eternity | 164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2

Analysis

max time kernel
90s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2023 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newsoftware-tester.exe
Size

6KB
MD5

d785e46b0d269b0578dcfd1b90375a6a
SHA1

d1c4a196f24f0659c29fb05e99e690c87bf6d673
SHA256

164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2
SHA512

ea93bf91f0035a2996f227e04ccca718a9a470ca477e2e5af12a5180c70c62d6efcdbfd29d40e0458baa5ebdd525b5281e342ec29d01fc6fc9173a5b625704c3
SSDEEP

96:673zsN+JBcMAiLt6NkIJmaI8RP4e/kvHxNezNt:oo+MOLtErRJcvb4

Score

10^/10

eternity purecrypter collection downloader loader spyware stealer

Malware Config

Extracted

Family

purecrypter

http://justnormalsite.ddns.net/SystemEnv/uploads/newsoftware-tester_Ilbiekxz.png

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	newsoftware-tester.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4712 set thread context of 3580	4712	newsoftware-tester.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegAsm.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1472	ipconfig.exe
4668	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1664	powershell.exe
1664	powershell.exe
3852	powershell.exe
4712	newsoftware-tester.exe
4712	newsoftware-tester.exe
3852	powershell.exe
3580	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	newsoftware-tester.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	3580	RegAsm.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2152	4712	newsoftware-tester.exe	80
PID 4712 wrote to memory of 2152	4712	newsoftware-tester.exe	80
PID 4712 wrote to memory of 2152	4712	newsoftware-tester.exe	80
PID 2152 wrote to memory of 1472	2152	cmd.exe	82
PID 2152 wrote to memory of 1472	2152	cmd.exe	82
PID 2152 wrote to memory of 1472	2152	cmd.exe	82
PID 4712 wrote to memory of 1664	4712	newsoftware-tester.exe	83
PID 4712 wrote to memory of 1664	4712	newsoftware-tester.exe	83
PID 4712 wrote to memory of 1664	4712	newsoftware-tester.exe	83
PID 4712 wrote to memory of 2868	4712	newsoftware-tester.exe	92
PID 4712 wrote to memory of 2868	4712	newsoftware-tester.exe	92
PID 4712 wrote to memory of 2868	4712	newsoftware-tester.exe	92
PID 4712 wrote to memory of 2872	4712	newsoftware-tester.exe	94
PID 4712 wrote to memory of 2872	4712	newsoftware-tester.exe	94
PID 4712 wrote to memory of 2872	4712	newsoftware-tester.exe	94
PID 2868 wrote to memory of 3852	2868	cmd.exe	96
PID 2868 wrote to memory of 3852	2868	cmd.exe	96
PID 2868 wrote to memory of 3852	2868	cmd.exe	96
PID 2872 wrote to memory of 4668	2872	cmd.exe	97
PID 2872 wrote to memory of 4668	2872	cmd.exe	97
PID 2872 wrote to memory of 4668	2872	cmd.exe	97
PID 4712 wrote to memory of 2428	4712	newsoftware-tester.exe	98
PID 4712 wrote to memory of 2428	4712	newsoftware-tester.exe	98
PID 4712 wrote to memory of 2428	4712	newsoftware-tester.exe	98
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	99
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	99
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	99
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	99
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	99
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	99
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	99
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	99
PID 3580 wrote to memory of 4248	3580	RegAsm.exe	100
PID 3580 wrote to memory of 4248	3580	RegAsm.exe	100
PID 3580 wrote to memory of 4248	3580	RegAsm.exe	100
PID 4248 wrote to memory of 448	4248	cmd.exe	102
PID 4248 wrote to memory of 448	4248	cmd.exe	102
PID 4248 wrote to memory of 448	4248	cmd.exe	102
PID 4248 wrote to memory of 4916	4248	cmd.exe	103
PID 4248 wrote to memory of 4916	4248	cmd.exe	103
PID 4248 wrote to memory of 4916	4248	cmd.exe	103
PID 4248 wrote to memory of 4724	4248	cmd.exe	104
PID 4248 wrote to memory of 4724	4248	cmd.exe	104
PID 4248 wrote to memory of 4724	4248	cmd.exe	104
PID 3580 wrote to memory of 3668	3580	RegAsm.exe	105
PID 3580 wrote to memory of 3668	3580	RegAsm.exe	105
PID 3580 wrote to memory of 3668	3580	RegAsm.exe	105
PID 3668 wrote to memory of 4496	3668	cmd.exe	107
PID 3668 wrote to memory of 4496	3668	cmd.exe	107
PID 3668 wrote to memory of 4496	3668	cmd.exe	107
PID 3668 wrote to memory of 3220	3668	cmd.exe	108
PID 3668 wrote to memory of 3220	3668	cmd.exe	108
PID 3668 wrote to memory of 3220	3668	cmd.exe	108
PID 3668 wrote to memory of 4208	3668	cmd.exe	109
PID 3668 wrote to memory of 4208	3668	cmd.exe	109
PID 3668 wrote to memory of 4208	3668	cmd.exe	109

