Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2023 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    112KB

  • MD5

    5505bbddc971765df496f907b222c2fb

  • SHA1

    de3c8668481fa3dacf2052951d45a9c3a388575d

  • SHA256

    a5498ad33354516c8a2affe2de3e3cf515aafb252d5647d0f8c6efe4b46806a4

  • SHA512

    7bec3c8dfa0f63db2ae182805dff0602f55b6e419f30b279992d891542f128c121542a05c214d9436f6baeae895cf09027c5d308731682df41d84e6283fd08eb

  • SSDEEP

    1536:IsCK9eaNw9AFBPGMPYnQZZZZZZZZZonTZ6PhCOybwXuzIBnwbp3r+hX1dZji:xCSbwmFBPGtTZWhybwX7Bo36TZji

Score
10/10
eternityransomware

Malware Config

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\file.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:2300
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:3004
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:4588
        • C:\Users\Admin\AppData\Local\ServiceHub\file.exe
          "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
          3⤵
          • Modifies extensions of user files
          • Checks computer location settings
          • Executes dropped EXE
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4624
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2996
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:4212
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4976
      • C:\Users\Admin\AppData\Local\ServiceHub\file.exe
        C:\Users\Admin\AppData\Local\ServiceHub\file.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Sets desktop wallpaper using registry
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1880
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            3⤵
              PID:1128

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
          Filesize

          701B

          MD5

          1cfcc2ffa3019d3784f5852dd5547f84

          SHA1

          3fe48e46b1f9df2e3b4a5d8ddd6b1792d3ce7513

          SHA256

          464a15de513b3da8a8d28732020c88a5b3d9e1b08c0d1d0b7248821999dae23a

          SHA512

          76117b61890d2b4abd85a8aad98b8a2f65aeb885efee74206c0b83aa7f305f7b1b62c6ded58fa3042d06298310074f27849f54f52aabb805eb68e5a75eff55de

          Download Submit

        • C:\Users\Admin\AppData\Local\ServiceHub\file.exe
          Filesize

          112KB

          MD5

          5505bbddc971765df496f907b222c2fb

          SHA1

          de3c8668481fa3dacf2052951d45a9c3a388575d

          SHA256

          a5498ad33354516c8a2affe2de3e3cf515aafb252d5647d0f8c6efe4b46806a4

          SHA512

          7bec3c8dfa0f63db2ae182805dff0602f55b6e419f30b279992d891542f128c121542a05c214d9436f6baeae895cf09027c5d308731682df41d84e6283fd08eb

          Download Submit

        • C:\Users\Admin\AppData\Local\ServiceHub\file.exe
          Filesize

          112KB

          MD5

          5505bbddc971765df496f907b222c2fb

          SHA1

          de3c8668481fa3dacf2052951d45a9c3a388575d

          SHA256

          a5498ad33354516c8a2affe2de3e3cf515aafb252d5647d0f8c6efe4b46806a4

          SHA512

          7bec3c8dfa0f63db2ae182805dff0602f55b6e419f30b279992d891542f128c121542a05c214d9436f6baeae895cf09027c5d308731682df41d84e6283fd08eb

          Download Submit

        • C:\Users\Admin\AppData\Local\ServiceHub\file.exe
          Filesize

          112KB

          MD5

          5505bbddc971765df496f907b222c2fb

          SHA1

          de3c8668481fa3dacf2052951d45a9c3a388575d

          SHA256

          a5498ad33354516c8a2affe2de3e3cf515aafb252d5647d0f8c6efe4b46806a4

          SHA512

          7bec3c8dfa0f63db2ae182805dff0602f55b6e419f30b279992d891542f128c121542a05c214d9436f6baeae895cf09027c5d308731682df41d84e6283fd08eb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wallpaper.bmp
          Filesize

          675KB

          MD5

          13ab867699e7cc884f60afdcfe8d9540

          SHA1

          fef6b65aa872021fbca0d193b892c5ecc9998e5f

          SHA256

          bb5470f162bf1d78a7bb3e8eb42c235c1963625c6f56d1da6de39b942755065e

          SHA512

          1f806b14bbe35768dc823ce000b742f243dfc400eaba953f9a639992ad74b5aea21f34257241f395ede118a9a2589d0541bf6810058f582d07aff325dbb3ceee

          Download Submit

        • memory/1348-181-0x0000000004C80000-0x0000000004C90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1348-176-0x0000000004C80000-0x0000000004C90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1348-180-0x0000000004C80000-0x0000000004C90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1348-179-0x0000000004C80000-0x0000000004C90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3536-139-0x00000000049C0000-0x00000000049D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3536-136-0x0000000004AA0000-0x0000000004B06000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3536-133-0x0000000000020000-0x0000000000042000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3536-135-0x0000000004A00000-0x0000000004A92000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3536-134-0x0000000004ED0000-0x0000000005474000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4624-145-0x0000000004DF0000-0x0000000004E00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4624-174-0x0000000004DF0000-0x0000000004E00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4624-173-0x0000000004DF0000-0x0000000004E00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4624-172-0x0000000004DF0000-0x0000000004E00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4624-171-0x0000000006A70000-0x0000000006A7A000-memory.dmp

          Filesize

          40KB

          Download