Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 132s
max time network: 149s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted: 10/10/2023, 06:26
Behavioral task
behavioral1
Sample
9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe
Resource
win10v2004-20230915-en
General
Target: 9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe
Size: 1.9MB
MD5: 5fabaccd5ac598116338a20c7a73594a
SHA1: 8737cce7b8dd1f1c5141aa40cf77556373069842
SHA256: 9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab
SHA512: 4d8f228f2cb8e55b37278950de2a07784709b47c3d7716442a162396499e7f7655d67f0da9b03e55729c5b4b72af7c3781c251b59129b8a436c51dcdd36101d8
SSDEEP: 49152:k1QBsSmVbQ0dYeMqVRI8nEzWbONMVfJzcjpzHiUfoi:k1FSmm0d4qw8wWy+awUf/
Malware Config
Extracted
Family: eternity
C2: http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
payload_urls:
http://167.88.170.23/w993.exe
http://167.88.170.23/s101.exe
http://167.88.170.23/101.exe
http://167.88.170.23/R101.exe
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Executes dropped EXE (4 IoCs)
PID   Process
2544  01.SSE NT Salary Payroll Statement Apr 21.exe
3056  01.SSE NT Salary Payroll Statement Apr 21.exe
1512  01.SSE NT Salary Payroll Statement Apr 21.exe
1932  01.SSE NT Salary Payroll Statement Apr 21.exe
-
Loads dropped DLL (3 IoCs)
PID   Process
1692  9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe
2544  01.SSE NT Salary Payroll Statement Apr 21.exe
2916  cmd.exe
-
Suspicious use of SetThreadContext (2 IoCs)
Description                           PID   Process                                         procid_target
PID 2544 set thread context of 3056   2544  01.SSE NT Salary Payroll Statement Apr 21.exe   31
PID 1512 set thread context of 1932   1512  01.SSE NT Salary Payroll Statement Apr 21.exe   39
In both cases the target is a child started from the same image with a literal "{path}" command line (see the process tree below), and the same parent also writes to that child nine times. That pairing is consistent with a RunPE-style self-injection: the parent spawns a copy of its own image, overwrites it with the real payload, and redirects the child's thread to it.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID   Process
2768  schtasks.exe
-
Runs ping.exe (1 TTP, 1 IoC)
PID   Process
2628  PING.EXE
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Description              PID   Process
Token: SeDebugPrivilege  1932  01.SSE NT Salary Payroll Statement Apr 21.exe
-
Suspicious use of WriteProcessMemory (42 IoCs)
The raw report lists one row per call; identical rows are grouped here with their count.
Source PID  Source process                                                          Target PID  procid_target  Calls
1692        9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe   2544        29             4
2544        01.SSE NT Salary Payroll Statement Apr 21.exe                           3056        31             9
3056        01.SSE NT Salary Payroll Statement Apr 21.exe                           2916        32             4
2916        cmd.exe                                                                 2496        34             4
2916        cmd.exe                                                                 2628        35             4
2916        cmd.exe                                                                 2768        36             4
2916        cmd.exe                                                                 1512        37             4
1512        01.SSE NT Salary Payroll Statement Apr 21.exe                           1932        39             9
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe"
  PID: 1692
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\01.SSE NT Salary Payroll Statement Apr 21.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\01.SSE NT Salary Payroll Statement Apr 21.exe"
    PID: 2544
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\01.SSE NT Salary Payroll Statement Apr 21.exe
      Command line: "{path}"
      PID: 3056
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "01.SSE NT Salary Payroll Statement Apr 21" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\01.SSE NT Salary Payroll Statement Apr 21.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe"
        PID: 2916
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
          PID: 2496

        [depth 5] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 2628
          - Runs ping.exe

        [depth 5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "01.SSE NT Salary Payroll Statement Apr 21" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe" /rl HIGHEST /f
          PID: 2768
          - Creates scheduled task(s)

        [depth 5] C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe
          Command line: "C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe"
          PID: 1512
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe
            Command line: "{path}"
            PID: 1932
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {290B881A-5221-43E1-86C5-FAD1BFB25C14} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
  PID: 2480

Read top-down, the chain is: the submitted sample runs the payroll-themed stager it dropped in Temp; the stager relaunches its own image with a "{path}" argv and sets that child's thread context; the child uses cmd.exe to register a scheduled task that runs the same-named binary under AppData\Local\ServiceHub every minute at the HIGHEST run level, deletes the Temp copy (the loopback ping serves as a short delay before the delete), and starts the ServiceHub binary, which repeats the self-relaunch and then enables SeDebugPrivilege. taskeng.exe is the Windows 7 Task Scheduler engine for the interactive session; it appears as a second root because it hosts the task launch. The persistence artefacts to look for on a host are therefore the task name "01.SSE NT Salary Payroll Statement Apr 21" and the ServiceHub path above.
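The three behaviours visible in the tree above (an every-minute HIGHEST task pointing into a user-writable directory, a cmd.exe chain that pings loopback, deletes the caller's image and starts the relocated copy, and an image relaunching itself with a literal "{path}" argv ahead of the SetThreadContext calls) can be turned into process-creation detection logic. The following Python is an added example, not code from tria.ge or from the Eternity kit; the event layout (pid, ppid, image, cmdline) is an assumption to be mapped onto Sysmon Event ID 1 or an EDR feed, and the events are constructed from the report's own command lines.

```python
"""Detection logic for the behaviours in this report's process tree (added
example, not tria.ge code).  Event layout (pid, ppid, image, cmdline) is an
assumption; map it onto Sysmon Event ID 1 or your EDR's process-start feed."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent unknown (the report does not show the root's parent)
    image: str
    cmdline: str


STAGER = "01.SSE NT Salary Payroll Statement Apr 21.exe"
TASK = "01.SSE NT Salary Payroll Statement Apr 21"
TEMP_STAGER = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", STAGER)
HUB_STAGER = ntpath.join(r"C:\Users\Admin\AppData\Local\ServiceHub", STAGER)
SAMPLE = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp",
                     "9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe")
SCHTASKS = f'schtasks /create /tn "{TASK}" /sc MINUTE /tr "{HUB_STAGER}" /rl HIGHEST /f'
CMD = (f'"C:\\Windows\\System32\\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && {SCHTASKS} '
       f'&& DEL /F /S /Q /A "{TEMP_STAGER}" &&START "" "{HUB_STAGER}"')

# Constructed events mirroring the report's tree (chcp and ping children omitted).
EVENTS = [
    ProcEvent(1692, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2544, 1692, TEMP_STAGER, f'"{TEMP_STAGER}"'),
    ProcEvent(3056, 2544, TEMP_STAGER, '"{path}"'),
    ProcEvent(2916, 3056, r"C:\Windows\SysWOW64\cmd.exe", CMD),
    ProcEvent(2768, 2916, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS),
    ProcEvent(1512, 2916, HUB_STAGER, f'"{HUB_STAGER}"'),
    ProcEvent(1932, 1512, HUB_STAGER, '"{path}"'),
]

SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b(?P<args>.*)", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
PING_LOOPBACK_RE = re.compile(r"\bping\b[^&]*\b(127\.0\.0\.1|localhost)\b", re.I)
DEL_RE = re.compile(r'\bDEL\b[^"&]*"([^"]+)"', re.I)
START_RE = re.compile(r'\bSTART\s+""\s+"([^"]+)"', re.I)


def parse_schtasks(cmdline):
    """Return {tn, sc, tr, rl} from a 'schtasks /create' command line, else None."""
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return None
    parsed = {}
    for flag in ("tn", "sc", "tr", "rl"):
        fm = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', m.group("args"), re.I)
        if fm:
            parsed[flag] = fm.group(1) if fm.group(1) is not None else fm.group(2)
    return parsed


def flag_persistence(ev):
    """Every-minute, elevated task whose action binary sits in a user-writable path."""
    task = parse_schtasks(ev.cmdline)
    if not task or "tr" not in task:
        return None
    reasons = []
    if task.get("sc", "").upper() == "MINUTE":
        reasons.append("schedule MINUTE (relaunched every minute)")
    if task.get("rl", "").upper() == "HIGHEST":
        reasons.append("run level HIGHEST")
    if USER_WRITABLE_RE.search(task["tr"]):
        reasons.append("action binary under a user-writable directory")
    return {"task": task.get("tn"), "reasons": reasons} if reasons else None


def flag_self_relocation(ev, parent):
    """cmd.exe chain: loopback ping as a delay, DEL of the caller's image, START of a copy."""
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    d, s = DEL_RE.search(ev.cmdline), START_RE.search(ev.cmdline)
    if not (d and s and PING_LOOPBACK_RE.search(ev.cmdline)):
        return None
    return {"deleted": d.group(1), "started": s.group(1),
            "deletes_parent_image": parent is not None
            and d.group(1).lower() == parent.image.lower()}


def flag_self_spawn(ev, parent):
    """Image relaunched by itself with a literal "{path}" argv (the injection target)."""
    if parent is None or parent.image.lower() != ev.image.lower():
        return None
    return {"parent": parent.pid} if ev.cmdline.strip() == '"{path}"' else None


def analyze(events):
    """Return (pid, rule, detail) triples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        checks = (("scheduled_task_persistence", flag_persistence(ev)),
                  ("self_delete_and_relocate", flag_self_relocation(ev, parent)),
                  ("self_spawn_placeholder_argv", flag_self_spawn(ev, parent)))
        findings.extend((ev.pid, rule, hit) for rule, hit in checks if hit)
    return findings
```

Run against the constructed events, `analyze(EVENTS)` flags PID 2916 twice (the task creation inside the cmd.exe chain and the self-delete-and-relocate pattern, with the deleted path matching its parent's image), PID 2768 for the task itself, and PIDs 3056 and 1932 as same-image children launched with the "{path}" placeholder. The "{path}" check is deliberately narrow; if your telemetry also exposes the SetThreadContext or suspended-create events, joining on them is a stronger signal than the argv alone.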
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.8MB
MD5: 68d348019229f619929995cf7f7dfa4d
SHA1: 9e2f888c42d51f91c900bec478e703fe145e1a54
SHA256: 6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077
SHA512: 31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6