Overview

overview

10

Static

static

3

f50ddcaf5b...ad.exe

windows7-x64

1

f50ddcaf5b...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2024 10:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f50ddcaf5bc8b56906d6f2241ca0ebad.exe

  • Size

    1000KB

  • MD5

    f50ddcaf5bc8b56906d6f2241ca0ebad

  • SHA1

    c9b9fa042cf45faf7e5d3dc33e351696379fb814

  • SHA256

    a7ffba3e41ce82350677836a511daec0e105d77cc722bafc77007235eab2f1d4

  • SHA512

    ace5a42f2d9c5ca196ffe6c8c87a5234a313f4ed3fba2d495d479b702b12f973478d21211f095b6c159d07d30069a19527b624426d2fd9475c534bb3fb14e42a

  • SSDEEP

    12288:Q3kDGEKq16IT82UhlTlP/cG+TgtX7y08TISFSBa+ltGdElfkMJVqUra/6p6O:9fTzSt9wISgBa6tGal8MGcaSf

Score
10/10
eternitycollection

Malware Config

Extracted

Family

eternity

C2

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Blocklisted process makes network request 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f50ddcaf5bc8b56906d6f2241ca0ebad.exe
    "C:\Users\Admin\AppData\Local\Temp\f50ddcaf5bc8b56906d6f2241ca0ebad.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:2140
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5036
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
              PID:4928
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show profile
              5⤵
                PID:3116
              • C:\Windows\SysWOW64\findstr.exe
                findstr All
                5⤵
                  PID:1200
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3604
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  5⤵
                    PID:700
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show profile name="65001" key=clear
                    5⤵
                      PID:4612
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr Key
                      5⤵
                        PID:972

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4i3saszj.zrg.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • memory/2140-46-0x0000000016ED0000-0x0000000016EE0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2140-48-0x0000000016ED0000-0x0000000016EE0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2140-44-0x0000000016D00000-0x0000000016D5A000-memory.dmp

                Filesize

                360KB

                Download

              • memory/2140-55-0x00000000748F0000-0x00000000750A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2140-47-0x0000000016ED0000-0x0000000016EE0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2140-43-0x0000000000700000-0x0000000000759000-memory.dmp

                Filesize

                356KB

                Download

              • memory/2140-49-0x0000000016ED0000-0x0000000016EE0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2140-50-0x0000000018330000-0x0000000018380000-memory.dmp

                Filesize

                320KB

                Download

              • memory/2140-45-0x00000000748F0000-0x00000000750A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3480-0-0x00000000748F0000-0x00000000750A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3480-8-0x0000000005760000-0x00000000057FC000-memory.dmp

                Filesize

                624KB

                Download

              • memory/3480-53-0x00000000748F0000-0x00000000750A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3480-7-0x0000000005660000-0x0000000005670000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3480-2-0x0000000005A20000-0x0000000005FC4000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/3480-6-0x00000000748F0000-0x00000000750A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3480-1-0x0000000000970000-0x0000000000A70000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/3480-5-0x00000000054B0000-0x00000000054BA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3480-4-0x0000000005660000-0x0000000005670000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3480-3-0x0000000005510000-0x00000000055A2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/3480-9-0x0000000005940000-0x00000000059A6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4144-28-0x0000000006AD0000-0x0000000006B1C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4144-29-0x0000000006EC0000-0x0000000006F04000-memory.dmp

                Filesize

                272KB

                Download

              • memory/4144-31-0x0000000007BF0000-0x0000000007C66000-memory.dmp

                Filesize

                472KB

                Download

              • memory/4144-32-0x0000000008330000-0x00000000089AA000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/4144-33-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

                Filesize

                104KB

                Download

              • memory/4144-34-0x00000000748F0000-0x00000000750A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4144-35-0x0000000005490000-0x00000000054A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4144-37-0x0000000005490000-0x00000000054A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4144-38-0x0000000008060000-0x0000000008192000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/4144-39-0x0000000005490000-0x00000000054A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4144-40-0x000000001B9E0000-0x000000001BA02000-memory.dmp

                Filesize

                136KB

                Download

              • memory/4144-30-0x0000000005490000-0x00000000054A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4144-27-0x0000000006950000-0x000000000696E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/4144-26-0x0000000006380000-0x00000000066D4000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4144-21-0x0000000006230000-0x0000000006296000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4144-15-0x0000000005A60000-0x0000000005A82000-memory.dmp

                Filesize

                136KB

                Download

              • memory/4144-14-0x0000000005AD0000-0x00000000060F8000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/4144-11-0x00000000748F0000-0x00000000750A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4144-12-0x0000000005490000-0x00000000054A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4144-51-0x00000000748F0000-0x00000000750A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4144-13-0x0000000005490000-0x00000000054A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4144-10-0x0000000005380000-0x00000000053B6000-memory.dmp

                Filesize

                216KB

                Download