Resubmissions
  Submitted           Analysis ID         Score
  11-12-2023 22:31    231211-2fln2sadgr   10
  11-12-2023 22:31    231211-2ffsssbgd8   10
  10-01-2023 13:23    230110-qmt38agb55   10

Analysis
  Max time kernel:  122s
  Max time network: 127s
  Platform:         windows7_x64
  Resource:         win7-20231023-en
  Resource tags:    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  Submitted:        11-12-2023 22:31
Static task
  static1

Behavioral task
  behavioral1
    Sample:   37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe
    Resource: win7-20231023-en

Behavioral task
  behavioral2
    Sample:   37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe
    Resource: win10v2004-20231127-en
General
  Target: 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe
  Size:   272.5MB
  MD5:    288f11cbc24d805ab059c0fd18b0beb3
  SHA1:   88a529879a7726a6a4ea96c02f5e49ab884e3f1f
  SHA256: 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe
  SHA512: 422892f79e37b9786ba0883b9e060b5cdefaf6e137dda2efd9ad10de0e211f53e8a076810bd89b9ee40d5f6c4cb85d20ef8711492e43f2adf67aec58607d06f1
  SSDEEP: 6144:qkE/XiFlYwesDZ9qBP9xjWUxA1eW+qKbLxn604WwMDu9XzQMat/dfJE3aaTRSaGf:z7Fbmd2Msc/WEPjTLTiXpFPZe
Malware Config
  Extracted: eternity
  http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Signatures

Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

Uses the Visual Basic .NET compiler (vbc.exe) for execution  1 TTPs
  vbc.exe is the VB.NET command-line compiler shipped with the .NET Framework, not the VBScript engine. In this run it is launched by the sample with no source file or compiler arguments at all (see the process tree), which no legitimate build does; it serves as a trusted, Microsoft-signed host process for the injected payload.
Accesses Microsoft Outlook profiles  1 TTPs  3 IoCs
  Processes:
    vbc.exe  Key opened  \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    vbc.exe  Key opened  \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    vbc.exe  Key opened  \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Looks up external IP address via web service  1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows:
    flow 4  ip-api.com
Suspicious use of SetThreadContext  1 IoCs
  Processes:
    PID 2232  37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe  set thread context of  PID 2284  vbc.exe
  The sample sets the thread context of a vbc.exe it has just spawned with no arguments, after writing to that process's memory (see "Suspicious use of WriteProcessMemory" below). That sequence is consistent with process hollowing: the payload runs inside vbc.exe, which is why all of the stealer activity that follows (Outlook profile reads, processor check, the netsh chains) is attributed to PID 2284 rather than to the sample itself.

Program crash  1 IoCs
  Processes:
    PID 1888  WerFault.exe  target PID 2232  37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe
  The original sample process crashes (WerFault.exe -u -p 2232 -s 124) after the injection; the hollowed vbc.exe keeps running, so the crash does not end the infection.
Checks processor information in registry  2 TTPs  2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    vbc.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
    vbc.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

Suspicious behavior: EnumeratesProcesses  1 IoCs
  Processes:
    PID 2284  vbc.exe

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
  Processes:
    PID 2232  37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe

Suspicious use of AdjustPrivilegeToken  1 IoCs
  Processes:
    PID 2284  vbc.exe  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory  42 IoCs
  Processes (writer -> target, number of entries):
    PID 2232  37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe  ->  PID 2284  vbc.exe       6
    PID 2232  37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe  ->  PID 1888  WerFault.exe  4
    PID 2284  vbc.exe  ->  PID 2968  cmd.exe      4
    PID 2968  cmd.exe  ->  PID 2552  chcp.com     4
    PID 2968  cmd.exe  ->  PID 2496  netsh.exe    4
    PID 2968  cmd.exe  ->  PID 2508  findstr.exe  4
    PID 2284  vbc.exe  ->  PID 2576  cmd.exe      4
    PID 2576  cmd.exe  ->  PID 2928  chcp.com     4
    PID 2576  cmd.exe  ->  PID 2556  netsh.exe    4
    PID 2576  cmd.exe  ->  PID 1300  findstr.exe  4
  Every child spawn in this report is accompanied by a group of four WriteProcessMemory entries from its parent, including the benign chcp/netsh/findstr children, so the count alone says little. The one target that exceeds that baseline is vbc.exe (six entries from the sample), which lines up with the SetThreadContext call above: those extra writes are the injection.
outlook_office_path  1 IoCs
  Processes:
    vbc.exe  Key opened  \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path  1 IoCs
  Processes:
    vbc.exe  Key opened  \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
  C:\Users\Admin\AppData\Local\Temp\37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe  (PID 2232)
    Command line: "C:\Users\Admin\AppData\Local\Temp\37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 2284, child of 2232)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path

      C:\Windows\SysWOW64\cmd.exe  (PID 2968, child of 2284)
        Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com     (PID 2552)  chcp 65001
        C:\Windows\SysWOW64\netsh.exe    (PID 2496)  netsh wlan show profile
        C:\Windows\SysWOW64\findstr.exe  (PID 2508)  findstr All

      C:\Windows\SysWOW64\cmd.exe  (PID 2576, child of 2284)
        Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com     (PID 2928)  chcp 65001
        C:\Windows\SysWOW64\netsh.exe    (PID 2556)  netsh wlan show profile name="65001" key=clear
        C:\Windows\SysWOW64\findstr.exe  (PID 1300)  findstr Key

    C:\Windows\SysWOW64\WerFault.exe  (PID 1888, child of 2232)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 124
      - Program crash

  The two cmd.exe chains under vbc.exe are the stealer's Wi-Fi credential routine: the first lists saved WLAN profiles (the "All User Profile" lines), the second asks netsh for a named profile's stored key in clear text. Note the profile name it asks for: "65001" is not an SSID but the code page number that chcp 65001 prints ("Active code page: 65001"). In cmd.exe the pipe binds tighter than &&, so chcp's output goes straight to stdout rather than through findstr, and the stealer's parser evidently took the text after the colon as a profile name. The netsh ... key=clear command line is the high-value detection point here regardless of the profile name, since it has almost no legitimate use from a non-interactive parent.
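A practitioner reading this report will usually want to turn its behavioural signatures into rules that run over their own telemetry. The Python below is an added example, not part of the report and not the sandbox's own signature engine: it re-implements the report's signatures (a .NET compiler launched with no arguments, cross-process SetThreadContext, netsh wlan ... key=clear, Outlook profile and CentralProcessor registry reads, public-IP lookup) as rules over a constructed event list built from the process tree and IoC tables above. The Event schema, the rule names, the extra compiler names and the IP-lookup hosts other than ip-api.com are this example's own assumptions; the ip-api.com flow is not attributed to a process in the report, so it is recorded with pid 0.

```python
"""Added example: the report's behavioural signatures as rules over event records.

Not part of the report or of the sandbox's own signature engine. The Event
schema, rule names and the event list below are this example's assumptions;
the event values are constructed from the process tree and IoC tables above.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    etype: str          # "process" | "api" | "regkey" | "dns"
    pid: int            # acting process (0 = not attributed by the report)
    image: str = ""     # full path of the acting process
    cmdline: str = ""   # process events: command line as executed
    target: int = 0     # api events: pid whose thread context was set
    key: str = ""       # regkey events: registry path opened or queried
    host: str = ""      # dns events: name resolved


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000"
PROFILE = r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"

# Constructed from the report, reduced to one record per distinct observation.
EVENTS = [
    Event("process", 2232, SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("process", 2284, VBC, cmdline=f'"{VBC}"'),          # no compiler arguments
    Event("api", 2232, SAMPLE, target=2284),                   # SetThreadContext on vbc.exe
    Event("process", 2968, CMD,
          cmdline='"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    Event("process", 2576, CMD,
          cmdline='"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key'),
    Event("process", 2556, r"C:\Windows\SysWOW64\netsh.exe",
          cmdline='netsh wlan show profile name="65001" key=clear'),
    Event("regkey", 2284, VBC, key=HKU + r"\Software\Microsoft\Office\16.0\Outlook" + PROFILE),
    Event("regkey", 2284, VBC, key=HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem" + PROFILE),
    Event("regkey", 2284, VBC, key=r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"),
    Event("dns", 0, host="ip-api.com"),                        # report gives no owning process
]

WIFI_KEY_DUMP = re.compile(r"netsh\s+wlan\s+show\s+profiles?\b.*\bkey=clear", re.I)
OUTLOOK_OFFICE = re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)
OUTLOOK_WIN = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I)
CPU_INFO = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)
# ip-api.com is the host seen in the report; the others are this example's additions.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
# .NET Framework compilers that malware launches as hollow hosts (example's own list).
COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Strip the (possibly quoted) image token and return whatever arguments follow."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def match(events):
    """Return (rule, pid, detail) triples for every event that trips a rule."""
    image_of = {e.pid: e.image for e in events if e.etype == "process"}
    findings = []
    for e in events:
        if e.etype == "process":
            if basename(e.image) in COMPILERS and not args_after_image(e.cmdline):
                findings.append(("compiler_no_args", e.pid, basename(e.image)))
            if WIFI_KEY_DUMP.search(e.cmdline):
                findings.append(("wifi_key_dump", e.pid, e.cmdline))
        elif e.etype == "api":
            # SetThreadContext on a thread of a different image is the hollowing tell.
            if e.target and e.target != e.pid and image_of.get(e.target) != e.image:
                findings.append(("cross_process_setthreadcontext", e.pid,
                                 f"target {e.target} {basename(image_of.get(e.target, '?'))}"))
        elif e.etype == "regkey":
            if OUTLOOK_OFFICE.search(e.key):
                findings.append(("outlook_office_path", e.pid, e.key))
            if OUTLOOK_WIN.search(e.key):
                findings.append(("outlook_win_path", e.pid, e.key))
            if CPU_INFO.search(e.key):
                findings.append(("cpu_info_check", e.pid, e.key))
        elif e.etype == "dns" and e.host.lower() in IP_LOOKUP_HOSTS:
            findings.append(("external_ip_lookup", e.pid, e.host))
    return findings


def pids_by_rule(findings):
    """Collapse findings to {rule: set of pids}, the shape a triage summary wants."""
    out = {}
    for rule, pid, _ in findings:
        out.setdefault(rule, set()).add(pid)
    return out


if __name__ == "__main__":
    for rule, pid, detail in match(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Two design points carry over to real telemetry. The wifi_key_dump rule fires on both the cmd.exe wrapper (2576) and the netsh.exe child (2556) on purpose: command-line matching should not depend on which layer of the chain your sensor happens to log, and duplicates are cheaper to collapse downstream than misses are to recover. The compiler_no_args and cross_process_setthreadcontext rules are the ones that work without the stealer-specific strings; a vbc.exe that is handed no source file, or any process that sets a thread context in a different image, is worth an alert on its own, and here both point at the same PID pair.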