Overview

overview

10

Static

static

3

NEAS.86935...e0.exe

windows7-x64

10

NEAS.86935...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2023 16:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.8693548357f9556e04d86a07ce8bc1e0.exe

  • Size

    484KB

  • MD5

    8693548357f9556e04d86a07ce8bc1e0

  • SHA1

    5d445512f1d85562409f39ba881fdc111e0bd781

  • SHA256

    93ff4def71ab15e25c20be5f917d359c23bfb7bf25728837f4f93c8ee2f825a5

  • SHA512

    37b727180052b17780d2d4a6d393fe1ea5d12bbdfdd67af351484b3e7ca22dde1c04cb2f0c653851796298e697ee9a20d71bd680e6c057485a316a7eb725b96f

  • SSDEEP

    6144:jSiQNghYd0/nf1LxBmestlJWtYOx/YMzdNbFsjPBYL:eiQf6/nRyhtlJWtXzd4jPa

Score
10/10
eternitycollectionspywarestealer

Malware Config

Extracted

Family

eternity

C2

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.8693548357f9556e04d86a07ce8bc1e0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.8693548357f9556e04d86a07ce8bc1e0.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:3088
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3844
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:376
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:4020
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:3472

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3088-0-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/3088-1-0x00000000006D0000-0x000000000072A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/3088-5-0x0000000074FE0000-0x0000000075790000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3088-6-0x0000000004B50000-0x00000000050F4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3088-7-0x0000000005200000-0x0000000005210000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3088-8-0x0000000005A90000-0x0000000005B22000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3088-9-0x0000000005B30000-0x0000000005B96000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3088-10-0x0000000006120000-0x0000000006170000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3088-11-0x0000000005FB0000-0x000000000604C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/3088-12-0x0000000000400000-0x000000000047D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/3088-13-0x0000000074FE0000-0x0000000075790000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3088-14-0x0000000005200000-0x0000000005210000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3088-17-0x0000000074FE0000-0x0000000075790000-memory.dmp

          Filesize

          7.7MB

          Download