Overview

overview

10

Static

static

10

MegaDUP.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    29s
  • max time network
    7s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06-04-2024 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MegaDUP.exe

  • Size

    907KB

  • MD5

    30a11f18ff51c28962b610c64159cb13

  • SHA1

    27f8e093479cd15a9b3e44967a81dada4331307b

  • SHA256

    23da6246fcd9a93ea5a3e2e320c4a6cfa27173e42a9a8215f537bb660ad0702a

  • SHA512

    8170174a270db4089c879805f4b9569c04504d59698d05081db25d31754bbf7f8b63399ecdd5b3fc54b43c230bd3886b4eeadccdd4e53a69bf168f4a4cbe9408

  • SSDEEP

    12288:xTEYAsROAsrt/uxduo1jB0Y96qvqAMnSy/SQ0TxvesHunNxujYcTkaeSPsL:xwT7rC6qvqAyN/ZgxvFHunNkjYcYssL

Score
10/10
eternityevasionspywarestealertrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detects Eternity stealer 1 IoCs
    stealer
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MegaDUP.exe
    "C:\Users\Admin\AppData\Local\Temp\MegaDUP.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Drops startup file
    • Windows security modification
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Local\Temp\dcd.exe
      "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
      2⤵
      • Executes dropped EXE
      PID:3000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3604
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    10KB

    MD5

    28d32a16ce87d488acc7632092f7d566

    SHA1

    325dd247e49113dd987531ffe7ca26c22ce08c31

    SHA256

    ba6d4f09117c098bd27508a14d44822f13399ebe16d5d2539ad2844157fa4907

    SHA512

    8159021f9d0e28d370faddf7fa41aa9d4bdf7a1aee71779706e43c30486526a0636568d8f90c580da543f8393f546090f71f87382f99e3e0a2b227b04670af57

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    10KB

    MD5

    82678367fa4297a26727ccc84e0b2f60

    SHA1

    0c65ab90390566f7d2f5b4751b9027f6bac1d22a

    SHA256

    fbf7356b28e05edc871dda40b318b147e6d07ece028da3d67c3cfbd30bfa0f29

    SHA512

    e5474444eecac25a06fe26a22dce9aa9311740dca264de1c824a36a7bc55216f301e934667fe0b9c3c7b062694f8a37e45ecce6b3889cb33bb47ecb9bd198db5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ldgddb3.uud.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dcd.exe
    Filesize

    227KB

    MD5

    b5ac46e446cead89892628f30a253a06

    SHA1

    f4ad1044a7f77a1b02155c3a355a1bb4177076ca

    SHA256

    def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

    SHA512

    bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

    Download Submit

  • memory/864-7-0x000000001B250000-0x000000001B260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/864-5-0x0000000002450000-0x0000000002451000-memory.dmp

    Filesize

    4KB

    Download

  • memory/864-32-0x00007FF901FC0000-0x00007FF902A82000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/864-4-0x00007FF901FC0000-0x00007FF902A82000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/864-11-0x000000001B250000-0x000000001B260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/864-12-0x000000001B250000-0x000000001B260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/864-0-0x0000000000260000-0x000000000034A000-memory.dmp

    Filesize

    936KB

    Download

  • memory/864-3-0x0000000002460000-0x000000000249E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/864-2-0x00007FF901FC0000-0x00007FF902A82000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/864-1-0x00000000024A0000-0x00000000024F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3604-13-0x000001B9849E0000-0x000001B984A02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3604-25-0x000001B99CF30000-0x000001B99CF40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3604-26-0x000001B99CF30000-0x000001B99CF40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3604-29-0x00007FF901FC0000-0x00007FF902A82000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3604-24-0x000001B99CF30000-0x000001B99CF40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3604-23-0x000001B99CF30000-0x000001B99CF40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3604-14-0x00007FF901FC0000-0x00007FF902A82000-memory.dmp

    Filesize

    10.8MB

    Download