Resubmissions
11-12-2023 22:31
231211-2fln2sadgr 1011-12-2023 22:31
231211-2ffsssbgd8 1010-01-2023 13:23
230110-qmt38agb55 10Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
11-12-2023 22:31
Static task
static1
Behavioral task
behavioral1
Sample
37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe
Resource
win10v2004-20231127-en
General
-
Target
37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe
-
Size
272.5MB
-
MD5
288f11cbc24d805ab059c0fd18b0beb3
-
SHA1
88a529879a7726a6a4ea96c02f5e49ab884e3f1f
-
SHA256
37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe
-
SHA512
422892f79e37b9786ba0883b9e060b5cdefaf6e137dda2efd9ad10de0e211f53e8a076810bd89b9ee40d5f6c4cb85d20ef8711492e43f2adf67aec58607d06f1
-
SSDEEP
6144:qkE/XiFlYwesDZ9qBP9xjWUxA1eW+qKbLxn604WwMDu9XzQMat/dfJE3aaTRSaGf:z7Fbmd2Msc/WEPjTLTiXpFPZe
Malware Config
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exedescription pid process target process PID 1180 set thread context of 2836 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2212 1180 WerFault.exe 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 vbc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier vbc.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
vbc.exepid process 2836 vbc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exepid process 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 2836 vbc.exe -
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exevbc.execmd.execmd.exedescription pid process target process PID 1180 wrote to memory of 2836 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe vbc.exe PID 1180 wrote to memory of 2836 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe vbc.exe PID 1180 wrote to memory of 2836 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe vbc.exe PID 1180 wrote to memory of 2836 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe vbc.exe PID 1180 wrote to memory of 2836 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe vbc.exe PID 1180 wrote to memory of 2836 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe vbc.exe PID 1180 wrote to memory of 2212 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe WerFault.exe PID 1180 wrote to memory of 2212 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe WerFault.exe PID 1180 wrote to memory of 2212 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe WerFault.exe PID 1180 wrote to memory of 2212 1180 37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe WerFault.exe PID 2836 wrote to memory of 2572 2836 vbc.exe cmd.exe PID 2836 wrote to memory of 2572 2836 vbc.exe cmd.exe PID 2836 wrote to memory of 2572 2836 vbc.exe cmd.exe PID 2836 wrote to memory of 2572 2836 vbc.exe cmd.exe PID 2572 wrote to memory of 2636 2572 cmd.exe chcp.com PID 2572 wrote to memory of 2636 2572 cmd.exe chcp.com PID 2572 wrote to memory of 2636 2572 cmd.exe chcp.com PID 2572 wrote to memory of 2636 2572 cmd.exe chcp.com PID 2572 wrote to memory of 2680 2572 cmd.exe netsh.exe PID 2572 wrote to memory of 2680 2572 cmd.exe netsh.exe PID 2572 wrote to memory of 2680 2572 cmd.exe netsh.exe PID 2572 wrote to memory of 2680 2572 cmd.exe netsh.exe PID 2572 wrote to memory of 1932 2572 cmd.exe findstr.exe PID 2572 wrote to memory of 1932 2572 cmd.exe findstr.exe PID 2572 wrote to memory of 1932 2572 cmd.exe findstr.exe PID 2572 wrote to memory of 1932 2572 cmd.exe findstr.exe PID 2836 wrote to memory of 2728 2836 vbc.exe cmd.exe PID 2836 wrote to memory of 2728 2836 vbc.exe cmd.exe PID 2836 wrote to memory of 2728 2836 vbc.exe cmd.exe PID 2836 wrote to memory of 2728 2836 vbc.exe cmd.exe PID 2728 wrote to memory of 2536 2728 cmd.exe chcp.com PID 2728 wrote to memory of 2536 2728 cmd.exe chcp.com PID 2728 wrote to memory of 2536 2728 cmd.exe chcp.com PID 2728 wrote to memory of 2536 2728 cmd.exe chcp.com PID 2728 wrote to memory of 1372 2728 cmd.exe netsh.exe PID 2728 wrote to memory of 1372 2728 cmd.exe netsh.exe PID 2728 wrote to memory of 1372 2728 cmd.exe netsh.exe PID 2728 wrote to memory of 1372 2728 cmd.exe netsh.exe PID 2728 wrote to memory of 524 2728 cmd.exe findstr.exe PID 2728 wrote to memory of 524 2728 cmd.exe findstr.exe PID 2728 wrote to memory of 524 2728 cmd.exe findstr.exe PID 2728 wrote to memory of 524 2728 cmd.exe findstr.exe -
outlook_office_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
outlook_win_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe"C:\Users\Admin\AppData\Local\Temp\37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2836 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:2636
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵PID:2680
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵PID:1932
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key3⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:2536
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile name="65001" key=clear4⤵PID:1372
-
C:\Windows\SysWOW64\findstr.exefindstr Key4⤵PID:524
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1242⤵
- Program crash
PID:2212