Analysis

  • max time kernel
    228s
  • max time network
    291s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/01/2023, 15:31

General

  • Target

    Booking_026xls.exe

  • Size

    762KB

  • MD5

    a585978049b92aae727e1194e57fe33b

  • SHA1

    fe4d4fa0fee1d7659a51bf7bc4cdb9eff1c8a091

  • SHA256

    bcb56d0fe856303e717cc5063013acebff9df5645629472ab2600248a604d0b9

  • SHA512

    de4f9a3c748ba8b82fb4cb2fa5f816317dc68aa632de26304d708037b9a1c65a55c5125b84ce42b5200438103ab3066f50064ba24c9c089c61f59ba0bcae1a18

  • SSDEEP

    12288:rzSgbiZU6XgScm6mTGL0YEW+VxEPW0jNM8WUFJVbqaT5SomZn0ZaHJBq6Tc9Vo:HSPXgVSTGLZEW+VyM8vb95bn8w

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Booking_026xls.exe
    "C:\Users\Admin\AppData\Local\Temp\Booking_026xls.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\Booking_026xls.exe
      "{path}"
      2⤵
      PID:3172
    • C:\Users\Admin\AppData\Local\Temp\Booking_026xls.exe
      "{path}"
      2⤵
      PID:2648
    • C:\Users\Admin\AppData\Local\Temp\Booking_026xls.exe
      "{path}"
      2⤵
      PID:5092
    • C:\Users\Admin\AppData\Local\Temp\Booking_026xls.exe
      "{path}"
      2⤵
      PID:4212
    • C:\Users\Admin\AppData\Local\Temp\Booking_026xls.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2344
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:1008
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          PID:856
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          PID:2420
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:3888
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile name="65001" key=clear
          4⤵
          PID:4244
        • C:\Windows\SysWOW64\findstr.exe
          findstr Key
          4⤵
          PID:1160

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Booking_026xls.exe.log

    Filesize

    1KB

    MD5

    84e77a587d94307c0ac1357eb4d3d46f

    SHA1

    83cc900f9401f43d181207d64c5adba7a85edc1e

    SHA256

    e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

    SHA512

    aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

  • memory/2344-142-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2344-145-0x0000000006890000-0x00000000068E0000-memory.dmp

    Filesize

    320KB

  • memory/2344-143-0x00000000061A0000-0x0000000006206000-memory.dmp

    Filesize

    408KB

  • memory/4724-136-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

    Filesize

    40KB

  • memory/4724-135-0x0000000004F70000-0x000000000500C000-memory.dmp

    Filesize

    624KB

  • memory/4724-132-0x0000000000370000-0x0000000000434000-memory.dmp

    Filesize

    784KB

  • memory/4724-134-0x0000000004DE0000-0x0000000004E72000-memory.dmp

    Filesize

    584KB

  • memory/4724-133-0x0000000005480000-0x0000000005A24000-memory.dmp

    Filesize

    5.6MB