Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-02-2024 21:23

General

  • Target

    8d611985cb8101c86c2808c5977781287846a2ed0b4f196de61ac632c1f46ed7.exe

  • Size

    932KB

  • MD5

    515544fb6f33abfff7b83f4c3589c3d9

  • SHA1

    53aa5502a94a12326b3f2799a28b2782c38e6168

  • SHA256

    8d611985cb8101c86c2808c5977781287846a2ed0b4f196de61ac632c1f46ed7

  • SHA512

    60b760308b41a2deaac615d78865fa893d6721652044f6b05a950fd9535eabef1e6613ce9b2e1265d83d48121d3c97a051c9e9f4d11d60e0c7cf6e35a3168ca8

  • SSDEEP

    24576:WwT7rC6qb3RhaoHAOk+UFenpumfuiEkZJ8:PrC6qb3NAOUSuMu/d

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detects Eternity stealer 1 IoCs
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d611985cb8101c86c2808c5977781287846a2ed0b4f196de61ac632c1f46ed7.exe
    "C:\Users\Admin\AppData\Local\Temp\8d611985cb8101c86c2808c5977781287846a2ed0b4f196de61ac632c1f46ed7.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Drops startup file
    • Windows security modification
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Users\Admin\AppData\Local\Temp\dcd.exe
      "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
      2⤵
      • Executes dropped EXE
      PID:2540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2336
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1840 -s 1576
      2⤵
      PID:2028

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      dadfafcd1dc9fe98f74e728787b021e1

      SHA1

      2501ea4fb6492f1c262f780fce1a114aaade3d30

      SHA256

      cdef4b6b1443afd38f4df18f87027be1fb24af42ee71bbcdda720993de2087e9

      SHA512

      71386ff2db25436c34d1b82f722f7d65a75c126fb7f7edc7d3aa9ca6fda98c8dbc494e2c88dad04bd51bb9f28619703909d0a50ef3af9e830a9f69ef8e754438

    • C:\Users\Admin\AppData\Local\Temp\Tar32B9.tmp

      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    • C:\Users\Admin\AppData\Local\Temp\dcd.exe

      Filesize

      227KB

      MD5

      b5ac46e446cead89892628f30a253a06

      SHA1

      f4ad1044a7f77a1b02155c3a355a1bb4177076ca

      SHA256

      def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

      SHA512

      bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

    • memory/1840-7-0x000000001AEA0000-0x000000001AF20000-memory.dmp

      Filesize

      512KB

    • memory/1840-98-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

      Filesize

      9.9MB

    • memory/1840-0-0x00000000009F0000-0x0000000000ADE000-memory.dmp

      Filesize

      952KB

    • memory/1840-8-0x000000001AEA0000-0x000000001AF20000-memory.dmp

      Filesize

      512KB

    • memory/1840-5-0x000000001AEA0000-0x000000001AF20000-memory.dmp

      Filesize

      512KB

    • memory/1840-14-0x000000001AEA0000-0x000000001AF20000-memory.dmp

      Filesize

      512KB

    • memory/1840-4-0x00000000003C0000-0x00000000003C1000-memory.dmp

      Filesize

      4KB

    • memory/1840-3-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

      Filesize

      9.9MB

    • memory/1840-2-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

      Filesize

      9.9MB

    • memory/1840-1-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

      Filesize

      9.9MB

    • memory/1840-107-0x000000001AEA0000-0x000000001AF20000-memory.dmp

      Filesize

      512KB

    • memory/1840-106-0x000000001AEA0000-0x000000001AF20000-memory.dmp

      Filesize

      512KB

    • memory/1840-105-0x000000001AEA0000-0x000000001AF20000-memory.dmp

      Filesize

      512KB

    • memory/1840-104-0x00000000003C0000-0x00000000003C1000-memory.dmp

      Filesize

      4KB

    • memory/1840-6-0x00000000003D0000-0x000000000040E000-memory.dmp

      Filesize

      248KB

    • memory/2336-97-0x0000000002A70000-0x0000000002AF0000-memory.dmp

      Filesize

      512KB

    • memory/2336-96-0x000007FEEED40000-0x000007FEEF6DD000-memory.dmp

      Filesize

      9.6MB

    • memory/2336-99-0x0000000002A74000-0x0000000002A77000-memory.dmp

      Filesize

      12KB

    • memory/2336-100-0x0000000002A7B000-0x0000000002AE2000-memory.dmp

      Filesize

      412KB

    • memory/2336-101-0x000007FEEED40000-0x000007FEEF6DD000-memory.dmp

      Filesize

      9.6MB

    • memory/2336-95-0x0000000002A70000-0x0000000002AF0000-memory.dmp

      Filesize

      512KB

    • memory/2336-94-0x000007FEEED40000-0x000007FEEF6DD000-memory.dmp

      Filesize

      9.6MB

    • memory/2336-93-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

      Filesize

      32KB

    • memory/2336-92-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB