Analysis
- max time kernel: 32s
- max time network: 34s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 18:48
Behavioral task: behavioral1
- Sample: Lucky Proxy.exe
- Resource: win7-20240221-en
General
- Target: Lucky Proxy.exe
- Size: 10.7MB
- MD5: f9f683c1fafc61bcccc9a44bef1f2867
- SHA1: 464183bbe171e5b07921d293f2692c517353f6e4
- SHA256: 9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d
- SHA512: ca6481f8b1d0d2917368f3178256c2825a4de13b5d9baa720e7fa2aa3fd214b13881cb2457af1abe75345348842ad8896e8f1962d672ffb6cddf008dcd940279
- SSDEEP: 98304:FQU/ui53ANXrPQU/8rJPPGlTrMdhSzVozBjVTcZOOSaHE6+KN51dE27Kfz7ns9z:FQPi5GQ7PuqShYBDRak6+AK2OfA
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: 127.0.0.1:1604
- Mutex: DC_MUTEX-AYYXQ8E
- InstallPath: MSDCSC\msdcsc.exe
- gencode: SNTiKyNYVqQR
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures

Detects Eternity stealer (11 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\STEALER.EXE | eternity_stealer
behavioral2/memory/1548-21-0x0000000000620000-0x0000000000E9A000-memory.dmp | eternity_stealer
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | eternity_stealer
behavioral2/memory/1548-76-0x000000001BE30000-0x000000001C238000-memory.dmp | eternity_stealer
C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe | eternity_stealer
behavioral2/memory/3272-97-0x0000000000400000-0x0000000000EC2000-memory.dmp | eternity_stealer
C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE | eternity_stealer
behavioral2/memory/4144-121-0x0000000000D60000-0x0000000000E46000-memory.dmp | eternity_stealer
behavioral2/memory/2728-182-0x0000000000400000-0x00000000007D6000-memory.dmp | eternity_stealer
behavioral2/memory/4224-183-0x0000000000400000-0x0000000000EC2000-memory.dmp | eternity_stealer
behavioral2/memory/2144-184-0x0000000000400000-0x00000000007D6000-memory.dmp | eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | Lucky Proxy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\17RYb5VUkfWF\\msdcsc.exe" | KuloCrackedByHaci.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation | Lucky Proxy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation | STEALER.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation | KuloCrackedByHaci.exe
Executes dropped EXE (7 IoCs)
Processes:
pid | process
1248 | LUCKY CRACKED.EXE
1548 | STEALER.EXE
4224 | msdcsc.exe
2728 | KuloCrackedByHaci.exe
4144 | ETERNITYV5.EXE
4472 | KULO PROXY.EXE
2144 | msdcsc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | Lucky Proxy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\17RYb5VUkfWF\\msdcsc.exe" | KuloCrackedByHaci.exe
Drops file in System32 directory (7 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe | KuloCrackedByHaci.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\ | KuloCrackedByHaci.exe
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | Lucky Proxy.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | Lucky Proxy.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | Lucky Proxy.exe
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | KuloCrackedByHaci.exe
File created | C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe | KuloCrackedByHaci.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Lucky Proxy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | KuloCrackedByHaci.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (pid, process: token privileges adjusted, one "Token:" entry each):
- 3272 Lucky Proxy.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- 1548 STEALER.EXE: SeDebugPrivilege
- 4224 msdcsc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- 2728 KuloCrackedByHaci.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
4224 | msdcsc.exe
2144 | msdcsc.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
description | pid | process | target process
PID 3272 wrote to memory of 1248 | 3272 | Lucky Proxy.exe | LUCKY CRACKED.EXE
PID 3272 wrote to memory of 1248 | 3272 | Lucky Proxy.exe | LUCKY CRACKED.EXE
PID 3272 wrote to memory of 1548 | 3272 | Lucky Proxy.exe | STEALER.EXE
PID 3272 wrote to memory of 1548 | 3272 | Lucky Proxy.exe | STEALER.EXE
PID 3272 wrote to memory of 4224 | 3272 | Lucky Proxy.exe | msdcsc.exe
PID 3272 wrote to memory of 4224 | 3272 | Lucky Proxy.exe | msdcsc.exe
PID 3272 wrote to memory of 4224 | 3272 | Lucky Proxy.exe | msdcsc.exe
PID 1548 wrote to memory of 2728 | 1548 | STEALER.EXE | KuloCrackedByHaci.exe
PID 1548 wrote to memory of 2728 | 1548 | STEALER.EXE | KuloCrackedByHaci.exe
PID 1548 wrote to memory of 2728 | 1548 | STEALER.EXE | KuloCrackedByHaci.exe
PID 2728 wrote to memory of 4144 | 2728 | KuloCrackedByHaci.exe | ETERNITYV5.EXE
PID 2728 wrote to memory of 4144 | 2728 | KuloCrackedByHaci.exe | ETERNITYV5.EXE
PID 2728 wrote to memory of 4472 | 2728 | KuloCrackedByHaci.exe | KULO PROXY.EXE
