Analysis

  • max time kernel
    261s
  • max time network
    308s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10-20231023-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    26/11/2023, 22:33

General

  • Target

    bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe

  • Size

    1.6MB

  • MD5

    3ff60bb00b635f8d94673252138c1319

  • SHA1

    a41e71b7583d5b49f82b6afaab70f9d89c77e4d5

  • SHA256

    bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169

  • SHA512

    2d1da58a7021c9932a37f9be4569c19483b4a2dc169ccf0f978d21aa7720bb4bb7b822de693deebf2bedd0c12e370fc43ff7f0498cfa85d0ba0bf6da36d64d26

  • SSDEEP

    49152:5ojy+A3cPEDkG+4LNl1R0FuWrDn74Vy6cewVs0B1H0:5ojyUMDVBr0FnrDTVtZ

Score
10/10

Malware Config

Extracted

Family

eternity

C2

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Executes dropped EXE (2 IoCs)
  • Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoCs)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (41 IoCs)
  • outlook_office_path (1 IoCs)
  • outlook_win_path (1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
    "C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:696
    • C:\Users\Admin\AppData\Roaming\ms_update.exe
      "C:\Users\Admin\AppData\Roaming\ms_update.exe"
      2⤵
      • Executes dropped EXE
      PID:5000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 148
        3⤵
        • Program crash
        PID:2420
    • C:\Users\Admin\AppData\Roaming\ms_updater.exe
      "C:\Users\Admin\AppData\Roaming\ms_updater.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:2508
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
          • Accesses Microsoft Outlook profiles
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:2840
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4984
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:4448
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show profile
                5⤵
                  PID:4200
                • C:\Windows\SysWOW64\findstr.exe
                  findstr All
                  5⤵
                    PID:2864
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1316
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    5⤵
                      PID:2996
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh wlan show profile name="65001" key=clear
                      5⤵
                        PID:3688
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr Key
                        5⤵
                          PID:4164

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\ms_update.exe
    Filesize: 917KB
    MD5: 752e7cc2c62a2e72bf3fb831587a3ec8
    SHA1: 99cf461ed01e827cc563046e3521e396b74b1499
    SHA256: 460454df164ddab147f172549c39ff33a3f54ec09f49f809119eb69a67698731
    SHA512: c688c424e81be011db52312148be14ce4836657916dfed270b445b74682488fdb63b583e1c1124a14c2ddb049486182dff599faa8c41b2d1eced1e2d2e25e318

  • C:\Users\Admin\AppData\Roaming\ms_updater.exe
    Filesize: 443KB
    MD5: 8a2c454b6571e226223f0f0ffc03f58b
    SHA1: c5c83e9769d35c7ac5efa45d228117453b87621e
    SHA256: 7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36
    SHA512: c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

  • memory/2840-9-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize: 360KB

  • memory/2840-12-0x00000000732C0000-0x00000000739AE000-memory.dmp
    Filesize: 6.9MB

  • memory/2840-13-0x00000000099E0000-0x0000000009EDE000-memory.dmp
    Filesize: 5.0MB

  • memory/2840-14-0x0000000009550000-0x00000000095B6000-memory.dmp
    Filesize: 408KB

  • memory/2840-15-0x0000000009940000-0x0000000009950000-memory.dmp
    Filesize: 64KB

  • memory/2840-16-0x000000000A2F0000-0x000000000A382000-memory.dmp
    Filesize: 584KB

  • memory/2840-20-0x000000000AAF0000-0x000000000AB40000-memory.dmp
    Filesize: 320KB

  • memory/2840-23-0x000000000ADE0000-0x000000000AE7C000-memory.dmp
    Filesize: 624KB

  • memory/2840-31-0x00000000732C0000-0x00000000739AE000-memory.dmp
    Filesize: 6.9MB