Analysis
max time kernel: 337s
max time network: 391s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 11:25
Behavioral task: behavioral1
  Sample: Ransomware.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Ransomware.exe
  Resource: win10v2004-20221111-en
General
Target: Ransomware.exe
Size: 112KB
MD5: 3e639bb5f41c23fddca94836c44b88a6
SHA1: 799699566b60733bfc9429b63d63d6bff1d3225a
SHA256: d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7
SHA512: e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42
SSDEEP: 3072:aJl5QviHOEB8+Azr2/od+Kb3upxjrGoZji:az5uiHO0F/oMKb+pdrGoZ
Malware Config
Signatures
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Ransomware.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
    process: Ransomware.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Ransomware.exe, cmd.exe
    description                        pid   process         target process
    PID 1112 wrote to memory of 3700   1112  Ransomware.exe  cmd.exe
    PID 1112 wrote to memory of 3700   1112  Ransomware.exe  cmd.exe
    PID 1112 wrote to memory of 3700   1112  Ransomware.exe  cmd.exe
    PID 3700 wrote to memory of 2592   3700  cmd.exe         chcp.com
    PID 3700 wrote to memory of 2592   3700  cmd.exe         chcp.com
    PID 3700 wrote to memory of 2592   3700  cmd.exe         chcp.com
    PID 3700 wrote to memory of 1248   3700  cmd.exe         PING.EXE
    PID 3700 wrote to memory of 1248   3700  cmd.exe         PING.EXE
    PID 3700 wrote to memory of 1248   3700  cmd.exe         PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\Ransomware.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Ransomware.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\chcp.com
         Command line: chcp 65001
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1112-132-0x00000000001B0000-0x00000000001D2000-memory.dmp (Filesize: 136KB)
- memory/1112-133-0x0000000005130000-0x00000000056D4000-memory.dmp (Filesize: 5.6MB)
- memory/1112-134-0x0000000004B80000-0x0000000004C12000-memory.dmp (Filesize: 584KB)
- memory/1248-137-0x0000000000000000-mapping.dmp
- memory/2592-136-0x0000000000000000-mapping.dmp
- memory/3700-135-0x0000000000000000-mapping.dmp