Analysis

max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 09-03-2023 20:01
Behavioral task: behavioral1
Sample: 28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe
Resource: win7-20230220-en
General

Target: 28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe
Size: 1.7MB
MD5: 28dfcf156ed2ac3a05ad4dc7dffc7b1d
SHA1: 80a3c0309c9976d7f4e12fa1d43f589a5e9bb4fc
SHA256: 8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035
SHA512: f4c87135c7b92ab76be07de36e4435ab03609243661d3e19c78e7f2faa825b7af0ff937d64063bd903ca0f45618629b1bb41df4c37368eeb477915e9ffe11238
SSDEEP: 49152:sZzujF1mUmQW1CTB8/cRAfC30buKZYZRDDE7iQ8FfRJJegqrO4V:Iqbm/QW1CC/cRAs2a4V
Malware Config
Signatures
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

Executes dropped EXE (1 IoC)
Processes:
  PID  Process
  584  ShellExperienceHost.exe
The dropped binary borrows the name of a legitimate Windows shell component but runs from the user's %TEMP% directory (see the process tree below), which is itself a useful hunting indicator.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  PID  Target PID  Process       Target process
  436  2000        WerFault.exe  28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  Description                      PID   Process                               Target PID  Target process
  PID 2000 wrote to memory of 436  2000  28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe  436         WerFault.exe
  PID 2000 wrote to memory of 436  2000  28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe  436         WerFault.exe
  PID 2000 wrote to memory of 436  2000  28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe  436         WerFault.exe
  PID 2000 wrote to memory of 436  2000  28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe  436         WerFault.exe
All four writes target the WerFault.exe instance (PID 436) that Windows Error Reporting launched for the sample's own crash (its command line carries -p 2000, the sample's PID). Read this signature together with the Program crash event above: it is consistent with the crash-reporting handshake between a faulting process and its WerFault instance, not with injection into an unrelated process.
Processes

PID 2000  C:\Users\Admin\AppData\Local\Temp\28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe"
          - Suspicious use of WriteProcessMemory
  PID 584   C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe"
            - Executes dropped EXE
  PID 436   C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 928
            - Program crash (the -p 2000 argument names the sample as the faulting process)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
  Filesize: 1.6MB
  MD5: 4743db60c94dc6af7b5443115df4cdcc
  SHA1: 5c15eb26989b7e3bc04d343ae926fd668636b630
  SHA256: 4c920501a1c25235ddbd63825a238ff29c4bd89bd054cd0157ec7f55ed20ce59
  SHA512: ea23af8e4310392de4c458bff371081c8a2b8a2b957f3aa6c8a7a245d2875e396dfa04fc2d590edfee13056cc28960cc182c0c3cc03999b62738c201edf04c8b

memory/2000-54-0x0000000000C40000-0x0000000000DF2000-memory.dmp
  Filesize: 1.7MB (0x1B2000 bytes, the same size as the submitted sample)

memory/2000-56-0x0000000002310000-0x0000000002350000-memory.dmp
  Filesize: 256KB (0x40000 bytes)
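The following Python is an added example for turning this report into something a responder can run; it is not part of the sandbox output and not code from the Eternity project. The hash values are copied verbatim from the General and Downloads sections above; the WerFault heuristic encodes the caveat given under the WriteProcessMemory signature (a write into the WerFault.exe started with -p <own PID> is the crash-reporting handoff, not injection). The directory to scan and the four structured WriteProcessMemory events are the editor's reconstruction, not sandbox data.

```python
"""Offline IoC matching for the hashes and WriteProcessMemory events in the
report above. Added example; hash values are copied from the report, the
WerFault heuristic and scan logic are the editor's."""
import hashlib
import re
from pathlib import Path

# Digests copied from the report: the submitted sample and the dropped file.
REPORT_HASHES = {
    "28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe": {
        "md5": "28dfcf156ed2ac3a05ad4dc7dffc7b1d",
        "sha1": "80a3c0309c9976d7f4e12fa1d43f589a5e9bb4fc",
        "sha256": "8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035",
    },
    "ShellExperienceHost.exe": {
        "md5": "4743db60c94dc6af7b5443115df4cdcc",
        "sha1": "5c15eb26989b7e3bc04d343ae926fd668636b630",
        "sha256": "4c920501a1c25235ddbd63825a238ff29c4bd89bd054cd0157ec7f55ed20ce59",
    },
}

# Reverse index so any single digest (from any source) resolves to a report entry.
_DIGEST_INDEX = {
    digest.lower(): name
    for name, digests in REPORT_HASHES.items()
    for digest in digests.values()
}


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of an in-memory buffer, lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all three digests in a single read pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests: dict):
    """Return the report file name whose hashes match, or None.
    One matching digest is enough, so a caller holding only an MD5 can still check."""
    for digest in digests.values():
        name = _DIGEST_INDEX.get(digest.lower())
        if name:
            return name
    return None


def scan_directory(root: Path) -> list:
    """Hash every regular file under root; return (path, report name) for matches.
    The root to scan is the caller's choice (hypothetical, not from the report)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            name = match_hashes(hash_file(path))
            if name:
                hits.append((str(path), name))
    return hits


# WerFault.exe is launched as "WerFault.exe -u -p <faulting pid> -s <handle>".
_WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def is_self_crash_report(writer_pid: int, target_image: str, target_cmdline: str) -> bool:
    """True when a WriteProcessMemory target is the WerFault.exe instance that
    Windows Error Reporting started for the writer's own crash (-p <writer pid>).
    In the report, PID 2000 writes into WerFault.exe (PID 436) whose command
    line carries -p 2000, so those writes belong to crash reporting."""
    if target_image.lower() != "werfault.exe":
        return False
    m = _WERFAULT_PID.search(target_cmdline)
    return bool(m) and int(m.group(1)) == writer_pid


def suspicious_writes(events: list) -> list:
    """Keep only (writer_pid, target_pid, target_image, target_cmdline) events
    that are not explained by the writer's own crash."""
    return [e for e in events if not is_self_crash_report(e[0], e[2], e[3])]


# The four identical WriteProcessMemory rows from the report, as structured events
# (reconstructed by the editor from the signature table and process tree).
REPORT_WPM_EVENTS = [
    (2000, 436, "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 928")
] * 4

if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, name in scan_directory(root):
        print(f"{path}: matches report hash for {name}")
    print("unexplained WriteProcessMemory events:", suspicious_writes(REPORT_WPM_EVENTS))
```

Run it against a suspect directory to find the sample or the dropped ShellExperienceHost.exe by any of the three hashes; on the report's own events, suspicious_writes returns an empty list, which is the point of the WerFault caveat above. A write into a WerFault.exe whose -p argument names some other process, or into any non-WerFault image, is kept for review.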