Analysis
- max time kernel: 30s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 09-03-2023 20:32
Behavioral task: behavioral1
- Sample: 038789d6cef36f7c28a3131c0bf3dff5.exe
- Resource: win7-20230220-en
General
- Target: 038789d6cef36f7c28a3131c0bf3dff5.exe
- Size: 1.7MB
- MD5: 038789d6cef36f7c28a3131c0bf3dff5
- SHA1: f1d1523f31df0c6c36234692de3c5ead577e9578
- SHA256: 5d007b2e9db06688735624bd49cbf01853685fbbb872e98173e87c07bd5f4533
- SHA512: a8b7f2e60904693c9f9b0499d21d653cef8fc82058d8d68ed40692508b25a952ac6505cdade7205f819a2e8f60de0230db2c235329bbb468f3f4536de3353951
- SSDEEP: 24576:21H1ulUSNugkX6i1v0qNka1R1EUymL+95IekCoVvfxm9C64XZV:23uKL6Cka6SMo14obX
Malware Config
Signatures
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 1924, process: ShellExperienceHost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
    pid: 1128, pid_target: 1048, process: WerFault.exe, target process: 038789d6cef36f7c28a3131c0bf3dff5.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 1048 wrote to memory of 1128, 1048, 038789d6cef36f7c28a3131c0bf3dff5.exe, WerFault.exe
    PID 1048 wrote to memory of 1128, 1048, 038789d6cef36f7c28a3131c0bf3dff5.exe, WerFault.exe
    PID 1048 wrote to memory of 1128, 1048, 038789d6cef36f7c28a3131c0bf3dff5.exe, WerFault.exe
    PID 1048 wrote to memory of 1128, 1048, 038789d6cef36f7c28a3131c0bf3dff5.exe, WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\038789d6cef36f7c28a3131c0bf3dff5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\038789d6cef36f7c28a3131c0bf3dff5.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe"
    - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 920
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
  Filesize: 1.6MB
  MD5: 4743db60c94dc6af7b5443115df4cdcc
  SHA1: 5c15eb26989b7e3bc04d343ae926fd668636b630
  SHA256: 4c920501a1c25235ddbd63825a238ff29c4bd89bd054cd0157ec7f55ed20ce59
  SHA512: ea23af8e4310392de4c458bff371081c8a2b8a2b957f3aa6c8a7a245d2875e396dfa04fc2d590edfee13056cc28960cc182c0c3cc03999b62738c201edf04c8b
- memory/1048-54-0x0000000000950000-0x0000000000B02000-memory.dmp
  Filesize: 1.7MB
- memory/1048-56-0x00000000042A0000-0x00000000042E0000-memory.dmp
  Filesize: 256KB
- memory/1048-60-0x00000000042A0000-0x00000000042E0000-memory.dmp
  Filesize: 256KB