Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2023 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    113KB

  • MD5

    2ae68a2dba8b4d6279d32fb7d70955fa

  • SHA1

    8a575e9c5c64ff797b9a7dca776a816e444f7485

  • SHA256

    fdb6a85d8a54244ce523286412d18ddefbf2b59e54f59576311d9f54e68a398f

  • SHA512

    df0358ec74e4e4d6367b351318277e5e932b6d1a6b4797ac1fcb6fc11374f80c50a62ff79f24bc0846b7623e27ffecdd65e41ca9da52db952d7cb6474d275b44

  • SSDEEP

    3072:06rBzfCEUmPVES5ca+Rop3rMFnobA+sMDJax2XZZji:0OBzfC18ES5dN3rMFnobW12XZZ

Score
10/10
eternityevasionransomware

Malware Config

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\file.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:2416
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:4776
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:2500
        • C:\Users\Admin\AppData\Local\ServiceHub\file.exe
          "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4660
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5080
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:1892
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5040
      • C:\Users\Admin\AppData\Local\ServiceHub\file.exe
        C:\Users\Admin\AppData\Local\ServiceHub\file.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Sets desktop wallpaper using registry
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:220
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            3⤵
              PID:3096

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
          Filesize

          701B

          MD5

          1cfcc2ffa3019d3784f5852dd5547f84

          SHA1

          3fe48e46b1f9df2e3b4a5d8ddd6b1792d3ce7513

          SHA256

          464a15de513b3da8a8d28732020c88a5b3d9e1b08c0d1d0b7248821999dae23a

          SHA512

          76117b61890d2b4abd85a8aad98b8a2f65aeb885efee74206c0b83aa7f305f7b1b62c6ded58fa3042d06298310074f27849f54f52aabb805eb68e5a75eff55de

          Download Submit

        • C:\Users\Admin\AppData\Local\ServiceHub\file.exe
          Filesize

          113KB

          MD5

          2ae68a2dba8b4d6279d32fb7d70955fa

          SHA1

          8a575e9c5c64ff797b9a7dca776a816e444f7485

          SHA256

          fdb6a85d8a54244ce523286412d18ddefbf2b59e54f59576311d9f54e68a398f

          SHA512

          df0358ec74e4e4d6367b351318277e5e932b6d1a6b4797ac1fcb6fc11374f80c50a62ff79f24bc0846b7623e27ffecdd65e41ca9da52db952d7cb6474d275b44

          Download Submit

        • C:\Users\Admin\AppData\Local\ServiceHub\file.exe
          Filesize

          113KB

          MD5

          2ae68a2dba8b4d6279d32fb7d70955fa

          SHA1

          8a575e9c5c64ff797b9a7dca776a816e444f7485

          SHA256

          fdb6a85d8a54244ce523286412d18ddefbf2b59e54f59576311d9f54e68a398f

          SHA512

          df0358ec74e4e4d6367b351318277e5e932b6d1a6b4797ac1fcb6fc11374f80c50a62ff79f24bc0846b7623e27ffecdd65e41ca9da52db952d7cb6474d275b44

          Download Submit

        • C:\Users\Admin\AppData\Local\ServiceHub\file.exe
          Filesize

          113KB

          MD5

          2ae68a2dba8b4d6279d32fb7d70955fa

          SHA1

          8a575e9c5c64ff797b9a7dca776a816e444f7485

          SHA256

          fdb6a85d8a54244ce523286412d18ddefbf2b59e54f59576311d9f54e68a398f

          SHA512

          df0358ec74e4e4d6367b351318277e5e932b6d1a6b4797ac1fcb6fc11374f80c50a62ff79f24bc0846b7623e27ffecdd65e41ca9da52db952d7cb6474d275b44

          Download Submit

        • memory/408-187-0x0000000005530000-0x0000000005540000-memory.dmp

          Filesize

          64KB

          Download

        • memory/408-186-0x0000000005530000-0x0000000005540000-memory.dmp

          Filesize

          64KB

          Download

        • memory/408-185-0x0000000005530000-0x0000000005540000-memory.dmp

          Filesize

          64KB

          Download

        • memory/408-182-0x0000000005530000-0x0000000005540000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4660-180-0x0000000005A10000-0x0000000005A20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4660-178-0x0000000005A10000-0x0000000005A20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4660-179-0x0000000005A10000-0x0000000005A20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4660-177-0x0000000008580000-0x000000000858A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4660-145-0x0000000005A10000-0x0000000005A20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4996-133-0x0000000000F20000-0x0000000000F42000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4996-137-0x0000000005870000-0x0000000005880000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4996-136-0x00000000059C0000-0x0000000005A26000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4996-135-0x00000000058F0000-0x0000000005982000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4996-134-0x0000000005F70000-0x0000000006514000-memory.dmp

          Filesize

          5.6MB

          Download