Analysis
- max time kernel: 150s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 11:31
Behavioral task: behavioral1
- Sample: Ransomware.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: Ransomware.exe
- Resource: win10v2004-20220901-en
General
- Target: Ransomware.exe
- Size: 112KB
- MD5: 3e639bb5f41c23fddca94836c44b88a6
- SHA1: 799699566b60733bfc9429b63d63d6bff1d3225a
- SHA256: d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7
- SHA512: e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42
- SSDEEP: 3072:aJl5QviHOEB8+Azr2/od+Kb3upxjrGoZji:az5uiHO0F/oMKb+pdrGoZ
Malware Config
Signatures
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Disables Task Manager via registry modification
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 528   Ransomware.exe
    pid 1568  Ransomware.exe
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    File renamed  C:\Users\Admin\Pictures\ReceiveCompare.png => C:\Users\Admin\Pictures\ReceiveCompare.png.ecrp  (Ransomware.exe)
- Deletes itself (1 IoC)
  Processes:
    pid 1680  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid 1680  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 1636  vssadmin.exe
    pid 912   vssadmin.exe
- Modifies registry class (6 IoCs)
  Processes (all by Ransomware.exe):
    Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp\shell\open
    Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\ServiceHub\\Ransomware.exe %1"
    Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\ServiceHub\\Ransomware.exe %1"
    Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp
    Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp\shell\open\command
    Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp\shell
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 528 Ransomware.exe and pid 1568 Ransomware.exe (64 events in total, alternating between the two processes)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    Token: SeDebugPrivilege    pid 528   Ransomware.exe
    Token: SeBackupPrivilege   pid 1676  vssvc.exe
    Token: SeRestorePrivilege  pid 1676  vssvc.exe
    Token: SeAuditPrivilege    pid 1676  vssvc.exe
    Token: SeDebugPrivilege    pid 1568  Ransomware.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  Processes (each parent/target pair below was recorded 4 times, 12 pairs in total):
    PID 1252 (Ransomware.exe)  wrote to memory of  PID 1680 (cmd.exe)
    PID 1680 (cmd.exe)         wrote to memory of  PID 1536 (chcp.com)
    PID 1680 (cmd.exe)         wrote to memory of  PID 332  (PING.EXE)
    PID 1680 (cmd.exe)         wrote to memory of  PID 1516 (schtasks.exe)
    PID 1680 (cmd.exe)         wrote to memory of  PID 528  (Ransomware.exe)
    PID 528  (Ransomware.exe)  wrote to memory of  PID 268  (cmd.exe)
    PID 268  (cmd.exe)         wrote to memory of  PID 688  (chcp.com)
    PID 268  (cmd.exe)         wrote to memory of  PID 1636 (vssadmin.exe)
    PID 1524 (taskeng.exe)     wrote to memory of  PID 1568 (Ransomware.exe)
    PID 1568 (Ransomware.exe)  wrote to memory of  PID 1428 (cmd.exe)
    PID 1428 (cmd.exe)         wrote to memory of  PID 1172 (chcp.com)
    PID 1428 (cmd.exe)         wrote to memory of  PID 912  (vssadmin.exe)
Processes (tree; the number in brackets is the depth in the process tree, path first, then the recorded command line)
- [1] C:\Users\Admin\AppData\Local\Temp\Ransomware.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware.exe"
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Ransomware.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\chcp.com
          command line: chcp 65001
    - [3] C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          - Runs ping.exe
    - [3] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
    - [3] C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
          command line: "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
          - Executes dropped EXE
          - Modifies extensions of user files
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
            - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\chcp.com
              command line: chcp 65001
        - [5] C:\Windows\SysWOW64\vssadmin.exe
              command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
- [1] C:\Windows\system32\vssvc.exe
      command line: C:\Windows\system32\vssvc.exe
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\taskeng.exe
      command line: taskeng.exe {C6CC2ADC-00C3-4B77-868F-CD5227B0BFC1} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
        command line: C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\chcp.com
            command line: chcp 65001
      - [4] C:\Windows\SysWOW64\vssadmin.exe
            command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
  Filesize: 112KB
  MD5: 3e639bb5f41c23fddca94836c44b88a6
  SHA1: 799699566b60733bfc9429b63d63d6bff1d3225a
  SHA256: d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7
  SHA512: e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42
- C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe (same size and hashes as above)
- C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe (same size and hashes as above)
- \Users\Admin\AppData\Local\ServiceHub\Ransomware.exe (same size and hashes as above)
- memory/268-66-0x0000000000000000-mapping.dmp
- memory/332-58-0x0000000000000000-mapping.dmp
- memory/528-64-0x0000000000810000-0x0000000000832000-memory.dmp  Filesize: 136KB
- memory/528-62-0x0000000000000000-mapping.dmp
- memory/528-75-0x0000000005AA6000-0x0000000005AB7000-memory.dmp  Filesize: 68KB
- memory/688-67-0x0000000000000000-mapping.dmp
- memory/912-74-0x0000000000000000-mapping.dmp
- memory/1172-73-0x0000000000000000-mapping.dmp
- memory/1252-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp  Filesize: 8KB
- memory/1252-54-0x0000000000B70000-0x0000000000B92000-memory.dmp  Filesize: 136KB
- memory/1428-72-0x0000000000000000-mapping.dmp
- memory/1516-59-0x0000000000000000-mapping.dmp
- memory/1536-57-0x0000000000000000-mapping.dmp
- memory/1568-69-0x0000000000000000-mapping.dmp
- memory/1568-76-0x0000000005CE6000-0x0000000005CF7000-memory.dmp  Filesize: 68KB
- memory/1636-68-0x0000000000000000-mapping.dmp
- memory/1680-56-0x0000000000000000-mapping.dmp