Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
07/10/2023, 04:04
Behavioral task
behavioral1
Sample
242c47b16c8755e72d7d1fdbc9ff0f17.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
242c47b16c8755e72d7d1fdbc9ff0f17.exe
Resource
win10v2004-20230915-en
General
-
Target
242c47b16c8755e72d7d1fdbc9ff0f17.exe
-
Size
334KB
-
MD5
242c47b16c8755e72d7d1fdbc9ff0f17
-
SHA1
445486022335d121378877268cfc5a0625b53e4f
-
SHA256
3898dfa5cb6bbc6d6c48c202d31333d3b214d0f2ac7c4396eb54d6ed09bf24ba
-
SHA512
f46985cb70a351a57fcf2dfb4b6a0733ac26b93c09daecadc611c5c80e749cc5a52fe10b03a761a4c6de903f3f79bacde7c1f61d056e51040d55bb1ee77317b1
-
SSDEEP
6144:ge1/duat9Ej/QUsovmgk17/G1aQx9pf7IWbhrC:ge1/dUso61gVRI
Malware Config
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 242c47b16c8755e72d7d1fdbc9ff0f17.exe Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 242c47b16c8755e72d7d1fdbc9ff0f17.exe Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 242c47b16c8755e72d7d1fdbc9ff0f17.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 242c47b16c8755e72d7d1fdbc9ff0f17.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 242c47b16c8755e72d7d1fdbc9ff0f17.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4860 242c47b16c8755e72d7d1fdbc9ff0f17.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4860 242c47b16c8755e72d7d1fdbc9ff0f17.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4860 wrote to memory of 4512 4860 242c47b16c8755e72d7d1fdbc9ff0f17.exe 83 PID 4860 wrote to memory of 4512 4860 242c47b16c8755e72d7d1fdbc9ff0f17.exe 83 PID 4512 wrote to memory of 628 4512 cmd.exe 85 PID 4512 wrote to memory of 628 4512 cmd.exe 85 PID 4512 wrote to memory of 1532 4512 cmd.exe 86 PID 4512 wrote to memory of 1532 4512 cmd.exe 86 PID 4512 wrote to memory of 460 4512 cmd.exe 87 PID 4512 wrote to memory of 460 4512 cmd.exe 87 PID 4860 wrote to memory of 3664 4860 242c47b16c8755e72d7d1fdbc9ff0f17.exe 89 PID 4860 wrote to memory of 3664 4860 242c47b16c8755e72d7d1fdbc9ff0f17.exe 89 PID 3664 wrote to memory of 3804 3664 cmd.exe 91 PID 3664 wrote to memory of 3804 3664 cmd.exe 91 PID 3664 wrote to memory of 1300 3664 cmd.exe 92 PID 3664 wrote to memory of 1300 3664 cmd.exe 92 PID 3664 wrote to memory of 4620 3664 cmd.exe 93 PID 3664 wrote to memory of 4620 3664 cmd.exe 93 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 242c47b16c8755e72d7d1fdbc9ff0f17.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 242c47b16c8755e72d7d1fdbc9ff0f17.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\242c47b16c8755e72d7d1fdbc9ff0f17.exe"C:\Users\Admin\AppData\Local\Temp\242c47b16c8755e72d7d1fdbc9ff0f17.exe"1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4860 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:628
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵PID:1532
-
-
C:\Windows\system32\findstr.exefindstr All3⤵PID:460
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key2⤵
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:3804
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear3⤵PID:1300
-
-
C:\Windows\system32\findstr.exefindstr Key3⤵PID:4620
-
-