Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 08:32
Behavioral task
behavioral1
Sample
Silviozas Premium Proxy V3.85984.exe
Resource
win7-20241010-en
General
-
Target
Silviozas Premium Proxy V3.85984.exe
-
Size
5.0MB
-
MD5
628f62f1001ff7705103ab9f5ef5ffd1
-
SHA1
6748a7dc711fdcf2787f8634a0287ea382cbd690
-
SHA256
59f927e858a8cdf2330099c7b18b3f74bc6616d67b11e174aab539bd7aff067a
-
SHA512
6eb4d989dff77528b86c866fe63c088e3c3b67bc01c5017cd9a814aebee96bfd49982d760a093371a2529ef9ee84b65194f98c3ba4f4d11a7e120725d65129c2
-
SSDEEP
98304:SrjYFpk1kqeK+h2qwqYNorcrLEtwZJJuRWpAFyFSB76Z:C9kqX+QmrcrLm4JMRuS8
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/2380-1-0x00000000011B0000-0x00000000016AC000-memory.dmp disable_win_def -
Detects Eternity stealer 1 IoCs
resource yara_rule behavioral1/memory/2380-1-0x00000000011B0000-0x00000000016AC000-memory.dmp eternity_stealer -
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Eternity family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Silviozas Premium Proxy V3.85984.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Silviozas Premium Proxy V3.85984.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Silviozas Premium Proxy V3.85984.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" Silviozas Premium Proxy V3.85984.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2780 powershell.exe -
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Silviozas Premium Proxy V3.85984.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Silviozas Premium Proxy V3.85984.exe Silviozas Premium Proxy V3.85984.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Silviozas Premium Proxy V3.85984.exe Silviozas Premium Proxy V3.85984.exe -
Executes dropped EXE 2 IoCs
pid Process 1980 Silviozas Premium Proxy V3.85984.exe 2744 dcd.exe -
Loads dropped DLL 1 IoCs
pid Process 2380 Silviozas Premium Proxy V3.85984.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features Silviozas Premium Proxy V3.85984.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 1196 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2780 powershell.exe 2412 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2380 Silviozas Premium Proxy V3.85984.exe Token: SeDebugPrivilege 2780 powershell.exe Token: SeDebugPrivilege 1980 Silviozas Premium Proxy V3.85984.exe Token: SeDebugPrivilege 2412 powershell.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 2380 wrote to memory of 1980 2380 Silviozas Premium Proxy V3.85984.exe 30 PID 2380 wrote to memory of 1980 2380 Silviozas Premium Proxy V3.85984.exe 30 PID 2380 wrote to memory of 1980 2380 Silviozas Premium Proxy V3.85984.exe 30 PID 1980 wrote to memory of 2396 1980 Silviozas Premium Proxy V3.85984.exe 32 PID 1980 wrote to memory of 2396 1980 Silviozas Premium Proxy V3.85984.exe 32 PID 1980 wrote to memory of 2396 1980 Silviozas Premium Proxy V3.85984.exe 32 PID 2380 wrote to memory of 2744 2380 Silviozas Premium Proxy V3.85984.exe 33 PID 2380 wrote to memory of 2744 2380 Silviozas Premium Proxy V3.85984.exe 33 PID 2380 wrote to memory of 2744 2380 Silviozas Premium Proxy V3.85984.exe 33 PID 2380 wrote to memory of 2744 2380 Silviozas Premium Proxy V3.85984.exe 33 PID 1980 wrote to memory of 2784 1980 Silviozas Premium Proxy V3.85984.exe 34 PID 1980 wrote to memory of 2784 1980 Silviozas Premium Proxy V3.85984.exe 34 PID 1980 wrote to memory of 2784 1980 Silviozas Premium Proxy V3.85984.exe 34 PID 2784 wrote to memory of 2780 2784 cmd.exe 35 PID 2784 wrote to memory of 2780 2784 cmd.exe 35 PID 2784 wrote to memory of 2780 2784 cmd.exe 35 PID 1980 wrote to memory of 2196 1980 Silviozas Premium Proxy V3.85984.exe 37 PID 1980 wrote to memory of 2196 1980 Silviozas Premium Proxy V3.85984.exe 37 PID 1980 wrote to memory of 2196 1980 Silviozas Premium Proxy V3.85984.exe 37 PID 1980 wrote to memory of 2676 1980 Silviozas Premium Proxy V3.85984.exe 38 PID 1980 wrote to memory of 2676 1980 Silviozas Premium Proxy V3.85984.exe 38 PID 1980 wrote to memory of 2676 1980 Silviozas Premium Proxy V3.85984.exe 38 PID 2676 wrote to memory of 1276 2676 cmd.exe 39 PID 2676 wrote to memory of 1276 2676 cmd.exe 39 PID 2676 wrote to memory of 1276 2676 cmd.exe 39 PID 2676 wrote to memory of 2800 2676 cmd.exe 40 