Analysis
- max time kernel: 140s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 23:39
Behavioral task: behavioral1
- Sample: 1ecb28739a126df4e3a34516a624daad.exe
- Resource: win7-20221111-en
General
- Target: 1ecb28739a126df4e3a34516a624daad.exe
- Size: 1.3MB
- MD5: 1ecb28739a126df4e3a34516a624daad
- SHA1: e5412bb9cbb9b3569f80a66d6e6eb835787fd06f
- SHA256: 0cf7bb3681f56dc82e6b1d2ad54ca526fcd6850c02476968e53020ee65a8f9d2
- SHA512: 4bb7432d40cafbd082d0bb724d04b216b134e76fde4da9722534e709abb40aaa1d258e94fa8e97b003d99fac584ba00e613e982f8b58016401a745e671766874
- SSDEEP: 24576:rajkH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:mIHZ5MMpoJOp+MIVai7Tq24GjdGS
Malware Config
Extracted: eternity
- onion address from the extracted config: http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
- payload_urls:
  http://91.218.183.96/test/WZHF.exe
  http://91.218.183.96/test/Stealer.exe
  http://91.218.183.96/test/Miner.exe
Signatures
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Executes dropped EXE (2 IoCs)
  Processes: 1ecb28739a126df4e3a34516a624daad.exe (PID 916), 1ecb28739a126df4e3a34516a624daad.exe (PID 1504)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1092)
- Loads dropped DLL (1 IoC)
  Processes: cmd.exe (PID 1092)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox heuristic treats this as likely ransomware behaviour; since the Eternity kit also ships a worm module, drive enumeration on its own does not tell which module was active.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 1ecb28739a126df4e3a34516a624daad.exe (PID 916) enabled SeDebugPrivilege
- Suspicious use of WriteProcessMemory (24 IoCs)
  Every parent/child pair below was recorded four times (24 events in total), and every target is a child the parent itself spawned (see the process tree), so this is the memory setup of ordinary child-process creation rather than injection into an unrelated process.
  PID 1264 (1ecb28739a126df4e3a34516a624daad.exe, original copy in Temp) wrote to PID 1092 (cmd.exe)
  PID 1092 (cmd.exe) wrote to PID 1152 (chcp.com)
  PID 1092 (cmd.exe) wrote to PID 1744 (PING.EXE)
  PID 1092 (cmd.exe) wrote to PID 320 (schtasks.exe)
  PID 1092 (cmd.exe) wrote to PID 916 (1ecb28739a126df4e3a34516a624daad.exe, relocated copy in ServiceHub)
  PID 1672 (taskeng.exe) wrote to PID 1504 (1ecb28739a126df4e3a34516a624daad.exe, relocated copy launched by the scheduled task)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe"
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "1ecb28739a126df4e3a34516a624daad" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe"
    The command line names System32\cmd.exe but the image path is SysWOW64\cmd.exe: the sample is 32-bit (arch:x86 in the resource tags) and WOW64 file system redirection resolves System32 to SysWOW64 for it. The chain is a single self-relocation step: set the console code page, wait (ping to loopback), register a per-minute scheduled task pointing at a copy under AppData\Local\ServiceHub, delete the original in Temp, then start the copy directly so it does not have to wait for the first trigger.
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\chcp.com
      command line: chcp 65001
    [depth 3] C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe (there is no network target here; the ping acts as a short delay that gives the launching process time to exit, since a running executable cannot be deleted)
    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /tn "1ecb28739a126df4e3a34516a624daad" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe" /rl HIGHEST /f
      - Creates scheduled task(s) (task name equals the sample's MD5; /sc MINUTE relaunches the copy every minute and /rl HIGHEST requests the highest run level available to the task's user)
    [depth 3] C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
      command line: "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {B1E4E243-099F-4AF2-BED3-14FA3BA2DF1A} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
  taskeng.exe is the Windows 7 Task Scheduler engine running in Admin's interactive session; this is the scheduled task created above firing and launching the relocated copy (PID 1504).
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
    command line: C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
    - Executes dropped EXE
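The cmd.exe chain above is a reusable detection target independent of this sample's hashes. The following Python is an added example, not part of the sandbox report or of the Eternity kit: it parses process-creation records (a `parent` image path plus the child's `cmdline`, field names assumed for this example) into the individual `&&` steps, pulls the schtasks options, and scores the combination of a per-minute task, a HIGHEST run level, a target under AppData, a loopback ping used as a delay, deletion of the launching executable, and an immediate START of the relocated copy. The two sample records are constructed from the command lines in this report plus one benign administrative task; the weights and the alert threshold are this example's choices.

```python
"""Score the self-relocating scheduled-task chain shown in the process tree.

Added example (not part of the sandbox output): parses process-creation records
(parent image + child command line) for chcp -> ping 127.0.0.1 (delay) -> schtasks
/create (/sc MINUTE, /rl HIGHEST) -> DEL of the launching binary -> START of the copy.
Record field names, weights and the threshold are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed records, built from the command lines in the report above.
SAMPLE_EVENTS = [
    {   # the sample's chain; the parent is the dropper in %TEMP%
        "parent": r"C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe",
        "cmdline": (
            r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create '
            r'/tn "1ecb28739a126df4e3a34516a624daad" /sc MINUTE '
            r'/tr "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe" /rl HIGHEST /f '
            r'&& DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe" '
            r'&&START "" "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe"'
        ),
    },
    {   # benign admin task: daily trigger, Program Files target, no self-delete
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f',
    },
]
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # cmd.exe has no backslash escapes


def split_chain(cmdline: str) -> List[str]:
    """Split a cmd.exe command line on '&&' occurring outside double quotes."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        if cmdline[i] == '"':
            in_quote = not in_quote
        if not in_quote and cmdline.startswith("&&", i):
            parts.append("".join(buf).strip())
            buf, i = [], i + 2
            continue
        buf.append(cmdline[i])
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def tokenize(segment: str) -> List[str]:
    """A quoted run (quotes stripped) or a run of non-space characters is one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in TOKEN_RE.finditer(segment)]


@dataclass
class Finding:
    task_name: Optional[str] = None
    schedule: Optional[str] = None
    run_level: Optional[str] = None
    task_target: Optional[str] = None
    deleted: List[str] = field(default_factory=list)
    started: List[str] = field(default_factory=list)
    loopback_ping: bool = False
    self_delete: bool = False
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def analyze(event: dict) -> Finding:
    f = Finding()
    for seg in split_chain(event["cmdline"]):
        toks = tokenize(seg)
        if len(toks) > 2 and toks[0].lower().endswith("cmd.exe") and toks[1].upper() in ("/C", "/K"):
            toks = toks[2:]  # drop the leading "<path>\cmd.exe /C"
        if not toks:
            continue
        head = toks[0].lower()
        if head in ("schtasks", "schtasks.exe") and any(t.lower() == "/create" for t in toks):
            opts = {toks[i].lower(): toks[i + 1] for i in range(1, len(toks) - 1)
                    if toks[i].lower() in ("/tn", "/sc", "/tr", "/rl")}
            f.task_name, f.schedule = opts.get("/tn"), opts.get("/sc")
            f.task_target, f.run_level = opts.get("/tr"), opts.get("/rl")
        elif head in ("del", "erase"):
            f.deleted += [t for t in toks[1:] if not t.startswith("/")]
        elif head in ("ping", "ping.exe") and any(t in ("127.0.0.1", "localhost", "::1") for t in toks):
            f.loopback_ping = True
        elif head == "start":
            f.started += [t for t in toks[1:] if t and not t.startswith("/")]  # skips the "" title
    parent = event["parent"].casefold()
    f.self_delete = any(p.casefold() == parent for p in f.deleted)
    checks = [
        (f.self_delete, 3, "deletes the executable that launched the chain"),
        ((f.schedule or "").upper() == "MINUTE", 2, "scheduled task re-runs every minute"),
        ((f.run_level or "").upper() == "HIGHEST", 1, "task requests the HIGHEST run level"),
        ("\\appdata\\" in (f.task_target or "").lower(), 1, "task target lives in user-writable AppData"),
        (f.loopback_ping, 1, "ping to loopback used as a delay"),
        (f.task_target is not None and f.task_target.casefold() in {s.casefold() for s in f.started},
         1, "relocated copy started immediately after the task is registered"),
    ]
    for hit, weight, reason in checks:
        if hit:
            f.score += weight
            f.reasons.append(reason)
    return f


def scan(events: List[dict], threshold: int = 5) -> List[Finding]:
    """Return the findings that reach the (assumed) alert threshold."""
    return [f for f in map(analyze, events) if f.score >= threshold]
```

Running `scan(SAMPLE_EVENTS)` flags only the first record (score 9, every check hit); the benign daily task scores 0. In production the records would come from Sysmon event ID 1 or Windows 4688 process-creation events, and the self-delete check would compare against the actual parent image rather than a field in the record.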
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
  (the report lists this file four times, once without the drive letter as \Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe; all entries carry identical hashes)
  Filesize: 1.3MB
  MD5: 1ecb28739a126df4e3a34516a624daad
  SHA1: e5412bb9cbb9b3569f80a66d6e6eb835787fd06f
  SHA256: 0cf7bb3681f56dc82e6b1d2ad54ca526fcd6850c02476968e53020ee65a8f9d2
  SHA512: 4bb7432d40cafbd082d0bb724d04b216b134e76fde4da9722534e709abb40aaa1d258e94fa8e97b003d99fac584ba00e613e982f8b58016401a745e671766874
  These hashes match the submitted sample exactly, so the ServiceHub file is a byte-for-byte copy of the dropper relocated out of Temp, not a second-stage payload. None of the payload_urls from the extracted config (WZHF.exe, Stealer.exe, Miner.exe) appear among the files recorded in this report.
- memory/320-59-0x0000000000000000-mapping.dmp
- memory/916-62-0x0000000000000000-mapping.dmp
- memory/916-64-0x0000000000FB0000-0x0000000001102000-memory.dmp (1.3MB; the sample image mapped in the relocated copy, PID 916)
- memory/1092-56-0x0000000000000000-mapping.dmp
- memory/1152-57-0x0000000000000000-mapping.dmp
- memory/1264-54-0x0000000000010000-0x0000000000162000-memory.dmp (1.3MB; the sample image mapped in the original process, PID 1264)
- memory/1264-55-0x0000000075291000-0x0000000075293000-memory.dmp (8KB)
- memory/1504-66-0x0000000000000000-mapping.dmp
- memory/1744-58-0x0000000000000000-mapping.dmp