Analysis
max time kernel: 161s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2022 11:36
Behavioral task
behavioral1
Sample
08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
Resource
win10v2004-20221111-en
General
Target: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
Size: 1.3MB
MD5: 17f511ac04c38cc724a32db5ee6396df
SHA1: 989d1cb5f7e47a84c375b7413928d7ab73e24ff5
SHA256: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951
SHA512: 3f681c60582c0bdd7efc198063ad9a5bf5e685dede586ab067272cffdfced628af7075bec907353dbec9a5ae5d30b7382f91e9b68325ff5c2c67325db9584317
SSDEEP: 24576:sEkH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxYq:sZHZ5MMpoJOp+MIVai7Tq24GjdGS
Malware Config
Extracted
Family: eternity
C2: http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
payload_urls:
http://167.88.170.23/w993.exe
http://167.88.170.23/s101.exe
http://167.88.170.23/101.exe
http://167.88.170.23/R101.exe
Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

Executes dropped EXE (2 IoCs)
Processes:
pid 4824: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
pid 4564: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
process: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description: Token: SeDebugPrivilege
pid 4824: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe, cmd.exe):
PID 2168 wrote to memory of 1164; process: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe; target process: cmd.exe
PID 2168 wrote to memory of 1164; process: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe; target process: cmd.exe
PID 2168 wrote to memory of 1164; process: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe; target process: cmd.exe
PID 1164 wrote to memory of 900; process: cmd.exe; target process: chcp.com
PID 1164 wrote to memory of 900; process: cmd.exe; target process: chcp.com
PID 1164 wrote to memory of 900; process: cmd.exe; target process: chcp.com
PID 1164 wrote to memory of 1332; process: cmd.exe; target process: PING.EXE
PID 1164 wrote to memory of 1332; process: cmd.exe; target process: PING.EXE
PID 1164 wrote to memory of 1332; process: cmd.exe; target process: PING.EXE
PID 1164 wrote to memory of 964; process: cmd.exe; target process: schtasks.exe
PID 1164 wrote to memory of 964; process: cmd.exe; target process: schtasks.exe
PID 1164 wrote to memory of 964; process: cmd.exe; target process: schtasks.exe
PID 1164 wrote to memory of 4824; process: cmd.exe; target process: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
PID 1164 wrote to memory of 4824; process: cmd.exe; target process: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
PID 1164 wrote to memory of 4824; process: cmd.exe; target process: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
Processes
C:\Users\Admin\AppData\Local\Temp\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn "08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
      Command line: "C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
  Command line: C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe.log
Filesize: 321B
MD5: 08027eeee0542c93662aef98d70095e4
SHA1: 42402c02bf4763fcd6fb0650fc13386f2eae8f9b
SHA256: 1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d
SHA512: c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
Filesize: 1.3MB
MD5: 17f511ac04c38cc724a32db5ee6396df
SHA1: 989d1cb5f7e47a84c375b7413928d7ab73e24ff5
SHA256: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951
SHA512: 3f681c60582c0bdd7efc198063ad9a5bf5e685dede586ab067272cffdfced628af7075bec907353dbec9a5ae5d30b7382f91e9b68325ff5c2c67325db9584317

C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
Filesize: 1.3MB
MD5: 17f511ac04c38cc724a32db5ee6396df
SHA1: 989d1cb5f7e47a84c375b7413928d7ab73e24ff5
SHA256: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951
SHA512: 3f681c60582c0bdd7efc198063ad9a5bf5e685dede586ab067272cffdfced628af7075bec907353dbec9a5ae5d30b7382f91e9b68325ff5c2c67325db9584317

C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
Filesize: 1.3MB
MD5: 17f511ac04c38cc724a32db5ee6396df
SHA1: 989d1cb5f7e47a84c375b7413928d7ab73e24ff5
SHA256: 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951
SHA512: 3f681c60582c0bdd7efc198063ad9a5bf5e685dede586ab067272cffdfced628af7075bec907353dbec9a5ae5d30b7382f91e9b68325ff5c2c67325db9584317

memory/900-135-0x0000000000000000-mapping.dmp

memory/964-137-0x0000000000000000-mapping.dmp

memory/1164-134-0x0000000000000000-mapping.dmp

memory/1332-136-0x0000000000000000-mapping.dmp

memory/2168-132-0x0000000000960000-0x0000000000AB2000-memory.dmp
Filesize: 1.3MB

memory/2168-133-0x0000000005960000-0x0000000005F04000-memory.dmp
Filesize: 5.6MB

memory/4824-138-0x0000000000000000-mapping.dmp