Overview

overview

10

Static

static

aa0fcd6a-7...fe.exe

windows7-x64

9

aa0fcd6a-7...fe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

  • Size

    3.3MB

  • MD5

    cc5fcae70f636b3ffa04811e2a6153f7

  • SHA1

    3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f

  • SHA256

    01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

  • SHA512

    c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b

  • SSDEEP

    98304:hHmVzuboSz63u94iSa7e1zLTdiVOiZMR+MJbZ5d:hH86qu94J1nTdiVOyMJbvd

Score
10/10
eternityevasion

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes
  • payload_urls

    http://167.88.170.23/w993.exe

    http://167.88.170.23/s101.exe,http://167.88.170.23/101.exe,http://167.88.170.23/R101.exe

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 3 IoCs
    evasion
  • Executes dropped EXE 8 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 3 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
    "C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xeDloyk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A1F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1500
    • C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        "{path}"
        3⤵
          PID:4428
        • C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
          "{path}"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1820
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe" /rl HIGHEST /f
              5⤵
              • Creates scheduled task(s)
              PID:4004
            • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
              "C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe"
              5⤵
              • Looks for VirtualBox Guest Additions in registry
              • Executes dropped EXE
              • Looks for VMWare Tools registry key
              • Checks BIOS information in registry
              • Checks computer location settings
              • Maps connected drives based on registry
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4584
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xeDloyk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC20.tmp"
                6⤵
                • Creates scheduled task(s)
                PID:3660
              • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
                "{path}"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2564
                • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
                  "{path}"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4320
    • C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      1⤵
      • Runs ping.exe
      PID:2340
    • C:\Windows\SysWOW64\chcp.com
      chcp 65001
      1⤵
        PID:1372
      • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        1⤵
        • Looks for VirtualBox Guest Additions in registry
        • Executes dropped EXE
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Checks computer location settings
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xeDloyk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp"
          2⤵
          • Creates scheduled task(s)
          PID:1256
        • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
          "{path}"
          2⤵
          • Executes dropped EXE
          PID:1420
        • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
          "{path}"
          2⤵
          • Executes dropped EXE
          PID:3880
        • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
          "{path}"
          2⤵
          • Executes dropped EXE
          PID:4060
        • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
          "{path}"
          2⤵
          • Executes dropped EXE
          PID:400

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Query Registry

      5
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      4
      T1082

      Peripheral Device Discovery

      1
      T1120

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe.log
        Filesize

        1KB

        MD5

        e02c831fc167791250b65592ebfd1267

        SHA1

        bb0155a7ed8e1319a6a42827c10491b385c94891

        SHA256

        0a8a7bba9b1ddfe528a6b26693c07562ced53302f333069bdcda1702125da2b3

        SHA512

        021061bc4027ed87110eba0f0c2651d2cc4e4c34001cf6e257bd271c9a023c7f7857c5ac4813b83095f80ce93079cfc830981a1f677e24727afc2adf50e10133

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        Filesize

        3.3MB

        MD5

        cc5fcae70f636b3ffa04811e2a6153f7

        SHA1

        3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f

        SHA256

        01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

        SHA512

        c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        Filesize

        3.3MB

        MD5

        cc5fcae70f636b3ffa04811e2a6153f7

        SHA1

        3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f

        SHA256

        01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

        SHA512

        c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        Filesize

        3.3MB

        MD5

        cc5fcae70f636b3ffa04811e2a6153f7

        SHA1

        3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f

        SHA256

        01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

        SHA512

        c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        Filesize

        3.3MB

        MD5

        cc5fcae70f636b3ffa04811e2a6153f7

        SHA1

        3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f

        SHA256

        01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

        SHA512

        c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        Filesize

        3.3MB

        MD5

        cc5fcae70f636b3ffa04811e2a6153f7

        SHA1

        3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f

        SHA256

        01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

        SHA512

        c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        Filesize

        3.3MB

        MD5

        cc5fcae70f636b3ffa04811e2a6153f7

        SHA1

        3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f

        SHA256

        01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

        SHA512

        c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        Filesize

        3.3MB

        MD5

        cc5fcae70f636b3ffa04811e2a6153f7

        SHA1

        3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f

        SHA256

        01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

        SHA512

        c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        Filesize

        3.3MB

        MD5

        cc5fcae70f636b3ffa04811e2a6153f7

        SHA1

        3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f

        SHA256

        01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

        SHA512

        c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b

        Download Submit
      • C:\Users\Admin\AppData\Local\ServiceHub\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
        Filesize