PID 2676 wrote to memory of 2800 2676 cmd.exe 40 PID 2676 wrote to memory of 2800 2676 cmd.exe 40 PID 2676 wrote to memory of 2816 2676 cmd.exe 41 PID 2676 wrote to memory of 2816 2676 cmd.exe 41 PID 2676 wrote to memory of 2816 2676 cmd.exe 41 PID 2380 wrote to memory of 2412 2380 Silviozas Premium Proxy V3.85984.exe 42 PID 2380 wrote to memory of 2412 2380 Silviozas Premium Proxy V3.85984.exe 42 PID 2380 wrote to memory of 2412 2380 Silviozas Premium Proxy V3.85984.exe 42 PID 2380 wrote to memory of 932 2380 Silviozas Premium Proxy V3.85984.exe 44 PID 2380 wrote to memory of 932 2380 Silviozas Premium Proxy V3.85984.exe 44 PID 2380 wrote to memory of 932 2380 Silviozas Premium Proxy V3.85984.exe 44 PID 1980 wrote to memory of 2340 1980 Silviozas Premium Proxy V3.85984.exe 45 PID 1980 wrote to memory of 2340 1980 Silviozas Premium Proxy V3.85984.exe 45 PID 1980 wrote to memory of 2340 1980 Silviozas Premium Proxy V3.85984.exe 45 PID 2340 wrote to memory of 1600 2340 cmd.exe 46 PID 2340 wrote to memory of 1600 2340 cmd.exe 46 PID 2340 wrote to memory of 1600 2340 cmd.exe 46 PID 1980 wrote to memory of 2112 1980 Silviozas Premium Proxy V3.85984.exe 48 PID 1980 wrote to memory of 2112 1980 Silviozas Premium Proxy V3.85984.exe 48 PID 1980 wrote to memory of 2112 1980 Silviozas Premium Proxy V3.85984.exe 48 PID 1600 wrote to memory of 1196 1600 cmd.exe 49 PID 1600 wrote to memory of 1196 1600 cmd.exe 49 PID 1600 wrote to memory of 1196 1600 cmd.exe 49
Processes
-
C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe"C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\hhh504pj.izl\Silviozas Premium Proxy V3.85984.exe"C:\Users\Admin\AppData\Local\Temp\hhh504pj.izl\Silviozas Premium Proxy V3.85984.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color 0A3⤵PID:2396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"3⤵
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color 0A3⤵PID:2196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hhh504pj.izl\Silviozas Premium Proxy V3.85984.exe" MD5 | find /i /v "md5" | find /i /v "certutil"3⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hhh504pj.izl\Silviozas Premium Proxy V3.85984.exe" MD54⤵PID:1276
-
-
C:\Windows\system32\find.exefind /i /v "md5"4⤵PID:2800
-
-
C:\Windows\system32\find.exefind /i /v "certutil"4⤵PID:2816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"3⤵
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\system32\cmd.execmd /C "color b && title Error && echo SSL connect error && timeout /t 5"4⤵
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\system32\timeout.exetimeout /t 55⤵
- Delays execution with timeout.exe
PID:1196
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1980 -s 6963⤵PID:2112
-
-
-
C:\Users\Admin\AppData\Local\Temp\dcd.exe"C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""2⤵
- Executes dropped EXE
PID:2744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2380 -s 7802⤵PID:932
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
227KB
MD5b5ac46e446cead89892628f30a253a06
SHA1f4ad1044a7f77a1b02155c3a355a1bb4177076ca
SHA256def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669
SHA512bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87
-
Filesize
2.0MB
MD5c671cffbc1466d28212399e16035d2c3
SHA190037556b5f85796d56de164336dd25d479100f3
SHA256a01646d5fc27869bc3dc6fc0b291e7abb1915edc945eea648a9ac1d101807c89
SHA512a7a5ec98ca342b1a16e81f2af813bc6491be2cbc8e16b062ee757a362e0130579b828685551cfc42b7f5495fdd1af15841b5edb9dbd76e89353fafe58423c5a6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5fba3f969a0b9431e0f353555ddfe4f88
SHA102d3dfdd89395fb0979141f697f951f458d64d42
SHA25620be8a194e3cba730c91988f1395886e6618fbd77e1cc1a79d691a9d18c91401
SHA5129e862c6781cbda05d1475157d9fccba84b58198e0790e89d00cbf535c513c2260118dbaabc3bf7c8bb45951d71723308fc6586345b600b9e1d0015cc71f6cf47
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6G949I0BMLUR4TZ3ORG2.temp
Filesize7KB
MD50f16446e09f373982787daae7ac7e6a2
SHA14882b573c15c35479d91d435875f45c5ea9bcec3
SHA2562efed61cdb76ab7b459d6ec365a80727267f038426e621f5f46998ae90804208
SHA5122f322e020408ca314729baa6ff01e2311042f079f9ef1138492bd669411d971661c085ef8acd10a0aead600fa98c5bfe54a8985844466e82c3c39ac173171afa