Overview

overview

10

Static

static

10

Silviozas ...84.exe

windows7-x64

10

Silviozas ...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 08:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Silviozas Premium Proxy V3.85984.exe

  • Size

    5.0MB

  • MD5

    628f62f1001ff7705103ab9f5ef5ffd1

  • SHA1

    6748a7dc711fdcf2787f8634a0287ea382cbd690

  • SHA256

    59f927e858a8cdf2330099c7b18b3f74bc6616d67b11e174aab539bd7aff067a

  • SHA512

    6eb4d989dff77528b86c866fe63c088e3c3b67bc01c5017cd9a814aebee96bfd49982d760a093371a2529ef9ee84b65194f98c3ba4f4d11a7e120725d65129c2

  • SSDEEP

    98304:SrjYFpk1kqeK+h2qwqYNorcrLEtwZJJuRWpAFyFSB76Z:C9kqX+QmrcrLm4JMRuS8

Score
10/10
eternitydiscoveryevasionexecutionspywarestealertrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detects Eternity stealer 1 IoCs
    stealer
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Eternity family
    eternity
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe
    "C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Drops startup file
    • Windows security modification
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Users\Admin\AppData\Local\Temp\l1zc4uib.zf0\Silviozas Premium Proxy V3.85984.exe
      "C:\Users\Admin\AppData\Local\Temp\l1zc4uib.zf0\Silviozas Premium Proxy V3.85984.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c color 0A
        3⤵
          PID:1936
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2572
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c color 0A
          3⤵
            PID:5084
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\l1zc4uib.zf0\Silviozas Premium Proxy V3.85984.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2216
            • C:\Windows\system32\certutil.exe
              certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\l1zc4uib.zf0\Silviozas Premium Proxy V3.85984.exe" MD5
              4⤵
                PID:3952
              • C:\Windows\system32\find.exe
                find /i /v "md5"
                4⤵
                  PID:5000
                • C:\Windows\system32\find.exe
                  find /i /v "certutil"
                  4⤵
                    PID:1372
              • C:\Users\Admin\AppData\Local\Temp\dcd.exe
                "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
                2⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2480
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" Get-MpPreference -verbose
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4852

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              a43e653ffb5ab07940f4bdd9cc8fade4

              SHA1

              af43d04e3427f111b22dc891c5c7ee8a10ac4123

              SHA256

              c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

              SHA512

              62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              abc0988d0dac66a18b6eb7b1da4c358d

              SHA1

              313753c3b32a15b71106353b910d87f28eac052f

              SHA256

              32929d3d20c39a3c72780b53697b5d5b9328f09a4065a6d9392498cae93546fa

              SHA512

              159340d084a9def5294dff575f24ff074cf8eb9ef7c811447fccad04df5c01de7d84bf3e88c43b4f11602d1559ede4ccf7120b1b2f4c59dc8d6c4b500782651e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogq250nz.xrz.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\dcd.exe
              Filesize

              227KB

              MD5

              b5ac46e446cead89892628f30a253a06

              SHA1

              f4ad1044a7f77a1b02155c3a355a1bb4177076ca

              SHA256

              def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

              SHA512

              bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\l1zc4uib.zf0\Silviozas Premium Proxy V3.85984.exe
              Filesize

              2.0MB

              MD5

              c671cffbc1466d28212399e16035d2c3

              SHA1

              90037556b5f85796d56de164336dd25d479100f3

              SHA256

              a01646d5fc27869bc3dc6fc0b291e7abb1915edc945eea648a9ac1d101807c89

              SHA512

              a7a5ec98ca342b1a16e81f2af813bc6491be2cbc8e16b062ee757a362e0130579b828685551cfc42b7f5495fdd1af15841b5edb9dbd76e89353fafe58423c5a6

              Download Submit

            • memory/2572-30-0x0000021024090000-0x00000210240B2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4080-54-0x00007FF6A8AB0000-0x00007FF6A934E000-memory.dmp

              Filesize

              8.6MB

              Download

            • memory/4080-67-0x00007FF6A8AB0000-0x00007FF6A934E000-memory.dmp

              Filesize

              8.6MB

              Download

            • memory/4080-62-0x00007FF6A8AB0000-0x00007FF6A934E000-memory.dmp

              Filesize

              8.6MB

              Download

            • memory/4080-57-0x00007FF6A8AB0000-0x00007FF6A934E000-memory.dmp

              Filesize

              8.6MB

              Download

            • memory/4080-56-0x00007FF6A8AB0000-0x00007FF6A934E000-memory.dmp

              Filesize

              8.6MB

              Download

            • memory/4080-55-0x00007FF6A8AB0000-0x00007FF6A934E000-memory.dmp

              Filesize

              8.6MB

              Download

            • memory/4080-31-0x00007FF6A8AB0000-0x00007FF6A934E000-memory.dmp

              Filesize

              8.6MB

              Download

            • memory/4216-0-0x00007FFFADC13000-0x00007FFFADC15000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4216-2-0x000000001B340000-0x000000001B390000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4216-1-0x0000000000310000-0x000000000080C000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/4216-53-0x00007FFFADC10000-0x00007FFFAE6D1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4216-3-0x00007FFFADC10000-0x00007FFFAE6D1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4216-4-0x000000001B6D0000-0x000000001B912000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/4216-7-0x00007FFFADC10000-0x00007FFFAE6D1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4216-19-0x00007FFFADC10000-0x00007FFFAE6D1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4216-18-0x00007FFFADC10000-0x00007FFFAE6D1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4216-6-0x00007FFFADC10000-0x00007FFFAE6D1000-memory.dmp

              Filesize

              10.8MB

              Download