        3.3MB

        MD5

        cc5fcae70f636b3ffa04811e2a6153f7

        SHA1

        3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f

        SHA256

        01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

        SHA512

        c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp1A1F.tmp
        Filesize

        1KB

        MD5

        04f5c44163b281c7be6d12722296435c

        SHA1

        b2e418f82f27c845069e905f9a3d11d350dded27

        SHA256

        6f01afedc85a51c874f10096bf0b478aaa2865656b01b59a6a9a1c316ad8ae67

        SHA512

        ec42bbc09572027bb32ed331dbc652a00fa6eb86dd8f3dd19550ef7ff06bf15e997aa6959f6c910b1d0d2a6c10672fe9f35799808c05be86477b64d18adf385c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp
        Filesize

        1KB

        MD5

        04f5c44163b281c7be6d12722296435c

        SHA1

        b2e418f82f27c845069e905f9a3d11d350dded27

        SHA256

        6f01afedc85a51c874f10096bf0b478aaa2865656b01b59a6a9a1c316ad8ae67

        SHA512

        ec42bbc09572027bb32ed331dbc652a00fa6eb86dd8f3dd19550ef7ff06bf15e997aa6959f6c910b1d0d2a6c10672fe9f35799808c05be86477b64d18adf385c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpC20.tmp
        Filesize

        1KB

        MD5

        04f5c44163b281c7be6d12722296435c

        SHA1

        b2e418f82f27c845069e905f9a3d11d350dded27

        SHA256

        6f01afedc85a51c874f10096bf0b478aaa2865656b01b59a6a9a1c316ad8ae67

        SHA512

        ec42bbc09572027bb32ed331dbc652a00fa6eb86dd8f3dd19550ef7ff06bf15e997aa6959f6c910b1d0d2a6c10672fe9f35799808c05be86477b64d18adf385c

        Download Submit
      • memory/400-170-0x0000000000000000-mapping.dmp
        Download
      • memory/1256-162-0x0000000000000000-mapping.dmp
        Download
      • memory/1372-147-0x0000000000000000-mapping.dmp
        Download
      • memory/1420-164-0x0000000000000000-mapping.dmp
        Download
      • memory/1500-138-0x0000000000000000-mapping.dmp
        Download
      • memory/1820-143-0x0000000000000000-mapping.dmp
        Download
      • memory/1820-144-0x0000000000400000-0x0000000000552000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2340-148-0x0000000000000000-mapping.dmp
        Download
      • memory/2396-141-0x0000000000400000-0x0000000000640000-memory.dmp
        Filesize

        2.2MB

        Download
      • memory/2396-140-0x0000000000000000-mapping.dmp
        Download
      • memory/2488-146-0x0000000000000000-mapping.dmp
        Download
      • memory/2564-155-0x0000000000000000-mapping.dmp
        Download
      • memory/2864-136-0x0000000004CF0000-0x0000000004CFA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2864-133-0x0000000005220000-0x00000000057C4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2864-134-0x0000000004D10000-0x0000000004DA2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2864-135-0x0000000004DB0000-0x0000000004E4C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2864-132-0x00000000000C0000-0x0000000000414000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2864-137-0x0000000008750000-0x00000000087B6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3660-153-0x0000000000000000-mapping.dmp
        Download
      • memory/3880-166-0x0000000000000000-mapping.dmp
        Download
      • memory/4004-149-0x0000000000000000-mapping.dmp
        Download
      • memory/4060-168-0x0000000000000000-mapping.dmp
        Download
      • memory/4320-159-0x0000000000000000-mapping.dmp
        Download
      • memory/4428-142-0x0000000000000000-mapping.dmp
        Download
      • memory/4584-150-0x0000000000000000-mapping.dmp
        Download