Overview

overview

10

Static

static

10

P90P_PROXY.exe

windows7-x64

10

P90P_PROXY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2024 19:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    P90P_PROXY.exe

  • Size

    905KB

  • MD5

    551cd8e5461c68ec23ec11eab941c262

  • SHA1

    bf16424415ff1562fa442981ed9f84cc167cab07

  • SHA256

    9bca0051537823f2c31bebafa453130a549599f825241423c6bc8d8c6aa49f71

  • SHA512

    52c645bbc7ab74588b3715d181f9412762f071fbc6ba5845b4b1eaf92b530f8835b4ed960f76a4b962fe3d48bd18844a79fa9557a26ae866f038526efcd40de7

  • SSDEEP

    12288:vTEYAsROAsrt/uxduo1jB0Y96q1CCgLbY/0PejVdoXvvGabyl2OswS50LHvbdu+:vwT7rC6q1CZLoLzSylbswS54T1

Score
10/10
eternitydiscoveryevasionstealertrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detects Eternity stealer 1 IoCs
    stealer
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\P90P_PROXY.exe
    "C:\Users\Admin\AppData\Local\Temp\P90P_PROXY.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Drops startup file
    • Windows security modification
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Users\Admin\AppData\Local\Temp\dcd.exe
      "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eostisz5.er1.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dcd.exe
    Filesize

    227KB

    MD5

    b5ac46e446cead89892628f30a253a06

    SHA1

    f4ad1044a7f77a1b02155c3a355a1bb4177076ca

    SHA256

    def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

    SHA512

    bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

    Download Submit

  • memory/1836-11-0x00007FFEAA180000-0x00007FFEAAC41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1836-12-0x00007FFEAA180000-0x00007FFEAAC41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1836-4-0x00007FFEAA180000-0x00007FFEAAC41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1836-6-0x00007FFEAA180000-0x00007FFEAAC41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1836-2-0x0000000002250000-0x00000000022A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1836-10-0x00007FFEAA180000-0x00007FFEAAC41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1836-0-0x00007FFEAA183000-0x00007FFEAA185000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1836-3-0x0000000002200000-0x000000000223E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1836-13-0x00007FFEAA180000-0x00007FFEAAC41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1836-30-0x00007FFEAA180000-0x00007FFEAAC41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1836-1-0x0000000000060000-0x000000000014A000-memory.dmp

    Filesize

    936KB

    Download

  • memory/4540-24-0x00000191F5880000-0x00000191F58A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4540-27-0x00007FFEAA180000-0x00007FFEAAC41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4540-14-0x00007FFEAA180000-0x00007FFEAAC41000-memory.dmp

    Filesize

    10.8MB

    Download