Analysis
  max time kernel: 91s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-11-2022 18:17
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
General
  Target: file.exe
  Size: 911KB
  MD5: 01eb600a30f772fc4728c582cdd2cf41
  SHA1: e44dcfbce0e2e61fc1f35537af512130b42b09f4
  SHA256: b1a709dfd66397a9bf376c286924c06e8b21e52137b83e936f36896560f62d24
  SHA512: 071e21bb6b56a688936c6ae0b59528655e0c0fda1f3dc638a4d165ed6823ab322a15cdb58142e8484cd895f8dc54fcfad74714327497e78f07fd63c28382b733
  SSDEEP: 24576:ZTCKy6iFR5hcuMz4PMTDsNIbR3iexC/bwsNxW8:ZTCKy6iFR5hcuMz4PMTgNIb08KW
Malware Config
  Extracted family: eternity
  URL: http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Signatures
  Eternity
    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  Uses the VBS compiler for execution (1 TTPs)
  Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
    Processes: vbc.exe
      description | ioc | process
      Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
      Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
      Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
  Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  Looks up external IP address via web service (1 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    Processes:
      flow | ioc
      10 | ip-api.com
  Suspicious use of SetThreadContext (1 IoCs)
    Processes: file.exe
      description | pid | process | target process
      PID 2496 set thread context of 1796 | 2496 | file.exe | vbc.exe
  Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    Processes: vbc.exe
      description | ioc | process
      Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | vbc.exe
      Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | vbc.exe
  Suspicious behavior: EnumeratesProcesses (1 IoCs)
    Processes: vbc.exe
      pid | process
      1796 | vbc.exe
  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    Processes: vbc.exe
      description | pid | process
      Token: SeDebugPrivilege | 1796 | vbc.exe
  Suspicious use of WriteProcessMemory (32 IoCs)
    Processes: file.exe, vbc.exe, cmd.exe, cmd.exe
      description | pid | process | target process
      PID 2496 wrote to memory of 1796 | 2496 | file.exe | vbc.exe (8 entries)
      PID 1796 wrote to memory of 2576 | 1796 | vbc.exe | cmd.exe (3 entries)
      PID 2576 wrote to memory of 2196 | 2576 | cmd.exe | chcp.com (3 entries)
      PID 2576 wrote to memory of 2332 | 2576 | cmd.exe | netsh.exe (3 entries)
      PID 2576 wrote to memory of 1980 | 2576 | cmd.exe | findstr.exe (3 entries)
      PID 1796 wrote to memory of 1304 | 1796 | vbc.exe | cmd.exe (3 entries)
      PID 1304 wrote to memory of 4748 | 1304 | cmd.exe | chcp.com (3 entries)
      PID 1304 wrote to memory of 2520 | 1304 | cmd.exe | netsh.exe (3 entries)
      PID 1304 wrote to memory of 2472 | 1304 | cmd.exe | findstr.exe (3 entries)
  outlook_office_path (1 IoCs)
    Processes: vbc.exe
      description | ioc | process
      Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
  outlook_win_path (1 IoCs)
    Processes: vbc.exe
      description | ioc | process
      Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vbc.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\file.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      C:\Windows\SysWOW64\cmd.exe
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com
          command line: chcp 65001
        C:\Windows\SysWOW64\netsh.exe
          command line: netsh wlan show profile
        C:\Windows\SysWOW64\findstr.exe
          command line: findstr All
      C:\Windows\SysWOW64\cmd.exe
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com
          command line: chcp 65001
        C:\Windows\SysWOW64\netsh.exe
          command line: netsh wlan show profile name="65001" key=clear
        C:\Windows\SysWOW64\findstr.exe
          command line: findstr Key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/1304-145-0x0000000000000000-mapping.dmp
  memory/1796-137-0x0000000005C90000-0x0000000005D22000-memory.dmp (Filesize 584KB)
  memory/1796-141-0x00000000068B0000-0x000000000694C000-memory.dmp (Filesize 624KB)
  memory/1796-136-0x0000000005440000-0x00000000059E4000-memory.dmp (Filesize 5.6MB)
  memory/1796-133-0x0000000000000000-mapping.dmp
  memory/1796-138-0x0000000005BF0000-0x0000000005C56000-memory.dmp (Filesize 408KB)
  memory/1796-139-0x0000000006860000-0x00000000068B0000-memory.dmp (Filesize 320KB)
  memory/1796-135-0x0000000000800000-0x000000000085A000-memory.dmp (Filesize 360KB)
  memory/1980-144-0x0000000000000000-mapping.dmp
  memory/2196-142-0x0000000000000000-mapping.dmp
  memory/2332-143-0x0000000000000000-mapping.dmp
  memory/2472-148-0x0000000000000000-mapping.dmp
  memory/2496-132-0x0000000000F10000-0x0000000000FFA000-memory.dmp (Filesize 936KB)
  memory/2520-147-0x0000000000000000-mapping.dmp
  memory/2576-140-0x0000000000000000-mapping.dmp
  memory/4748-146-0x0000000000000000-mapping.dmp