Overview

overview

10

Static

static

1

a441cc2354...fa.exe

windows7-x64

10

a441cc2354...fa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-04-2023 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a441cc23543964d970035077ac9131fa.exe

  • Size

    2.4MB

  • MD5

    a441cc23543964d970035077ac9131fa

  • SHA1

    cec5ef656cd35aacb80f9a6c2000d21957bec31d

  • SHA256

    43d252805faac982741d6ad405c322a7a2ade61c4c3fec418d47b09843deda4f

  • SHA512

    f0fb634a8ea1179755d9d7be34ab264e5a9569d078cd2e593f04f7f68435a4373b30894b20d5e31d1482160c2282175e83141e1c59a9febda08cd7712e857a7b

  • SSDEEP

    49152:+NFaV3ViuD+moCQZhHUWYfo11q33dRGyRt7:mG1QZWo11q3FRF

Score
10/10
eternityworm

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes
  • payload_urls

    http://167.88.170.23/swo/sw.exe

    http://167.88.170.23/swo/swo.exe

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a441cc23543964d970035077ac9131fa.exe
    "C:\Users\Admin\AppData\Local\Temp\a441cc23543964d970035077ac9131fa.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
        PID:564
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "InstallUtil" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:284
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:460
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:552
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "InstallUtil" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe" /rl HIGHEST /f
              4⤵
              • Creates scheduled task(s)
              PID:1228
            • C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
              "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe"
              4⤵
              • Executes dropped EXE
              PID:1628
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {C2F28C13-C65F-456F-B8AE-2ADF28386810} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
          C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
          2⤵
          • Executes dropped EXE
          PID:1036

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
        Filesize

        40KB

        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit

      • C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
        Filesize

        40KB

        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit

      • C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
        Filesize

        40KB

        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit

      • \Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
        Filesize

        40KB

        MD5

        91c9ae9c9a17a9db5e08b120e668c74c

        SHA1

        50770954c1ceb0bb6f1d5d3f2de2a0a065773723

        SHA256

        e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

        SHA512

        ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

        Download Submit

      • memory/564-65-0x00000000000D0000-0x0000000000222000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/564-68-0x00000000000D0000-0x0000000000222000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/564-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/564-67-0x00000000000D0000-0x0000000000222000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/564-66-0x00000000000D0000-0x0000000000222000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1036-85-0x0000000001030000-0x000000000103C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1364-76-0x0000000000400000-0x0000000000552000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1364-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1364-77-0x0000000000400000-0x0000000000552000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1364-75-0x0000000000400000-0x0000000000552000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1628-83-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2004-61-0x0000000004F90000-0x0000000004FD0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2004-60-0x0000000004F90000-0x0000000004FD0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2004-64-0x00000000002D0000-0x00000000002D6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2004-54-0x0000000000C30000-0x0000000000EA0000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/2004-62-0x0000000004F90000-0x0000000004FD0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2004-59-0x0000000004F90000-0x0000000004FD0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2004-58-0x0000000004F90000-0x0000000004FD0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2004-57-0x0000000000920000-0x0000000000938000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2004-63-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2004-56-0x0000000004D90000-0x0000000004DDA000-memory.dmp

        Filesize

        296KB

        Download

      • memory/2004-55-0x0000000004F90000-0x0000000004FD0000-memory.dmp

        Filesize

        256KB

        Download