Overview

overview

10

Static

static

3

869395ac2a...d9.exe

windows7-x64

10

869395ac2a...d9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2024 09:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    869395ac2a88f6de036daf942d0b86d9.exe

  • Size

    913KB

  • MD5

    869395ac2a88f6de036daf942d0b86d9

  • SHA1

    42fbe6f668153bcb850c13677efe924e835c229f

  • SHA256

    cd72f8f3af6f9d098b3da55db5f7869ab75ec679e0c302f790faffc0fa6c47b5

  • SHA512

    e2e8492442edcfec16553def0cae3361f744bc8f095b4863dbc745ac3e72c75e1be83bbb0bb69da4f74fcaaba2b35123222706508c0d1f0e05e22cbcb75390d9

  • SSDEEP

    24576:rMYtHtnX4mHxjdibimBr4aOCZv4NPjgcwmIlSklG9:dtHtnX4mHObiMr4HCZvRzlJl

Score
10/10
eternityevasionstealertrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detects Eternity stealer 3 IoCs
    stealer
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\869395ac2a88f6de036daf942d0b86d9.exe
    "C:\Users\Admin\AppData\Local\Temp\869395ac2a88f6de036daf942d0b86d9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Users\Admin\AppData\Local\Temp\tmp635D.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp635D.tmp.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vx4dubqg.mgm.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp635D.tmp.exe
    Filesize

    773KB

    MD5

    dc5192329dc71958f460193835310ed9

    SHA1

    6f171f7ef734e280153b56978cabb9604b8294a8

    SHA256

    69ce5992d02bacc6455145b67c0acf42cda7860d2f309f7273dc8b7d8e63b83f

    SHA512

    39f908d160bc36c114c49806fb4ba46c359479347a24ab86e906530ef65a5258ee07a82879a8041f7cc3d7f2eecacfef2468fc40686eb29661a74f844d8dde7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp635D.tmp.exe
    Filesize

    904KB

    MD5

    5bc9eac8653703bf899d63f49466773e

    SHA1

    49fc8ed3bf850f9f4f59dba04dd7a2ae453334b1

    SHA256

    02c72fe8fc25c0069b619cbfe9bd223af3b791db1ceff2b37dbb0b5697c2306d

    SHA512

    0709490737c0b3fc46f107a74e2a9f62705006c596280af31b23fe6ec20a0e411af294af569f0204ea20111152c47de2f13fab4f0f724f36c90ebd78ba05d352

    Download Submit

  • memory/3424-1-0x000000001B600000-0x000000001B6A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3424-2-0x0000000000F90000-0x0000000000FA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3424-4-0x00007FFA500D0000-0x00007FFA50A71000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3424-17-0x00007FFA500D0000-0x00007FFA50A71000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3424-0-0x00007FFA500D0000-0x00007FFA50A71000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3456-36-0x00007FFA4DCD0000-0x00007FFA4E791000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3456-37-0x00000138EF370000-0x00000138EF380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3456-41-0x00007FFA4DCD0000-0x00007FFA4E791000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3456-32-0x00000138EF480000-0x00000138EF4A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3456-38-0x00000138EF370000-0x00000138EF380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4044-23-0x0000000002E90000-0x0000000002EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4044-25-0x0000000002E90000-0x0000000002EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4044-19-0x0000000002E30000-0x0000000002E80000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4044-18-0x00007FFA4DCD0000-0x00007FFA4E791000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4044-24-0x0000000002E90000-0x0000000002EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4044-16-0x0000000000C60000-0x0000000000D4A000-memory.dmp

    Filesize

    936KB

    Download

  • memory/4044-22-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4044-21-0x0000000002DF0000-0x0000000002E2E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4044-20-0x00007FFA4DCD0000-0x00007FFA4E791000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4044-42-0x00007FFA4DCD0000-0x00007FFA4E791000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4044-43-0x00007FFA4DCD0000-0x00007FFA4E791000-memory.dmp

    Filesize

    10.8MB

    Download