Overview

overview

10

Static

static

Mortage in...ed.exe

windows7-x64

10

Mortage in...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    244s
  • max time network
    266s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2022 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mortage information files PDF_parsed.exe

  • Size

    512KB

  • MD5

    7ed167098505af94bfeade11982b112e

  • SHA1

    083a7280bb44d39e08cb4bb4d47d1ab5ace6fb0a

  • SHA256

    1e9da999708729b12cf9b9e29c44d4a1968251f2b5a9b8882f2bf2627503731a

  • SHA512

    4e22118885319443aeb90bbd6d896503d139e0204e34ebbf49c0f922454ac5b5a781adeee3564e561a23b52d69dac6cf872b2129d9aa4825384201da990145fb

  • SSDEEP

    12288:s2zrXH5tH9a6OXEU2sxZReE5G6fuDp0P4ptTzGlKUh:jznHVOx2sVhGQPaM

Score
10/10
eternitycollection

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mortage information files PDF_parsed.exe
    "C:\Users\Admin\AppData\Local\Temp\Mortage information files PDF_parsed.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:3972
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3388
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:616
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
              PID:736
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              4⤵
                PID:2696
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
              3⤵
                PID:232
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  4⤵
                    PID:4208
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show profile name="65001" key=clear
                    4⤵
                      PID:1384
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr Key
                      4⤵
                        PID:1508
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1800
                      3⤵
                      • Program crash
                      PID:3948
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mortgage information.pdf"
                    2⤵
                    • Checks processor information in registry
                    • Modifies Internet Explorer settings
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:1388
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4840
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B36009E8AC203B50B9723C51363E1C10 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                        4⤵
                          PID:1260
                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D0BD34CB6F8FF3AF2DD57D795D42733A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D0BD34CB6F8FF3AF2DD57D795D42733A --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
                          4⤵
                            PID:2972
                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C4979FE25DE220BF6BBF0AC2FB81F5C4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                            4⤵
                              PID:1148
                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=36E4A852ECA33CBEBE78FC7DAB844B4B --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                              4⤵
                                PID:3764
                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=16EC38F4E85531A5506F703646F10005 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                4⤵
                                  PID:424
                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                3⤵
                                  PID:4976
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3904
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3972 -ip 3972
                                1⤵
                                  PID:3768

                                Network

                                MITRE ATT&CK Matrix ATT&CK v6

                                Initial Access

                                Execution

                                Scripting

                                1
                                T1064

                                Persistence

                                Privilege Escalation

                                Defense Evasion

                                Scripting

                                1
                                T1064

                                Modify Registry

                                1
                                T1112

                                Credential Access

                                Discovery

                                Query Registry

                                2
                                T1012

                                System Information Discovery

                                3
                                T1082

                                Lateral Movement

                                Collection

                                Email Collection

                                1
                                T1114

                                Exfiltration

                                Command and Control

                                Impact

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Temp\Mortgage information.pdf
                                  Filesize

                                  562B

                                  MD5

                                  0f392d724c8242800b0f234dbf6353cb

                                  SHA1

                                  ec0a4f253537205bf3b13d0b5e798b2d4f0c32d9

                                  SHA256

                                  9d7a8e84403659c3b764b0eb57977af2d8fa2c9a04f3e0b3f24eda76c8e1e306

                                  SHA512

                                  6409e6a8dd6ea66ae7704aae11b351de3051d31d2a8c7af716a9959099ea4118a64069501d9813ea0b3013f37280e113c2f8730ea0ce5ab78d4ebb14d39ac717

                                  Download Submit
                                • memory/232-165-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/424-163-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/616-144-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/736-145-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1148-157-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1260-149-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1384-167-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1388-138-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1508-168-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/2696-146-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/2972-152-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3388-141-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3764-132-0x0000000000D50000-0x0000000000DD4000-memory.dmp
                                  Filesize

                                  528KB

                                  Download
                                • memory/3764-135-0x0000000005870000-0x00000000058D6000-memory.dmp
                                  Filesize

                                  408KB

                                  Download
                                • memory/3764-160-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3764-134-0x00000000057D0000-0x0000000005862000-memory.dmp
                                  Filesize

                                  584KB

                                  Download
                                • memory/3764-133-0x0000000005CE0000-0x0000000006284000-memory.dmp
                                  Filesize

                                  5.6MB

                                  Download
                                • memory/3972-136-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3972-143-0x0000000006380000-0x000000000641C000-memory.dmp
                                  Filesize

                                  624KB

                                  Download
                                • memory/3972-142-0x00000000065A0000-0x00000000065F0000-memory.dmp
                                  Filesize

                                  320KB

                                  Download
                                • memory/3972-137-0x0000000000400000-0x000000000045A000-memory.dmp
                                  Filesize

                                  360KB

                                  Download
                                • memory/4208-166-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/4840-140-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/4976-147-0x0000000000000000-mapping.dmp
                                  Download