Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-10-2023 23:55

General

  • Target

    4a1a3e2e68ef0499b404323d2274dd205d274e07486fb5f5322d45bc91638453.exe

  • Size

    1.8MB

  • MD5

    d1ffd0ba2513053f93441c5d94f50a12

  • SHA1

    8be6fc526a3160dac6ec8b77f31928e41d70d235

  • SHA256

    4a1a3e2e68ef0499b404323d2274dd205d274e07486fb5f5322d45bc91638453

  • SHA512

    93b738f4ff55470b7c71613ef640b7c75493c2c6f8e3ec0bfa4fcff8b400e46f3159e8943f429424e5e2e530b77a6c01dc09d30ca9b677dc731fc03c8c9b19d5

  • SSDEEP

    49152:zvYE24PZjPHHUF1x+XVqu88o4Fx1G8jGbgTUj:TRX8xkVquXoI1G8jmOUj

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a1a3e2e68ef0499b404323d2274dd205d274e07486fb5f5322d45bc91638453.exe
    "C:\Users\Admin\AppData\Local\Temp\4a1a3e2e68ef0499b404323d2274dd205d274e07486fb5f5322d45bc91638453.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\AppData\Local\Temp\final.exe
      "C:\Users\Admin\AppData\Local\Temp\final.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2784
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4064
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:3516
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          4⤵
          PID:3052
        • C:\Windows\system32\findstr.exe
          findstr All
          4⤵
          PID:3644
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2140
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile name="65001" key=clear
          4⤵
          PID:2424
        • C:\Windows\system32\findstr.exe
          findstr Key
          4⤵
          PID:5064
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\final.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:4256
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2268
    • C:\Users\Admin\AppData\Local\Temp\putty.exe
      "C:\Users\Admin\AppData\Local\Temp\putty.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\final.exe

    Filesize

    339KB

    MD5

    4fda94538a7bcac9c4a72e67b2d674d0

    SHA1

    3eb366d65dead522584d16e1a72199c44263895c

    SHA256

    2ecd4f32aca928082ba98c018f846c76604ef800ea8e22642370e3e24f0edb4b

    SHA512

    a9155b440ea2d3146bbaf23107075f6c019dbe646161f2dde77a39bcc7f08efc0a13ff4f3c59d7acc6325d04e1a6639f567a2b04b4d7fb104b271ae2a6290746

  • C:\Users\Admin\AppData\Local\Temp\putty.exe

    Filesize

    1.4MB

    MD5

    47e88c8e89c1e99ca76ec3d8bab8c3d8

    SHA1

    2eb0d2ad0730adaca7a4a8dd32715cd4b3809721

    SHA256

    13d499124f676b7d0e326c36a6af6d9968e8eb6b66f98fcefb166eae22149b7c

    SHA512

    7acde2c6713b70e2344be2a5f76d1867da8ce30bf9a90afb9044b6d65ffee1580e7e18722dd7960304ef583f16833b6cfb62fc648487f076f394401c25ab2fc5

  • memory/2784-16-0x00007FFF4BD80000-0x00007FFF4C841000-memory.dmp

    Filesize

    10.8MB

  • memory/2784-15-0x000002B0BFAC0000-0x000002B0BFB1A000-memory.dmp

    Filesize

    360KB

  • memory/2784-29-0x00007FFF4BD80000-0x00007FFF4C841000-memory.dmp

    Filesize

    10.8MB

  • memory/2784-30-0x000002B0DA260000-0x000002B0DA270000-memory.dmp

    Filesize

    64KB

  • memory/2784-31-0x000002B0DA1A0000-0x000002B0DA1F0000-memory.dmp

    Filesize

    320KB

  • memory/2784-32-0x000002B0DA260000-0x000002B0DA270000-memory.dmp

    Filesize

    64KB

  • memory/2784-34-0x00007FFF4BD80000-0x00007FFF4C841000-memory.dmp

    Filesize

    10.8MB

  • memory/4256-2-0x0000000005190000-0x0000000005734000-memory.dmp

    Filesize

    5.6MB

  • memory/4256-0-0x00000000000B0000-0x0000000000278000-memory.dmp

    Filesize

    1.8MB

  • memory/4256-1-0x0000000074810000-0x0000000074FC0000-memory.dmp

    Filesize

    7.7MB

  • memory/4256-28-0x0000000074810000-0x0000000074FC0000-memory.dmp

    Filesize

    7.7MB