eternity | 164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2

General

Target

newsoftware-tester.exe
Size

6KB
MD5

d785e46b0d269b0578dcfd1b90375a6a
SHA1

d1c4a196f24f0659c29fb05e99e690c87bf6d673
SHA256

164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2
SHA512

ea93bf91f0035a2996f227e04ccca718a9a470ca477e2e5af12a5180c70c62d6efcdbfd29d40e0458baa5ebdd525b5281e342ec29d01fc6fc9173a5b625704c3
SSDEEP

96:673zsN+JBcMAiLt6NkIJmaI8RP4e/kvHxNezNt:oo+MOLtErRJcvb4

Score

10^/10

eternity purecrypter collection downloader loader spyware stealer

Malware Config

Extracted

Family

purecrypter

C2

http://justnormalsite.ddns.net/SystemEnv/uploads/newsoftware-tester_Ilbiekxz.png

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

newsoftware-tester.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	newsoftware-tester.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

newsoftware-tester.exe

description pid process target process

PID 4712 set thread context of 3580 4712 newsoftware-tester.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
36	ip-api.com

description	pid	process	target process
PID 4712 set thread context of 3580	4712	newsoftware-tester.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegAsm.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1472 ipconfig.exe
4668 ipconfig.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exenewsoftware-tester.exeRegAsm.exe

pid process

1664 powershell.exe
1664 powershell.exe
3852 powershell.exe
4712 newsoftware-tester.exe
4712 newsoftware-tester.exe
3852 powershell.exe
3580 RegAsm.exe

pid	process
1472	ipconfig.exe
4668	ipconfig.exe

pid	process
1664	powershell.exe
1664	powershell.exe
3852	powershell.exe
4712	newsoftware-tester.exe
4712	newsoftware-tester.exe
3852	powershell.exe
3580	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

newsoftware-tester.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4712	newsoftware-tester.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	3580	RegAsm.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

newsoftware-tester.execmd.execmd.execmd.exeRegAsm.execmd.execmd.exe

description	pid	process	target process
PID 4712 wrote to memory of 2152	4712	newsoftware-tester.exe	cmd.exe
PID 4712 wrote to memory of 2152	4712	newsoftware-tester.exe	cmd.exe
PID 4712 wrote to memory of 2152	4712	newsoftware-tester.exe	cmd.exe
PID 2152 wrote to memory of 1472	2152	cmd.exe	ipconfig.exe
PID 2152 wrote to memory of 1472	2152	cmd.exe	ipconfig.exe
PID 2152 wrote to memory of 1472	2152	cmd.exe	ipconfig.exe
PID 4712 wrote to memory of 1664	4712	newsoftware-tester.exe	powershell.exe
PID 4712 wrote to memory of 1664	4712	newsoftware-tester.exe	powershell.exe
PID 4712 wrote to memory of 1664	4712	newsoftware-tester.exe	powershell.exe
PID 4712 wrote to memory of 2868	4712	newsoftware-tester.exe	cmd.exe
PID 4712 wrote to memory of 2868	4712	newsoftware-tester.exe	cmd.exe
PID 4712 wrote to memory of 2868	4712	newsoftware-tester.exe	cmd.exe
PID 4712 wrote to memory of 2872	4712	newsoftware-tester.exe	cmd.exe
PID 4712 wrote to memory of 2872	4712	newsoftware-tester.exe	cmd.exe
PID 4712 wrote to memory of 2872	4712	newsoftware-tester.exe	cmd.exe
PID 2868 wrote to memory of 3852	2868	cmd.exe	powershell.exe
PID 2868 wrote to memory of 3852	2868	cmd.exe	powershell.exe
PID 2868 wrote to memory of 3852	2868	cmd.exe	powershell.exe
PID 2872 wrote to memory of 4668	2872	cmd.exe	ipconfig.exe
PID 2872 wrote to memory of 4668	2872	cmd.exe	ipconfig.exe
PID 2872 wrote to memory of 4668	2872	cmd.exe	ipconfig.exe
PID 4712 wrote to memory of 2428	4712	newsoftware-tester.exe	RegAsm.exe
PID 4712 wrote to memory of 2428	4712	newsoftware-tester.exe	RegAsm.exe
PID 4712 wrote to memory of 2428	4712	newsoftware-tester.exe	RegAsm.exe
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	RegAsm.exe
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	RegAsm.exe
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	RegAsm.exe
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	RegAsm.exe
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	RegAsm.exe
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	RegAsm.exe
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	RegAsm.exe
PID 4712 wrote to memory of 3580	4712	newsoftware-tester.exe	RegAsm.exe
PID 3580 wrote to memory of 4248	3580	RegAsm.exe	cmd.exe
PID 3580 wrote to memory of 4248	3580	RegAsm.exe	cmd.exe
PID 3580 wrote to memory of 4248	3580	RegAsm.exe	cmd.exe
PID 4248 wrote to memory of 448	4248	cmd.exe	chcp.com
PID 4248 wrote to memory of 448	4248	cmd.exe	chcp.com
PID 4248 wrote to memory of 448	4248	cmd.exe	chcp.com
PID 4248 wrote to memory of 4916	4248	cmd.exe	netsh.exe
PID 4248 wrote to memory of 4916	4248	cmd.exe	netsh.exe
PID 4248 wrote to memory of 4916	4248	cmd.exe	netsh.exe
PID 4248 wrote to memory of 4724	4248	cmd.exe	findstr.exe
PID 4248 wrote to memory of 4724	4248	cmd.exe	findstr.exe
PID 4248 wrote to memory of 4724	4248	cmd.exe	findstr.exe
PID 3580 wrote to memory of 3668	3580	RegAsm.exe	cmd.exe
PID 3580 wrote to memory of 3668	3580	RegAsm.exe	cmd.exe
PID 3580 wrote to memory of 3668	3580	RegAsm.exe	cmd.exe
PID 3668 wrote to memory of 4496	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 4496	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 4496	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 3220	3668	cmd.exe	netsh.exe
PID 3668 wrote to memory of 3220	3668	cmd.exe	netsh.exe
PID 3668 wrote to memory of 3220	3668	cmd.exe	netsh.exe
PID 3668 wrote to memory of 4208	3668	cmd.exe	findstr.exe
PID 3668 wrote to memory of 4208	3668	cmd.exe	findstr.exe
PID 3668 wrote to memory of 4208	3668	cmd.exe	findstr.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\newsoftware-tester.exe
"C:\Users\Admin\AppData\Local\Temp\newsoftware-tester.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig/release
2⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:1472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig/renew
2⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3580