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\newsoftware-tester.exe
"C:\Users\Admin\AppData\Local\Temp\newsoftware-tester.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:4668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:448
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile name="65001" key=clear
      4⤵
      PID:3220
  - - C:\Windows\SysWOW64\findstr.exe
      findstr Key
      4⤵
      PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
1d1dbecb0757e04b446e85a5079786f9

SHA1
0deddd438e4d56671bac4013542929e9de6ca487

SHA256
3759c5ede174c4e1749f86c7ff6d9f2dd56d6c8f070cad7af043805cd1fd89fb

SHA512
fea4e02d6f535f295290065e2863b7594d97d4a8b65b709791c2a51369a7ab0e4e3a6c2625f1eeee185ad31e7dd8b67dd51887cdcabf05a6005c5e0e2d7d4e43

Download Submit
memory/1664-142-0x0000000007AB0000-0x000000000812A000-memory.dmp

Filesize
6.5MB

Download
memory/1664-139-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/1664-140-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/1664-141-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/1664-143-0x0000000006740000-0x000000000675A000-memory.dmp

Filesize
104KB

Download
memory/1664-138-0x0000000005400000-0x0000000005A28000-memory.dmp

Filesize
6.2MB

Download
memory/1664-137-0x0000000002960000-0x0000000002996000-memory.dmp

Filesize
216KB

Download
memory/3580-151-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3580-161-0x0000000006A50000-0x0000000006AEC000-memory.dmp

Filesize
624KB

Download
memory/3580-153-0x00000000057F0000-0x0000000005D94000-memory.dmp

Filesize
5.6MB

Download
memory/3580-154-0x0000000005FA0000-0x0000000006032000-memory.dmp

Filesize
584KB

Download
memory/3580-160-0x0000000006500000-0x0000000006550000-memory.dmp

Filesize
320KB

Download
memory/3852-156-0x0000000007640000-0x0000000007672000-memory.dmp

Filesize
200KB

Download
memory/3852-166-0x0000000007C40000-0x0000000007CD6000-memory.dmp

Filesize
600KB

Download
memory/3852-173-0x0000000007B80000-0x0000000007B88000-memory.dmp

Filesize
32KB

Download
memory/3852-157-0x0000000072150000-0x000000007219C000-memory.dmp

Filesize
304KB

Download
memory/3852-172-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/3852-162-0x0000000007A10000-0x0000000007A1A000-memory.dmp

Filesize
40KB

Download
memory/3852-171-0x00000000064D0000-0x00000000064DE000-memory.dmp

Filesize
56KB

Download
memory/3852-158-0x0000000006C40000-0x0000000006C5E000-memory.dmp

Filesize
120KB

Download
memory/4712-132-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/4712-133-0x0000000006420000-0x0000000006442000-memory.dmp

Filesize
136KB

Download