pdf; hooks installed by Adobe Reader itself are expected and this entry is not payload behaviour.
Suspicious use of WriteProcessMemory (59 IoCs)
pid   process                               target pid  target process    calls
1256  219c1d87426d8ed8b3e62176d1291f80.exe  1560        AcroRd32.exe      4
1256  219c1d87426d8ed8b3e62176d1291f80.exe  1520        Catalogo2019.exe  4
1520  Catalogo2019.exe                      664         Catalogo2019.exe  9
664   Catalogo2019.exe                      908         cmd.exe           4
908   cmd.exe                               1288        chcp.com          4
908   cmd.exe                               1884        PING.EXE          4
908   cmd.exe                               1668        schtasks.exe      4
908   cmd.exe                               1272        Catalogo2019.exe  4
1272  Catalogo2019.exe                      1116        Catalogo2019.exe  9
1732  taskeng.exe                           1672        Catalogo2019.exe  4
1672  Catalogo2019.exe                      1644        Catalogo2019.exe  9
The report records each call separately; they are grouped here by parent/child pair. Every ordinary process creation in this report shows four write records for the new child, so the four-call rows are plain spawns. Only the three same-image pairs that also appear under SetThreadContext carry the extra writes of a hollowed payload.
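An added example, not part of this report or of the sandbox's tooling: it parses records in the shape the WriteProcessMemory and SetThreadContext tables above use (a constructed subset of the rows is embedded) and flags parent/child pairs that share an image and received both memory writes and a thread-context reset. Counting writes alone is not enough, since every spawn in this report produces write records; the same-image plus SetThreadContext combination is the signal. Function names and the sample are the example's own.

```python
import re
from collections import defaultdict

# Record shape used by the WriteProcessMemory / SetThreadContext tables in this
# report: "PID <src> <op> <dst> <src> <src image> <dst image>".
RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed sample: a subset of the rows in this report, one line per call.
SAMPLE = """\
PID 1256 wrote to memory of 1560 1256 219c1d87426d8ed8b3e62176d1291f80.exe AcroRd32.exe
PID 1256 wrote to memory of 1520 1256 219c1d87426d8ed8b3e62176d1291f80.exe Catalogo2019.exe
PID 1520 wrote to memory of 664 1520 Catalogo2019.exe Catalogo2019.exe
PID 1520 wrote to memory of 664 1520 Catalogo2019.exe Catalogo2019.exe
PID 1520 set thread context of 664 1520 Catalogo2019.exe Catalogo2019.exe
PID 664 wrote to memory of 908 664 Catalogo2019.exe cmd.exe
PID 908 wrote to memory of 1668 908 cmd.exe schtasks.exe
PID 1272 wrote to memory of 1116 1272 Catalogo2019.exe Catalogo2019.exe
PID 1272 set thread context of 1116 1272 Catalogo2019.exe Catalogo2019.exe
"""

WRITE = "wrote to memory of"
SET_CTX = "set thread context of"


def parse_records(text):
    """Return (src_pid, op, dst_pid, src_image, dst_image) tuples; skip other lines."""
    events = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events.append((int(m["src"]), m["op"], int(m["dst"]),
                           m["src_img"], m["dst_img"]))
    return events


def write_counts(events):
    """Number of WriteProcessMemory records per (src_pid, dst_pid) pair."""
    counts = defaultdict(int)
    for src, op, dst, _, _ in events:
        if op == WRITE:
            counts[(src, dst)] += 1
    return dict(counts)


def find_hollowing(events):
    """Pairs where the parent wrote into a child running the same image and
    also reset its thread context: the process-hollowing (RunPE) signature."""
    ops = defaultdict(set)
    images = {}
    for src, op, dst, src_img, dst_img in events:
        ops[(src, dst)].add(op)
        images[(src, dst)] = (src_img, dst_img)
    hits = []
    for (src, dst), seen in ops.items():
        src_img, dst_img = images[(src, dst)]
        if WRITE in seen and SET_CTX in seen and src_img.lower() == dst_img.lower():
            hits.append((src, dst, dst_img))
    return sorted(hits)


def injection_chain(events, root):
    """Depth-first walk over write/context edges from `root`, listing every
    process it reached directly or through a process it wrote into."""
    children = defaultdict(list)
    for src, _, dst, _, _ in events:
        if dst not in children[src]:
            children[src].append(dst)
    seen, order, stack = set(), [], [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(children[pid]))
    return order


if __name__ == "__main__":
    evs = parse_records(SAMPLE)
    counts = write_counts(evs)
    for src, dst, image in find_hollowing(evs):
        print(f"hollowing: {src} -> {dst} ({image}), {counts[(src, dst)]} write(s)")
    print("reach from 1256:", injection_chain(evs, 1256))
```

Run against the full table above, the hollowed pairs stand out further by write count (nine records each against four for every plain spawn); the chain walk shows that cmd.exe and schtasks.exe descend from the hollowed child 664, not from the loader.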
Processes
C:\Users\Admin\AppData\Local\Temp\219c1d87426d8ed8b3e62176d1291f80.exe (level 1)
  "C:\Users\Admin\AppData\Local\Temp\219c1d87426d8ed8b3e62176d1291f80.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (level 2)
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.pdf"
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe (level 2)
    "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe (level 3)
      "{path}"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (level 4)
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Catalogo2019" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com (level 5)
          chcp 65001
        C:\Windows\SysWOW64\PING.EXE (level 5)
          ping 127.0.0.1
          - Runs ping.exe
        C:\Windows\SysWOW64\schtasks.exe (level 5)
          schtasks /create /tn "Catalogo2019" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
        C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe (level 5)
          "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe (level 6)
            "{path}"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskeng.exe (level 1)
  taskeng.exe {DD0ADCAD-7C08-4CA5-ACE5-320C28838611} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe (level 2)
    C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe (level 3)
      "{path}"
      - Executes dropped EXE

Reading the tree: the dropper opens the decoy Catalogo2019.pdf in Adobe Reader and runs the Catalogo2019.exe loader from Temp; the loader hollows a copy of itself; the hollowed payload then uses cmd.exe to wait (ping 127.0.0.1), register a per-minute scheduled task with the highest run level, delete the Temp copy and start the copy in AppData\Local\ServiceHub, which hollows itself again. The second level-1 tree, under taskeng.exe, is that task firing and repeating the same hollowing. Two recorded details matter for detection: the hollowed child's command line is the literal string "{path}", and cmd.exe's image path is SysWOW64 although its command line names System32, because the 32-bit loader's path is redirected by WoW64, so rules keyed on the image path should accept either location.
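An added example, not part of this report or of the sandbox's tooling: it runs a few detection rules for the persistence chain recorded above over constructed process-creation events. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the cmd.exe and schtasks.exe records reproduce the command lines from the tree, the benign control record and the rule names are the example's own. Matching is done on Image rather than on the path inside the command line, which is why the WoW64 cmd.exe still matches.

```python
import re

# Constructed sample events. The first two copy the cmd.exe and schtasks.exe
# records from the process tree in this report; the third is a benign control
# (an admin creating a daily task that runs a program under Program Files).
EVENTS = [
    {
        "ProcessId": 908,
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe",
        "CommandLine": (
            r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
            r'schtasks /create /tn "Catalogo2019" /sc MINUTE '
            r'/tr "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe" /rl HIGHEST /f && '
            r'DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe" '
            r'&&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe"'
        ),
    },
    {
        "ProcessId": 1668,
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": (
            r'schtasks /create /tn "Catalogo2019" /sc MINUTE '
            r'/tr "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe" /rl HIGHEST /f'
        ),
    },
    {   # benign control, constructed
        "ProcessId": 4242,
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"',
    },
]

# Locations an unprivileged user can write to; a task target or a task-creating
# parent living here is the interesting case.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|ProgramData|Temp)\\", re.I)
# /tr "quoted path" or /tr bare-path
TASK_TARGET = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
# ping against loopback used as a sleep
SLEEP_PING = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b", re.I)


def task_target(cmd):
    """Program a schtasks /create command line will run, or None."""
    m = TASK_TARGET.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def check_schtasks(ev):
    """Rules for a schtasks.exe process-creation event."""
    cmd = ev["CommandLine"]
    hits = []
    if not ev["Image"].lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
        return hits
    if USER_WRITABLE.search(task_target(cmd) or ""):
        hits.append("task_runs_from_user_writable_path")
    # /sc MINUTE without /mo means the task fires every minute
    if re.search(r"/sc\s+minute\b", cmd, re.I) and not re.search(r"/mo\s+\d+", cmd, re.I):
        hits.append("task_every_minute")
    if re.search(r"/rl\s+highest\b", cmd, re.I):
        hits.append("task_highest_run_level")
    return hits


def check_cmd_chain(ev):
    """Rules for a cmd.exe event: sleep, persist, delete the original, relaunch."""
    cmd = ev["CommandLine"]
    low = cmd.lower()
    hits = []
    if not ev["Image"].lower().endswith("cmd.exe"):
        return hits
    creates_task = "schtasks" in low and "/create" in low
    if (SLEEP_PING.search(cmd) and creates_task
            and re.search(r"\bdel\b", low) and re.search(r"\bstart\b", low)):
        hits.append("ping_delay_schtasks_selfdelete_relocate")
    if creates_task and USER_WRITABLE.search(ev["ParentImage"]):
        hits.append("task_created_from_user_writable_path")
    return hits


def scan(events):
    """Map ProcessId -> list of rule names that fired."""
    findings = {}
    for ev in events:
        hits = check_schtasks(ev) + check_cmd_chain(ev)
        if hits:
            findings[ev["ProcessId"]] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, ", ".join(rules))
```

The control record fires nothing: its target is under Program Files, it runs daily and it asks for no run level. The cmd.exe record matches on the chain as a whole, so a loader that splits the steps across several cmd.exe invocations would only hit the parent-path rule; the schtasks.exe record is the more robust pivot because the task target and schedule are visible regardless of how the command was assembled.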
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The 8.9MB sample is a dropper: it writes the 6.9MB decoy Catalogo2019.pdf and the 1.8MB Catalogo2019.exe loader to Temp, and a copy of the loader is placed in AppData\Local\ServiceHub before the cmd.exe chain starts it. Every Catalogo2019.exe entry below has identical content.

C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe (5 identical entries)
Filesize: 1.8MB
MD5: 68d348019229f619929995cf7f7dfa4d
SHA1: 9e2f888c42d51f91c900bec478e703fe145e1a54
SHA256: 6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077
SHA512: 31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe (3 identical entries)
Filesize: 1.8MB
MD5: 68d348019229f619929995cf7f7dfa4d
SHA1: 9e2f888c42d51f91c900bec478e703fe145e1a54
SHA256: 6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077
SHA512: 31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

C:\Users\Admin\AppData\Local\Temp\Catalogo2019.pdf
Filesize: 6.9MB
MD5: 860c783b07be69a39bcc9ffd3037c26e
SHA1: aecdf16bd194f061a9a61e43e6572e5cc207721c
SHA256: cc61f690953749f79783f8001b7e450709e74d54a13857806bc4bda1603bcb4e
SHA512: f01840127856ae37167de832b67d8361452365d452c58a753a4f9c1692dde44f1b1c6d2f1083e3e9999fc4642e03a08bf6e5c3ade2b3e3a3cf21ca4996b6e3a8

\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
Filesize: 1.8MB
MD5: 68d348019229f619929995cf7f7dfa4d
SHA1: 9e2f888c42d51f91c900bec478e703fe145e1a54
SHA256: 6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077
SHA512: 31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

\Users\Admin\AppData\Local\Temp\Catalogo2019.exe (2 identical entries)
Filesize: 1.8MB
MD5: 68d348019229f619929995cf7f7dfa4d
SHA1: 9e2f888c42d51f91c900bec478e703fe145e1a54
SHA256: 6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077
SHA512: 31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6
memory/664-75-0x000000000054C73E-mapping.dmp
memory/664-80-0x0000000000400000-0x0000000000552000-memory.dmp  1.3MB
memory/664-70-0x0000000000400000-0x0000000000552000-memory.dmp  1.3MB
memory/664-72-0x0000000000400000-0x0000000000552000-memory.dmp  1.3MB
memory/664-74-0x0000000000400000-0x0000000000552000-memory.dmp  1.3MB
memory/664-73-0x0000000000400000-0x0000000000552000-memory.dmp  1.3MB
memory/664-78-0x0000000000400000-0x0000000000552000-memory.dmp  1.3MB
memory/664-69-0x0000000000400000-0x0000000000552000-memory.dmp  1.3MB
memory/908-82-0x0000000000000000-mapping.dmp
memory/1116-98-0x000000000054C73E-mapping.dmp
memory/1116-101-0x0000000000400000-0x0000000000552000-memory.dmp  1.3MB
memory/1116-103-0x0000000000400000-0x0000000000552000-memory.dmp  1.3MB
memory/1256-54-0x00000000002C0000-0x0000000000BB0000-memory.dmp  8.9MB
memory/1256-55-0x0000000075C61000-0x0000000075C63000-memory.dmp  8KB
memory/1272-90-0x0000000000AA0000-0x0000000000C7E000-memory.dmp  1.9MB
memory/1272-88-0x0000000000000000-mapping.dmp
memory/1288-83-0x0000000000000000-mapping.dmp
memory/1520-67-0x000000000BC10000-0x000000000BD62000-memory.dmp  1.3MB
memory/1520-62-0x0000000000B00000-0x0000000000CDE000-memory.dmp  1.9MB
memory/1520-65-0x0000000000550000-0x0000000000562000-memory.dmp  72KB
memory/1520-66-0x0000000008370000-0x0000000008514000-memory.dmp  1.6MB
memory/1520-59-0x0000000000000000-mapping.dmp
memory/1560-56-0x0000000000000000-mapping.dmp
memory/1644-114-0x000000000054C73E-mapping.dmp
memory/1668-85-0x0000000000000000-mapping.dmp
memory/1672-105-0x0000000000000000-mapping.dmp
memory/1884-84-0x0000000000000000-mapping.dmp