Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 08:32
Behavioral task
behavioral1
Sample
Silviozas Premium Proxy V3.85984.exe
Resource
win7-20241010-en
General
-
Target
Silviozas Premium Proxy V3.85984.exe
-
Size
5.0MB
-
MD5
628f62f1001ff7705103ab9f5ef5ffd1
-
SHA1
6748a7dc711fdcf2787f8634a0287ea382cbd690
-
SHA256
59f927e858a8cdf2330099c7b18b3f74bc6616d67b11e174aab539bd7aff067a
-
SHA512
6eb4d989dff77528b86c866fe63c088e3c3b67bc01c5017cd9a814aebee96bfd49982d760a093371a2529ef9ee84b65194f98c3ba4f4d11a7e120725d65129c2
-
SSDEEP
98304:SrjYFpk1kqeK+h2qwqYNorcrLEtwZJJuRWpAFyFSB76Z:C9kqX+QmrcrLm4JMRuS8
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/memory/4216-1-0x0000000000310000-0x000000000080C000-memory.dmp disable_win_def -
Detects Eternity stealer 1 IoCs
resource yara_rule behavioral2/memory/4216-1-0x0000000000310000-0x000000000080C000-memory.dmp eternity_stealer -
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Eternity family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" Silviozas Premium Proxy V3.85984.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Silviozas Premium Proxy V3.85984.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Silviozas Premium Proxy V3.85984.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Silviozas Premium Proxy V3.85984.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2572 powershell.exe -
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Silviozas Premium Proxy V3.85984.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation Silviozas Premium Proxy V3.85984.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Silviozas Premium Proxy V3.85984.exe Silviozas Premium Proxy V3.85984.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Silviozas Premium Proxy V3.85984.exe Silviozas Premium Proxy V3.85984.exe -
Executes dropped EXE 2 IoCs
pid Process 4080 Silviozas Premium Proxy V3.85984.exe 2480 dcd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" Silviozas Premium Proxy V3.85984.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dcd.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2572 powershell.exe 2572 powershell.exe 4852 powershell.exe 4852 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4216 Silviozas Premium Proxy V3.85984.exe Token: SeDebugPrivilege 2572 powershell.exe Token: SeDebugPrivilege 4080 Silviozas Premium Proxy V3.85984.exe Token: SeDebugPrivilege 4852 powershell.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 4216 wrote to memory of 4080 4216 Silviozas Premium Proxy V3.85984.exe 83 PID 4216 wrote to memory of 4080 4216 Silviozas Premium Proxy V3.85984.exe 83 PID 4080 wrote to memory of 1936 4080 Silviozas Premium Proxy V3.85984.exe 85 PID 4080 wrote to memory of 1936 4080 Silviozas Premium Proxy V3.85984.exe 85 PID 4080 wrote to memory of 5020 4080 Silviozas Premium Proxy V3.85984.exe 86 PID 4080 wrote to memory of 5020 4080 Silviozas Premium Proxy V3.85984.exe 86 PID 5020 wrote to memory of 2572 5020 cmd.exe 87 PID 5020 wrote to memory of 2572 5020 cmd.exe 87 PID 4080 wrote to memory of 5084 4080 Silviozas Premium Proxy V3.85984.exe 91 PID 4080 wrote to memory of 5084 4080 Silviozas Premium Proxy V3.85984.exe 91 PID 4216 wrote to memory of 2480 4216 Silviozas Premium Proxy V3.85984.exe 90 PID 4216 wrote to memory of 2480 4216 Silviozas Premium Proxy V3.85984.exe 90 PID 4216 wrote to memory of 2480 4216 Silviozas Premium Proxy V3.85984.exe 90 PID 4080 wrote to memory of 2216 4080 Silviozas Premium Proxy V3.85984.exe 92 PID 4080 wrote to memory of 2216 4080 Silviozas Premium Proxy V3.85984.exe 92 PID 2216 wrote to memory of 3952 2216 cmd.exe 93 PID 2216 wrote to memory of 3952 2216 cmd.exe 93 PID 2216 wrote to memory of 5000 2216 cmd.exe 94 PID 2216 wrote to memory of 5000 2216 cmd.exe 94 PID 2216 wrote to memory of 1372 2216 cmd.exe 95 PID 2216 wrote to memory of 1372 2216 cmd.exe 95 PID 4216 wrote to memory of 4852 4216 Silviozas Premium Proxy V3.85984.exe 97 PID 4216 wrote to memory of 4852 4216 Silviozas Premium Proxy V3.85984.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe"C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Drops startup file
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Users\Admin\AppData\Local\Temp\l1zc4uib.zf0\Silviozas Premium Proxy V3.85984.exe"C:\Users\Admin\AppData\Local\Temp\l1zc4uib.zf0\Silviozas Premium Proxy V3.85984.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color 0A3⤵PID:1936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"3⤵
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c color 0A3⤵PID:5084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\l1zc4uib.zf0\Silviozas Premium Proxy V3.85984.exe" MD5 | find /i /v "md5" | find /i /v "certutil"3⤵
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\l1zc4uib.zf0\Silviozas Premium Proxy V3.85984.exe" MD54⤵PID:3952
-
-
C:\Windows\system32\find.exefind /i /v "md5"4⤵PID:5000
-
-
C:\Windows\system32\find.exefind /i /v "certutil"4⤵PID:1372
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dcd.exe"C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5a43e653ffb5ab07940f4bdd9cc8fade4
SHA1af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA51262a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b
-
Filesize
944B
MD5abc0988d0dac66a18b6eb7b1da4c358d
SHA1313753c3b32a15b71106353b910d87f28eac052f
SHA25632929d3d20c39a3c72780b53697b5d5b9328f09a4065a6d9392498cae93546fa
SHA512159340d084a9def5294dff575f24ff074cf8eb9ef7c811447fccad04df5c01de7d84bf3e88c43b4f11602d1559ede4ccf7120b1b2f4c59dc8d6c4b500782651e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
227KB
MD5b5ac46e446cead89892628f30a253a06
SHA1f4ad1044a7f77a1b02155c3a355a1bb4177076ca
SHA256def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669
SHA512bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87
-
Filesize
2.0MB
MD5c671cffbc1466d28212399e16035d2c3
SHA190037556b5f85796d56de164336dd25d479100f3
SHA256a01646d5fc27869bc3dc6fc0b291e7abb1915edc945eea648a9ac1d101807c89
SHA512a7a5ec98ca342b1a16e81f2af813bc6491be2cbc8e16b062ee757a362e0130579b828685551cfc42b7f5495fdd1af15841b5edb9dbd76e89353fafe58423c5a6