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:448

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
4⤵
PID:4916

C:\Windows\SysWOW64\findstr.exe
findstr All
4⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
3⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4496

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile name="65001" key=clear
4⤵
PID:3220

C:\Windows\SysWOW64\findstr.exe
findstr Key
4⤵
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
1d1dbecb0757e04b446e85a5079786f9

SHA1
0deddd438e4d56671bac4013542929e9de6ca487

SHA256
3759c5ede174c4e1749f86c7ff6d9f2dd56d6c8f070cad7af043805cd1fd89fb

SHA512
fea4e02d6f535f295290065e2863b7594d97d4a8b65b709791c2a51369a7ab0e4e3a6c2625f1eeee185ad31e7dd8b67dd51887cdcabf05a6005c5e0e2d7d4e43

Download Submit
memory/448-163-0x0000000000000000-mapping.dmp

Download
memory/1472-135-0x0000000000000000-mapping.dmp

Download
memory/1664-142-0x0000000007AB0000-0x000000000812A000-memory.dmp

Filesize
6.5MB

Download
memory/1664-136-0x0000000000000000-mapping.dmp

Download
memory/1664-139-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/1664-140-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/1664-141-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/1664-143-0x0000000006740000-0x000000000675A000-memory.dmp

Filesize
104KB

Download
memory/1664-138-0x0000000005400000-0x0000000005A28000-memory.dmp

Filesize
6.2MB

Download
memory/1664-137-0x0000000002960000-0x0000000002996000-memory.dmp

Filesize
216KB

Download
memory/2152-134-0x0000000000000000-mapping.dmp

Download
memory/2428-149-0x0000000000000000-mapping.dmp

Download
memory/2868-144-0x0000000000000000-mapping.dmp

Download
memory/2872-145-0x0000000000000000-mapping.dmp

Download
memory/3220-169-0x0000000000000000-mapping.dmp

Download
memory/3580-150-0x0000000000000000-mapping.dmp

Download
memory/3580-151-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3580-161-0x0000000006A50000-0x0000000006AEC000-memory.dmp

Filesize
624KB

Download
memory/3580-153-0x00000000057F0000-0x0000000005D94000-memory.dmp

Filesize
5.6MB

Download
memory/3580-154-0x0000000005FA0000-0x0000000006032000-memory.dmp

Filesize
584KB

Download
memory/3580-160-0x0000000006500000-0x0000000006550000-memory.dmp

Filesize
320KB

Download
memory/3668-167-0x0000000000000000-mapping.dmp

Download
memory/3852-156-0x0000000007640000-0x0000000007672000-memory.dmp

Filesize
200KB

Download
memory/3852-166-0x0000000007C40000-0x0000000007CD6000-memory.dmp

Filesize
600KB

Download
memory/3852-173-0x0000000007B80000-0x0000000007B88000-memory.dmp

Filesize
32KB

Download
memory/3852-157-0x0000000072150000-0x000000007219C000-memory.dmp

Filesize
304KB

Download
memory/3852-172-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/3852-162-0x0000000007A10000-0x0000000007A1A000-memory.dmp

Filesize
40KB

Download
memory/3852-171-0x00000000064D0000-0x00000000064DE000-memory.dmp

Filesize
56KB

Download
memory/3852-146-0x0000000000000000-mapping.dmp

Download
memory/3852-158-0x0000000006C40000-0x0000000006C5E000-memory.dmp

Filesize
120KB

Download
memory/4208-170-0x0000000000000000-mapping.dmp

Download
memory/4248-159-0x0000000000000000-mapping.dmp

Download
memory/4496-168-0x0000000000000000-mapping.dmp

Download
memory/4668-147-0x0000000000000000-mapping.dmp

Download
memory/4712-132-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/4712-133-0x0000000006420000-0x0000000006442000-memory.dmp

Filesize
136KB

Download
memory/4724-165-0x0000000000000000-mapping.dmp

Download
memory/4916-164-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads