Analysis Overview
SHA256
98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502
Threat Level: Known bad
The file 98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502 was found to be: Known bad.
Malicious Activity Summary
Eternity
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 05:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 05:06
Reported
2023-12-11 05:11
Platform
win7-20231130-en
Max time kernel
267s
Max time network
119s
Command Line
Signatures
Eternity
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1592 set thread context of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe
"C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
"C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {6E3F2B18-516D-47AA-9ACE-49314C8732E6} S-1-5-21-2185821622-4133679102-1697169727-1000:QHCIVBOB\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
Network
Files
memory/2856-9-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2856-7-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2856-10-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/2856-5-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2856-13-0x0000000074690000-0x0000000074D7E000-memory.dmp
memory/2856-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2856-3-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2856-2-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2856-1-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2856-0-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
| Hash | Value |
|---|---|
| MD5 | e2f9a535272624448b55d22e2b72807c |
| SHA1 | 315c8f99b76ef56516c7103911e41cc20cd3ea8c |
| SHA256 | 6b52dbed28ab00086be6e3689bd25707c51ce9db321b74936880a73d1d508262 |
| SHA512 | 768c3091d5bf0aa36d98a61979a6f11a37556572aed136cff01b1afc54ccf9296105f2d223009d115394c95ef1d0fdc88adb1f4fe555627c0466d274e50ee4e6 |
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
| Hash | Value |
|---|---|
| MD5 | 8671e933e69cd86f974b94b4b509e843 |
| SHA1 | 5ee42b668c9d8bcc03e1e62be37e5e19537a1f4c |
| SHA256 | a79c48734b00c4288867d6ace73696ab84212242eca79c45ac449a3d2e9d980c |
| SHA512 | 5d7bd38a93aabb36d2b424ceadb0c68ff22eefac53881fde5c0b642a75d52c7af47faaab4f616b0deaf5ec3ab8fe88941c9dc1311b85fc2ae8845d6b05d854b4 |
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
| Hash | Value |
|---|---|
| MD5 | 7825cad99621dd288da81d8d8ae13cf5 |
| SHA1 | f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c |
| SHA256 | 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5 |
| SHA512 | 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 05:06
Reported
2023-12-11 05:11
Platform
win10-20231129-en
Max time kernel
297s
Max time network
298s
Command Line
Signatures
Eternity
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2308 set thread context of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe
"C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
"C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
Files
memory/756-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/756-4-0x0000000009DD0000-0x000000000A2CE000-memory.dmp
memory/756-3-0x0000000073830000-0x0000000073F1E000-memory.dmp
memory/756-13-0x0000000073830000-0x0000000073F1E000-memory.dmp
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
| Hash | Value |
|---|---|
| MD5 | ed16817fec0f4d0be6e124524cf23147 |
| SHA1 | 7922d0f21680a0ab51c87c0a9ed9082badccbb30 |
| SHA256 | 048fa9794227c010cf6d685a834963409e3853e6a3d51356d8ea8df6ccdc2976 |
| SHA512 | e51e9168ae787a2698ceed22334b7e5e8965ef830273eca32bf72473f6365e89c52f17da03f38692edb13b83b6cf46ffdfa0ad63039c20780039b3356d41cae6 |
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
| Hash | Value |
|---|---|
| MD5 | 8671e933e69cd86f974b94b4b509e843 |
| SHA1 | 5ee42b668c9d8bcc03e1e62be37e5e19537a1f4c |
| SHA256 | a79c48734b00c4288867d6ace73696ab84212242eca79c45ac449a3d2e9d980c |
| SHA512 | 5d7bd38a93aabb36d2b424ceadb0c68ff22eefac53881fde5c0b642a75d52c7af47faaab4f616b0deaf5ec3ab8fe88941c9dc1311b85fc2ae8845d6b05d854b4 |
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
| Hash | Value |
|---|---|
| MD5 | 7825cad99621dd288da81d8d8ae13cf5 |
| SHA1 | f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c |
| SHA256 | 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5 |
| SHA512 | 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4 |