Analysis

  • max time kernel
    123s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/02/2023, 16:50

General

  • Target

    https://github.com/MitroxGT/GABB-Growtopia/releases/download/gabb-main/GABB-Secured.zip

Score
10/10

Malware Config

Signatures

  • Detects Eternity stealer (2 IoCs)
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Drops startup file (3 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Program crash (2 IoCs)
  • Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 29 IoCs)
  • Modifies registry class (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/MitroxGT/GABB-Growtopia/releases/download/gabb-main/GABB-Secured.zip
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3184
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:492
  • C:\Users\Admin\AppData\Local\Temp\Temp1_GABB-Secured.zip\GABB-Secured\GABB.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_GABB-Secured.zip\GABB-Secured\GABB.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Users\Admin\AppData\Local\Temp\dcd.exe
      "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
      2⤵
      • Executes dropped EXE
      PID:5012
    • C:\Users\Admin\AppData\Local\Temp\0aged4x4.41s\GABB.exe
      "C:\Users\Admin\AppData\Local\Temp\0aged4x4.41s\GABB.exe"
      2⤵
      • Executes dropped EXE
      PID:1636
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1116 -s 2364
      2⤵
      • Program crash
      PID:3320
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 428 -p 1116 -ip 1116
    1⤵
    PID:4844
  • C:\Users\Admin\AppData\Local\Temp\Temp1_GABB-Secured.zip\GABB-Secured\GABB.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_GABB-Secured.zip\GABB-Secured\GABB.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Users\Admin\AppData\Local\Temp\dcd.exe
      "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
      2⤵
      • Executes dropped EXE
      PID:3168
    • C:\Users\Admin\AppData\Local\Temp\5jgmezyl.nnz\GABB.exe
      "C:\Users\Admin\AppData\Local\Temp\5jgmezyl.nnz\GABB.exe"
      2⤵
      • Executes dropped EXE
      PID:4688
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 972 -s 2396
      2⤵
      • Program crash
      PID:4552
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4752
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 516 -p 972 -ip 972
    1⤵
    PID:848

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4HAJQ22Y\GABB-Secured[1].zip
    Filesize: 2.6MB
    MD5: 67077886f7da41b4b4e575a8c811b5e9
    SHA1: e282ce26c7a9178ea70f2d150d5bc3a021bca5f5
    SHA256: 36a613f379123e2006f6711f57b341f6138e041130b89b5adbd2aaed7f67a594
    SHA512: 5cfce904edf85c4f840a6cb404c4f538fe242cfebf97a4f1c83c9ff19fa7d44886ad3c327009f4cc0ce075a58c6dda47d86cd95b5920ede30004569e9f7cca95

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4HAJQ22Y\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\GABB-Secured.zip.k2sqrnw.partial
    Filesize: 2.6MB
    MD5: 67077886f7da41b4b4e575a8c811b5e9
    SHA1: e282ce26c7a9178ea70f2d150d5bc3a021bca5f5
    SHA256: 36a613f379123e2006f6711f57b341f6138e041130b89b5adbd2aaed7f67a594
    SHA512: 5cfce904edf85c4f840a6cb404c4f538fe242cfebf97a4f1c83c9ff19fa7d44886ad3c327009f4cc0ce075a58c6dda47d86cd95b5920ede30004569e9f7cca95

  • C:\Users\Admin\AppData\Local\Temp\0aged4x4.41s\GABB.exe
    Filesize: 1.8MB
    MD5: 23b71563af5ff450418a5bacfe63d4e3
    SHA1: e0710c35bdd94aee3952a720fff1ec16eb40761b
    SHA256: 0518340706e89adb60325d1ea1106c0ea8f69da2ecbd2ef85385edd923eb0b88
    SHA512: e55402adc03ff4b4c90256c4b4bb7d3a7f8b7a1bb87b73d1c6bcfe5a0ab17758e53805c00f78a4d3992ef7541ea46adabe2dbc84a8af768ea9c04eb2e23b86f3

  • C:\Users\Admin\AppData\Local\Temp\5jgmezyl.nnz\GABB.exe
    Filesize: 1.8MB
    MD5: 23b71563af5ff450418a5bacfe63d4e3
    SHA1: e0710c35bdd94aee3952a720fff1ec16eb40761b
    SHA256: 0518340706e89adb60325d1ea1106c0ea8f69da2ecbd2ef85385edd923eb0b88
    SHA512: e55402adc03ff4b4c90256c4b4bb7d3a7f8b7a1bb87b73d1c6bcfe5a0ab17758e53805c00f78a4d3992ef7541ea46adabe2dbc84a8af768ea9c04eb2e23b86f3

  • C:\Users\Admin\AppData\Local\Temp\dcd.exe
    Filesize: 227KB
    MD5: b5ac46e446cead89892628f30a253a06
    SHA1: f4ad1044a7f77a1b02155c3a355a1bb4177076ca
    SHA256: def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669
    SHA512: bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GABB.exe
    Filesize: 5.3MB
    MD5: 88abcf7fbb8bbeeaecd486a500ef1d97
    SHA1: 4320358bf410bb94caca4bbb5349f33fbc015249
    SHA256: 98e4fe2f4a4eb843e0409157cee11a62da9ff550ad1d2b8d73c88a016bf7d148
    SHA512: 2c017d62f082d52d2a32c78327f3d08431958cd47df636e6efdc4c6bb1d32f76d0e1f4a59b400e1ece1e31da0a91120a2ac6cd1d0b9ff677c3376d70b4647db0

  • memory/972-181-0x0000000002C70000-0x0000000002C80000-memory.dmp
    Filesize: 64KB

  • memory/972-195-0x0000000002C70000-0x0000000002C80000-memory.dmp
    Filesize: 64KB

  • memory/972-196-0x0000000002C70000-0x0000000002C80000-memory.dmp
    Filesize: 64KB

  • memory/1116-166-0x000000001D7F0000-0x000000001D800000-memory.dmp
    Filesize: 64KB

  • memory/1116-165-0x0000000001B40000-0x0000000001B41000-memory.dmp
    Filesize: 4KB

  • memory/1116-167-0x000000001D7F0000-0x000000001D800000-memory.dmp
    Filesize: 64KB

  • memory/1116-152-0x0000000003460000-0x00000000034B0000-memory.dmp
    Filesize: 320KB

  • memory/1116-151-0x0000000000EE0000-0x00000000013D2000-memory.dmp
    Filesize: 4.9MB