PID 2728 wrote to memory of 4472 | 2728 | KuloCrackedByHaci.exe | KULO PROXY.EXE
PID 2728 wrote to memory of 2144 | 2728 | KuloCrackedByHaci.exe | msdcsc.exe
PID 2728 wrote to memory of 2144 | 2728 | KuloCrackedByHaci.exe | msdcsc.exe
PID 2728 wrote to memory of 2144 | 2728 | KuloCrackedByHaci.exe | msdcsc.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE"
    - Executes dropped EXE
  [depth 2] C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\STEALER.EXE"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe"
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
        command line: "C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE"
        - Executes dropped EXE
      [depth 4] C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
        command line: "C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE"
        - Executes dropped EXE
      [depth 4] C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe
        command line: "C:\Windows\system32\MSDCSC\17RYb5VUkfWF\msdcsc.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
  [depth 2] C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
    command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
- Filesize: 887KB
- MD5: 656811e5b545b83c89e9172d71a31c9d
- SHA1: 94dfbaf4b72bb4a627205536db953fdfb06637f4
- SHA256: 24e4e3268b3b2b043f1ed4ea4e564eba2b0d19824e34f4fbc077510db817eba1
- SHA512: 66f52fc6dd64d58d5b89628cd276f1b098f6e533f3acb6e081daa3c0ce3b9b68977ac0455deef7488d5d7e58fbeedc01691cc2c535c13e5088533dcc70e2f3de
C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
- Filesize: 2.3MB
- MD5: 5846ff38efa46576737ad1b8a9246766
- SHA1: 36586aec663d0fcc12d0924b554ea3ce65599da5
- SHA256: f6b7fdaa92f8551750fbd372a88efeda90dea586e01c75f9d463478d7752ac7b
- SHA512: 097058dd94a2de214ff69f56e3be54261d75d8dd7cb7b1a5ae2184cbc4bb720d09ab29defde6246939c0401bfd1171f435a86cf280642ada2578db9d30a65820
C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
- Filesize: 1.6MB
- MD5: 177146ba249a68fa55f0e0ba3889b1c6
- SHA1: 994d06dd75554da0024251412c318beff740b7c7
- SHA256: af8ff83661fb43de992e22464533348c1aaac81e54c58357e09d0a07cd559893
- SHA512: 1764d9372784c7428327bb6e5b9bbb339500566f90c3c784084d8319ffdd620f4fcc81506cadf3e8009ef2cf4e7731d0702e411cdff15740f404cbd3684bb1a0
C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
- Filesize: 8.5MB
- MD5: b81af4dd13f5db948ffec8b8707c2280
- SHA1: f7f74d80b24ff02499be0fb46f416be14b21c287
- SHA256: 03fa8a7a7ac4dd4754f84f348737dc76f9102349bcac0ce64790bd20906ad21b
- SHA512: 0ef93304db63b84891bc7406d1a39112463600ae1bf4cc89fdb72db32d0ce237e05c84a1d31d94295c439cb4242e083ee97d44946bae61f1b5fa7319357eedde
C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe
- Filesize: 3.8MB
- MD5: afaafeb9ed3224a20c008fe4e987e0fc
- SHA1: 59605cdaded8aa6b009daba59056cbdfce8171d0
- SHA256: f0395d96a4dae3a00181ff666507342a1b03f5e9a780d3ce8734e934eb13f90d
- SHA512: 747b94a51b065ad3f246a3a931dcc0c4a8b8efa6f9e996fdf63fb955e97f8cbcc45c8b2062292c3c89932df8c847d0d051e240f2903774cbae81d2ac83b8bb82
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
- Filesize: 10.7MB
- MD5: f9f683c1fafc61bcccc9a44bef1f2867
- SHA1: 464183bbe171e5b07921d293f2692c517353f6e4
- SHA256: 9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d
- SHA512: ca6481f8b1d0d2917368f3178256c2825a4de13b5d9baa720e7fa2aa3fd214b13881cb2457af1abe75345348842ad8896e8f1962d672ffb6cddf008dcd940279
Memory dumps (file | Filesize)
memory/1548-76-0x000000001BE30000-0x000000001C238000-memory.dmp | 4.0MB
memory/1548-23-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp | 10.8MB
memory/1548-75-0x0000000001740000-0x0000000001750000-memory.dmp | 64KB
memory/1548-74-0x0000000001680000-0x0000000001681000-memory.dmp | 4KB
memory/1548-78-0x0000000001740000-0x0000000001750000-memory.dmp | 64KB
memory/1548-77-0x0000000001740000-0x0000000001750000-memory.dmp | 64KB
memory/1548-189-0x0000000001740000-0x0000000001750000-memory.dmp | 64KB
memory/1548-72-0x00000000016F0000-0x0000000001740000-memory.dmp | 320KB
memory/1548-190-0x0000000001740000-0x0000000001750000-memory.dmp | 64KB
memory/1548-73-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp | 10.8MB
memory/1548-21-0x0000000000620000-0x0000000000E9A000-memory.dmp | 8.5MB
memory/1548-188-0x0000000001740000-0x0000000001750000-memory.dmp | 64KB
memory/1548-185-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp | 10.8MB
memory/2144-184-0x0000000000400000-0x00000000007D6000-memory.dmp | 3.8MB
memory/2728-182-0x0000000000400000-0x00000000007D6000-memory.dmp | 3.8MB
memory/3272-97-0x0000000000400000-0x0000000000EC2000-memory.dmp | 10.8MB
memory/3272-0-0x00000000010A0000-0x00000000010A1000-memory.dmp | 4KB
memory/4144-123-0x000000001B8E0000-0x000000001B91E000-memory.dmp | 248KB
memory/4144-121-0x0000000000D60000-0x0000000000E46000-memory.dmp | 920KB
memory/4224-183-0x0000000000400000-0x0000000000EC2000-memory.dmp | 10.8MB