Analysis
- max time kernel: 207s
- max time network: 214s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 23:39
Behavioral task: behavioral1
- Sample: 1ecb28739a126df4e3a34516a624daad.exe
- Resource: win7-20221111-en
General
- Target: 1ecb28739a126df4e3a34516a624daad.exe
- Size: 1.3MB
- MD5: 1ecb28739a126df4e3a34516a624daad
- SHA1: e5412bb9cbb9b3569f80a66d6e6eb835787fd06f
- SHA256: 0cf7bb3681f56dc82e6b1d2ad54ca526fcd6850c02476968e53020ee65a8f9d2
- SHA512: 4bb7432d40cafbd082d0bb724d04b216b134e76fde4da9722534e709abb40aaa1d258e94fa8e97b003d99fac584ba00e613e982f8b58016401a745e671766874
- SSDEEP: 24576:rajkH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:mIHZ5MMpoJOp+MIVai7Tq24GjdGS
Malware Config
Extracted: eternity
- http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
- payload_urls:
  http://91.218.183.96/test/WZHF.exe
  http://91.218.183.96/test/Stealer.exe
  http://91.218.183.96/test/Miner.exe
Signatures
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 4280  1ecb28739a126df4e3a34516a624daad.exe
    PID 5044  1ecb28739a126df4e3a34516a624daad.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Description: Key value queried
    IoC: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
    Process: 1ecb28739a126df4e3a34516a624daad.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  PID 4280  1ecb28739a126df4e3a34516a624daad.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source PID -> target PID, source process -> target process; each row was logged three times in the report):
    996 -> 3612   1ecb28739a126df4e3a34516a624daad.exe -> cmd.exe
    3612 -> 3188  cmd.exe -> chcp.com
    3612 -> 3336  cmd.exe -> PING.EXE
    3612 -> 4188  cmd.exe -> schtasks.exe
    3612 -> 4280  cmd.exe -> 1ecb28739a126df4e3a34516a624daad.exe
Processes (process tree; depth as reported)
- [depth 1] C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "1ecb28739a126df4e3a34516a624daad" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn "1ecb28739a126df4e3a34516a624daad" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe" /rl HIGHEST /f
      Signatures: Creates scheduled task(s)
    - [depth 3] C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
      Command line: "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
  Command line: C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1ecb28739a126df4e3a34516a624daad.exe.log
  Filesize: 321B
  MD5: 08027eeee0542c93662aef98d70095e4
  SHA1: 42402c02bf4763fcd6fb0650fc13386f2eae8f9b
  SHA256: 1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d
  SHA512: c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979
- C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
  Filesize: 1.3MB
  MD5: 1ecb28739a126df4e3a34516a624daad
  SHA1: e5412bb9cbb9b3569f80a66d6e6eb835787fd06f
  SHA256: 0cf7bb3681f56dc82e6b1d2ad54ca526fcd6850c02476968e53020ee65a8f9d2
  SHA512: 4bb7432d40cafbd082d0bb724d04b216b134e76fde4da9722534e709abb40aaa1d258e94fa8e97b003d99fac584ba00e613e982f8b58016401a745e671766874
- memory/996-132-0x0000000000C60000-0x0000000000DB2000-memory.dmp
  Filesize: 1.3MB
- memory/996-133-0x0000000005D90000-0x0000000006334000-memory.dmp
  Filesize: 5.6MB
- memory/3188-135-0x0000000000000000-mapping.dmp
- memory/3336-136-0x0000000000000000-mapping.dmp
- memory/3612-134-0x0000000000000000-mapping.dmp
- memory/4188-137-0x0000000000000000-mapping.dmp
- memory/4280-138-0x0000000000000000-mapping.dmp