Analysis
- max time kernel: 28s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 09-03-2023 18:21
Behavioral task
- behavioral1
- Sample: 025fe9e8bd3665254c3b4494885eb84e.exe
- Resource: win7-20230220-en
General
- Target: 025fe9e8bd3665254c3b4494885eb84e.exe
- Size: 549KB
- MD5: 025fe9e8bd3665254c3b4494885eb84e
- SHA1: 500f6ee879a6d00fc6e393699c4f5415bd4da68a
- SHA256: e19ff8cad63099065c403f206caa9fd950b732aeb28c3189dea419f5207e035d
- SHA512: cc14ddb646332892084aa7e7374cb7345fd024f09b72c20efcc767dcbe40414bed74d1c0c8b5b543327836b6da3703f9f714a4d96248d6e9ea60203639e8e706
- SSDEEP: 12288:i0MlE4sdpmt1VCrTabAdgel1LqL+cszd0tppwZCGD:97b2fkeGgelQszd0tppiDD
Malware Config
Signatures
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  | process
  1800 | SpeechUXWiz.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
  pid  | pid_target | process      | target process
  1648 | 2028       | WerFault.exe | 025fe9e8bd3665254c3b4494885eb84e.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                      | pid  | process                              | target process
  PID 2028 wrote to memory of 1648 | 2028 | 025fe9e8bd3665254c3b4494885eb84e.exe | WerFault.exe
  PID 2028 wrote to memory of 1648 | 2028 | 025fe9e8bd3665254c3b4494885eb84e.exe | WerFault.exe
  PID 2028 wrote to memory of 1648 | 2028 | 025fe9e8bd3665254c3b4494885eb84e.exe | WerFault.exe
  PID 2028 wrote to memory of 1648 | 2028 | 025fe9e8bd3665254c3b4494885eb84e.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\025fe9e8bd3665254c3b4494885eb84e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\025fe9e8bd3665254c3b4494885eb84e.exe"
  Depth: 1
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SpeechUXWiz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SpeechUXWiz.exe"
    Depth: 2
    - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 900
    Depth: 2
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SpeechUXWiz.exe
  Filesize: 455KB
  MD5: 02bce04d6192eb6bc85a195e0187e707
  SHA1: 975ecd7e4d51da13584f8453c9e4959fb94c0545
  SHA256: 6fa424ddd31e80d679d987fd94fb2a35d8bbead7f5f09404af531b46dbae85b6
  SHA512: f1b82d484867585e206a2d48b64791724ed9aae57fe55fae755a786bee228482cb9cbc03b1e84cfa4d7fd5bbda0f733fe9500c8303834e3b23fb89580f589733
- memory/2028-54-0x0000000000140000-0x00000000001CE000-memory.dmp
  Filesize: 568KB
- memory/2028-56-0x00000000048D0000-0x0000000004910000-memory.dmp
  Filesize: 256KB
- memory/2028-60-0x00000000048D0000-0x0000000004910000-memory.dmp
  Filesize: 256KB