Overview

overview

10

Static

static

1

37c93873f3...be.exe

windows7-x64

10

37c93873f3...be.exe

windows10-2004-x64

10

Resubmissions

11-12-2023 22:31

231211-2fln2sadgr 10

11-12-2023 22:31

231211-2ffsssbgd8 10

10-01-2023 13:23

230110-qmt38agb55 10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2023 22:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe

  • Size

    272.5MB

  • MD5

    288f11cbc24d805ab059c0fd18b0beb3

  • SHA1

    88a529879a7726a6a4ea96c02f5e49ab884e3f1f

  • SHA256

    37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe

  • SHA512

    422892f79e37b9786ba0883b9e060b5cdefaf6e137dda2efd9ad10de0e211f53e8a076810bd89b9ee40d5f6c4cb85d20ef8711492e43f2adf67aec58607d06f1

  • SSDEEP

    6144:qkE/XiFlYwesDZ9qBP9xjWUxA1eW+qKbLxn604WwMDu9XzQMat/dfJE3aaTRSaGf:z7Fbmd2Msc/WEPjTLTiXpFPZe

Score
10/10
eternitycollection

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe
    "C:\Users\Admin\AppData\Local\Temp\37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:2636
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
              PID:2680
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              4⤵
                PID:1932
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2728
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                4⤵
                  PID:2536
                • C:\Windows\SysWOW64\netsh.exe
                  netsh wlan show profile name="65001" key=clear
                  4⤵
                    PID:1372
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr Key
                    4⤵
                      PID:524
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 124
                  2⤵
                  • Program crash
                  PID:2212

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/1180-0-0x0000000001270000-0x00000000012EB000-memory.dmp

                Filesize

                492KB

                Download

              • memory/2836-1-0x0000000000400000-0x000000000045A000-memory.dmp

                Filesize

                360KB

                Download

              • memory/2836-2-0x0000000000400000-0x000000000045A000-memory.dmp

                Filesize

                360KB

                Download

              • memory/2836-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2836-8-0x0000000000400000-0x000000000045A000-memory.dmp

                Filesize

                360KB

                Download

              • memory/2836-9-0x0000000000400000-0x000000000045A000-memory.dmp

                Filesize

                360KB

                Download

              • memory/2836-10-0x00000000744A0000-0x0000000074B8E000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/2836-11-0x0000000004890000-0x00000000048D0000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2836-12-0x00000000744A0000-0x0000000074B8E000-memory.dmp

                Filesize

                6.9MB

                Download