Analysis
-
max time kernel
90s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
06-02-2024 22:26
Behavioral task
behavioral1
Sample
Silviozas-Premium-Proxy-V3.85-CRACKED.exe
Resource
win7-20231215-en
General
-
Target
Silviozas-Premium-Proxy-V3.85-CRACKED.exe
-
Size
1.4MB
-
MD5
1a60fbd63948cb13126d88c0e71f7a6b
-
SHA1
764b74a28ebd0e657fd7ba8a7f2616fd24d23fd3
-
SHA256
b0eb1abd740144014dbdc0d1c6f61bcfb5a640ae238506415bb305bafcbbb791
-
SHA512
b2f3aef0eff8934f72927dcd0b71180013a1eef5d968b3db494a7c946d36655ed6f304d50a90c1895b093c00297ce695b2eae22d0b06386945d8eeaf6c5fa1fd
-
SSDEEP
12288:WTEYAsROAsrt/uxduo1jB0Y96qIFITgJka3xFD70z0QDiBoczYSWkSX7xwyGOADu:WwT7rC6qDIptQD2Jz2JOyuQ7K
Malware Config
Signatures
-
Detects Eternity stealer 1 IoCs
resource yara_rule behavioral2/memory/1828-0-0x00000000008A0000-0x00000000009C6000-memory.dmp eternity_stealer -
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Executes dropped EXE 1 IoCs
pid Process 5116 dcd.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 3536 NOTEPAD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1828 Silviozas-Premium-Proxy-V3.85-CRACKED.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1828 wrote to memory of 5116 1828 Silviozas-Premium-Proxy-V3.85-CRACKED.exe 66 PID 1828 wrote to memory of 5116 1828 Silviozas-Premium-Proxy-V3.85-CRACKED.exe 66 PID 1828 wrote to memory of 5116 1828 Silviozas-Premium-Proxy-V3.85-CRACKED.exe 66
Processes
-
C:\Users\Admin\AppData\Local\Temp\Silviozas-Premium-Proxy-V3.85-CRACKED.exe"C:\Users\Admin\AppData\Local\Temp\Silviozas-Premium-Proxy-V3.85-CRACKED.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\dcd.exe"C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""2⤵
- Executes dropped EXE
PID:5116
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\help.txt1⤵
- Opens file in notepad (likely ransom note)
PID:3536
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
140KB
MD590db0efae28fa1ed0abff3c6299df417
SHA173923206568279905a3b3c5233c888df5672ea42
SHA256c1951338410138be38cd5ee2d7a1a9237e67c045734e5de5d767b7408986a0ec
SHA512cf5f6dfefa209d47f2cc374a68b8bdce775dc0db3a7cc8617ef7d4c11b62bc338f75e3e9cc2fa784d590fc017cf83c27e6318fa3e1229a2dcd504169431e4549
-
Filesize
176KB
MD5472dee0838dddfdd731f1ed95c3f0e01
SHA17699fa34dfb6a9a321711af4a10c98850237d269
SHA2560396b5fa30a46a1a4a98f8ec507f65bb9cfc24e2d1923d1bbc56c8af87650da1
SHA512930a9532ba739ce21f576fe8772228d891d97c13f530133dec09835072c02cec99f76596e45c76ccdb0a0636cd8d6cc18236367c86a1a0195aec4a0bfd0cd668