Analysis

max time kernel: 160s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2023, 06:26
Behavioral task behavioral1
Sample: 9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe
Resource: win7-20230831-en

Behavioral task behavioral2
Sample: 9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe
Resource: win10v2004-20230915-en
General

Target: 9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe
Size: 1.9MB
MD5: 5fabaccd5ac598116338a20c7a73594a
SHA1: 8737cce7b8dd1f1c5141aa40cf77556373069842
SHA256: 9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab
SHA512: 4d8f228f2cb8e55b37278950de2a07784709b47c3d7716442a162396499e7f7655d67f0da9b03e55729c5b4b72af7c3781c251b59129b8a436c51dcdd36101d8
SSDEEP: 49152:k1QBsSmVbQ0dYeMqVRI8nEzWbONMVfJzcjpzHiUfoi:k1FSmm0d4qw8wWy+awUf/
Malware Config

Extracted: eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

payload_urls:
http://167.88.170.23/w993.exe
http://167.88.170.23/s101.exe
http://167.88.170.23/101.exe
http://167.88.170.23/R101.exe
Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation (Process: 9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation (Process: 01.SSE NT Salary Payroll Statement Apr 21.exe)

Executes dropped EXE (4 IoCs)
PID 2692: 01.SSE NT Salary Payroll Statement Apr 21.exe
PID 2596: 01.SSE NT Salary Payroll Statement Apr 21.exe
PID 1876: 01.SSE NT Salary Payroll Statement Apr 21.exe
PID 5020: 01.SSE NT Salary Payroll Statement Apr 21.exe

Suspicious use of SetThreadContext (2 IoCs)
PID 2692 set thread context of 2596 (Process: 01.SSE NT Salary Payroll Statement Apr 21.exe, procid_target 97)
PID 1876 set thread context of 5020 (Process: 01.SSE NT Salary Payroll Statement Apr 21.exe, procid_target 107)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 1688: schtasks.exe

Modifies registry class (1 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings (Process: OpenWith.exe)

Runs ping.exe (1 TTPs, 1 IoCs)
PID 180: PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Token: SeDebugPrivilege (PID 5020, Process: 01.SSE NT Salary Payroll Statement Apr 21.exe)

Suspicious use of SetWindowsHookEx (1 IoCs)
PID 3632: OpenWith.exe

Suspicious use of WriteProcessMemory (34 IoCs; identical events grouped, count in parentheses)
PID 3604 wrote to memory of 2692 (Process: 9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe, procid_target 86) (x3)
PID 2692 wrote to memory of 2596 (Process: 01.SSE NT Salary Payroll Statement Apr 21.exe, procid_target 97) (x8)
PID 2596 wrote to memory of 1836 (Process: 01.SSE NT Salary Payroll Statement Apr 21.exe, procid_target 98) (x3)
PID 1836 wrote to memory of 4800 (Process: cmd.exe, procid_target 100) (x3)
PID 1836 wrote to memory of 180 (Process: cmd.exe, procid_target 101) (x3)
PID 1836 wrote to memory of 1688 (Process: cmd.exe, procid_target 102) (x3)
PID 1836 wrote to memory of 1876 (Process: cmd.exe, procid_target 103) (x3)
PID 1876 wrote to memory of 5020 (Process: 01.SSE NT Salary Payroll Statement Apr 21.exe, procid_target 107) (x8)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9cd351491ae286a5e72b3fbb7a370a1c924bb138970b2ac1e6d52b90ea634fab.exe"
    PID: 3604
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\01.SSE NT Salary Payroll Statement Apr 21.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\01.SSE NT Salary Payroll Statement Apr 21.exe"
      PID: 2692
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\01.SSE NT Salary Payroll Statement Apr 21.exe
        command line: "{path}"
        PID: 2596
        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "01.SSE NT Salary Payroll Statement Apr 21" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\01.SSE NT Salary Payroll Statement Apr 21.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe"
          PID: 1836
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\chcp.com
            command line: chcp 65001
            PID: 4800
        [5] C:\Windows\SysWOW64\PING.EXE
            command line: ping 127.0.0.1
            PID: 180
            signatures: Runs ping.exe
        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /tn "01.SSE NT Salary Payroll Statement Apr 21" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe" /rl HIGHEST /f
            PID: 1688
            signatures: Creates scheduled task(s)
        [5] C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe
            command line: "C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe"
            PID: 1876
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\ServiceHub\01.SSE NT Salary Payroll Statement Apr 21.exe
              command line: "{path}"
              PID: 5020
              signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\OpenWith.exe
    command line: C:\Windows\system32\OpenWith.exe "C:\Users\Admin\AppData\Local\ServiceHub\01.SSE"
    PID: 3632
    signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\01.SSE NT Salary Payroll Statement Apr 21.exe.log
Filesize: 1KB
MD5: 84e77a587d94307c0ac1357eb4d3d46f
SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Filesize: 1.8MB
MD5: 68d348019229f619929995cf7f7dfa4d
SHA1: 9e2f888c42d51f91c900bec478e703fe145e1a54
SHA256: 6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077
SHA512: 31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6