Analysis

Max time kernel: 152s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-11-2022 11:31
Behavioral task: behavioral1
  Sample: Ransomware.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: Ransomware.exe
  Resource: win10v2004-20220901-en
General

Target: Ransomware.exe
Size: 112KB
MD5: 3e639bb5f41c23fddca94836c44b88a6
SHA1: 799699566b60733bfc9429b63d63d6bff1d3225a
SHA256: d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7
SHA512: e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42
SSDEEP: 3072:aJl5QviHOEB8+Azr2/od+Kb3upxjrGoZji:az5uiHO0F/oMKb+pdrGoZ
Signatures

- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

- Disables Task Manager via registry modification

- Executes dropped EXE (2 IoCs)
  Processes: Ransomware.exe (PID 4688), Ransomware.exe (PID 2800)

- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  File renamed by Ransomware.exe: C:\Users\Admin\Pictures\SaveAssert.png => C:\Users\Admin\Pictures\SaveAssert.png.ecrp

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by Ransomware.exe (3 times): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation

- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str) by Ransomware.exe (2 times): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Modifies Control Panel (4 IoCs)
  Set value (str) by Ransomware.exe (2 times each):
    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10"
    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\TileWallpaper = "0"

- Modifies registry class (6 IoCs)
  Key created by Ransomware.exe:
    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp
    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp\shell
    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp\shell\open
    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp\shell\open\command
  Set value (str) by Ransomware.exe (2 times):
    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\ServiceHub\\Ransomware.exe %1"

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: Ransomware.exe (PID 4688, repeated) and Ransomware.exe (PID 2800, repeated); 64 entries in total

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, PID 4688 Ransomware.exe
  Token: SeBackupPrivilege, PID 4816 vssvc.exe
  Token: SeRestorePrivilege, PID 4816 vssvc.exe
  Token: SeAuditPrivilege, PID 4816 vssvc.exe
  Token: SeDebugPrivilege, PID 2800 Ransomware.exe

- Suspicious use of WriteProcessMemory (27 IoCs; each event is logged 3 times)
  PID 4204 Ransomware.exe wrote to memory of PID 3628 cmd.exe
  PID 3628 cmd.exe wrote to memory of PID 4448 chcp.com
  PID 3628 cmd.exe wrote to memory of PID 1052 PING.EXE
  PID 3628 cmd.exe wrote to memory of PID 744 schtasks.exe
  PID 3628 cmd.exe wrote to memory of PID 4688 Ransomware.exe
  PID 4688 Ransomware.exe wrote to memory of PID 3760 cmd.exe
  PID 3760 cmd.exe wrote to memory of PID 556 chcp.com
  PID 2800 Ransomware.exe wrote to memory of PID 928 cmd.exe
  PID 928 cmd.exe wrote to memory of PID 3476 chcp.com
Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Ransomware.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com (level 3)
      Command line: chcp 65001

    C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe

    C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
      - Executes dropped EXE
      - Modifies extensions of user files
      - Checks computer location settings
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com (level 5)
          Command line: chcp 65001

C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com (level 3)
      Command line: chcp 65001
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ransomware.exe.log
  Filesize: 609B
  MD5: d12b2202c8663de63120a7239216f4c9
  SHA1: f0263381d735e0d3a029378de06e6c49f386bb4f
  SHA256: a1523cbbb1efe7eaed779caf6077a067519945accb1ab61a4c39323fffea6e5d
  SHA512: 942e728bb334cd3a7c634617c04cc2848124505a7a5b3f3081e5d46334e313b1f6fbf854e94d4f44dd51692c39cd19d239b15de3f0aa443ebd8d60db2868ab80

- C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
  Filesize: 112KB
  MD5: 3e639bb5f41c23fddca94836c44b88a6
  SHA1: 799699566b60733bfc9429b63d63d6bff1d3225a
  SHA256: d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7
  SHA512: e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42
- C:\Users\Admin\AppData\Local\Temp\wallpaper.bmp
  Filesize: 675KB
  MD5: b420b3cf29ef7e6bb92981c335c3d46e
  SHA1: 3452295e8c91cad5361bb4242281eeeab35937c0
  SHA256: bdad2fb308667a40e3f19347ea99368f75f6a86323575bf458f8683e528099df
  SHA512: 350a08e54b00713516b751cf3c7931baffd6e308e56843ebd5be35f69bbfcccda15d433e8ec5ab7272baec20801fbc7698d60e5e14d79900a18edfa99c84d28a