Overview

overview

10

Static

static

10

Silviozas ...84.exe

windows7-x64

10

Silviozas ...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 08:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Silviozas Premium Proxy V3.85984.exe

  • Size

    5.0MB

  • MD5

    628f62f1001ff7705103ab9f5ef5ffd1

  • SHA1

    6748a7dc711fdcf2787f8634a0287ea382cbd690

  • SHA256

    59f927e858a8cdf2330099c7b18b3f74bc6616d67b11e174aab539bd7aff067a

  • SHA512

    6eb4d989dff77528b86c866fe63c088e3c3b67bc01c5017cd9a814aebee96bfd49982d760a093371a2529ef9ee84b65194f98c3ba4f4d11a7e120725d65129c2

  • SSDEEP

    98304:SrjYFpk1kqeK+h2qwqYNorcrLEtwZJJuRWpAFyFSB76Z:C9kqX+QmrcrLm4JMRuS8

Score
10/10
eternityevasionexecutionspywarestealertrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detects Eternity stealer 1 IoCs
    stealer
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Eternity family
    eternity
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe
    "C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Drops startup file
    • Loads dropped DLL
    • Windows security modification
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\hhh504pj.izl\Silviozas Premium Proxy V3.85984.exe
      "C:\Users\Admin\AppData\Local\Temp\hhh504pj.izl\Silviozas Premium Proxy V3.85984.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c color 0A
        3⤵
          PID:2396
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2780
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c color 0A
          3⤵
            PID:2196
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hhh504pj.izl\Silviozas Premium Proxy V3.85984.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2676
            • C:\Windows\system32\certutil.exe
              certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hhh504pj.izl\Silviozas Premium Proxy V3.85984.exe" MD5
              4⤵
                PID:1276
              • C:\Windows\system32\find.exe
                find /i /v "md5"
                4⤵
                  PID:2800
                • C:\Windows\system32\find.exe
                  find /i /v "certutil"
                  4⤵
                    PID:2816
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2340
                  • C:\Windows\system32\cmd.exe
                    cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1600
                    • C:\Windows\system32\timeout.exe
                      timeout /t 5
                      5⤵
                      • Delays execution with timeout.exe
                      PID:1196
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 1980 -s 696
                  3⤵
                    PID:2112
                • C:\Users\Admin\AppData\Local\Temp\dcd.exe
                  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
                  2⤵
                  • Executes dropped EXE
                  PID:2744
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" Get-MpPreference -verbose
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2412
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 2380 -s 780
                  2⤵
                    PID:932

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\dcd.exe
                  Filesize

                  227KB

                  MD5

                  b5ac46e446cead89892628f30a253a06

                  SHA1

                  f4ad1044a7f77a1b02155c3a355a1bb4177076ca

                  SHA256

                  def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

                  SHA512

                  bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\hhh504pj.izl\Silviozas Premium Proxy V3.85984.exe
                  Filesize

                  2.0MB

                  MD5

                  c671cffbc1466d28212399e16035d2c3

                  SHA1

                  90037556b5f85796d56de164336dd25d479100f3

                  SHA256

                  a01646d5fc27869bc3dc6fc0b291e7abb1915edc945eea648a9ac1d101807c89

                  SHA512

                  a7a5ec98ca342b1a16e81f2af813bc6491be2cbc8e16b062ee757a362e0130579b828685551cfc42b7f5495fdd1af15841b5edb9dbd76e89353fafe58423c5a6

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                  Filesize

                  7KB

                  MD5

                  fba3f969a0b9431e0f353555ddfe4f88

                  SHA1

                  02d3dfdd89395fb0979141f697f951f458d64d42

                  SHA256

                  20be8a194e3cba730c91988f1395886e6618fbd77e1cc1a79d691a9d18c91401

                  SHA512

                  9e862c6781cbda05d1475157d9fccba84b58198e0790e89d00cbf535c513c2260118dbaabc3bf7c8bb45951d71723308fc6586345b600b9e1d0015cc71f6cf47

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6G949I0BMLUR4TZ3ORG2.temp
                  Filesize

                  7KB

                  MD5

                  0f16446e09f373982787daae7ac7e6a2

                  SHA1

                  4882b573c15c35479d91d435875f45c5ea9bcec3

                  SHA256

                  2efed61cdb76ab7b459d6ec365a80727267f038426e621f5f46998ae90804208

                  SHA512

                  2f322e020408ca314729baa6ff01e2311042f079f9ef1138492bd669411d971661c085ef8acd10a0aead600fa98c5bfe54a8985844466e82c3c39ac173171afa

                  Download Submit

                • \??\PIPE\srvsvc
                  MD5

                  d41d8cd98f00b204e9800998ecf8427e

                  SHA1

                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                  SHA256

                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                  SHA512

                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                  Download Submit

                • memory/1980-14-0x000000013FBA0000-0x000000014043E000-memory.dmp

                  Filesize

                  8.6MB

                  Download

                • memory/1980-35-0x0000000002390000-0x00000000023A0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1980-33-0x000000013FBA0000-0x000000014043E000-memory.dmp

                  Filesize

                  8.6MB

                  Download

                • memory/1980-23-0x0000000002390000-0x00000000023A0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2380-21-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2380-3-0x000000001BD40000-0x000000001BF82000-memory.dmp

                  Filesize

                  2.3MB

                  Download

                • memory/2380-9-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2380-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2380-8-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2380-47-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2380-1-0x00000000011B0000-0x00000000016AC000-memory.dmp

                  Filesize

                  5.0MB

                  Download

                • memory/2380-31-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2380-32-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2380-34-0x000000013FBA0000-0x000000014043E000-memory.dmp

                  Filesize

                  8.6MB

                  Download

                • memory/2380-7-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2380-5-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2380-2-0x000007FEF5650000-0x000007FEF603C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/2380-13-0x000000013FBA0000-0x000000014043E000-memory.dmp

                  Filesize

                  8.6MB

                  Download

                • memory/2412-42-0x000000001B330000-0x000000001B612000-memory.dmp

                  Filesize

                  2.9MB

                  Download

                • memory/2412-43-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2780-29-0x0000000002530000-0x0000000002538000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2780-28-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

                  Filesize

                  2.9MB

                  Download