Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

PowerKuy4.57.exe

windows7-x64

10

PowerKuy4.57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/12/2024, 22:17 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PowerKuy4.57.exe

  • Size

    886KB

  • MD5

    0cbf8ddcb4c1e9697f61c0644e1af778

  • SHA1

    8f37ed33b93199ca6c811a180cc5c8d9f4e8acdb

  • SHA256

    674ed0aeb9e02db2378da6923dc34c18c67840e0ab9c2b2b4267684a84201745

  • SHA512

    ea6f0658a7935da4549d9ddb696e8a9d9fd16bc180920345d16b06359cd7528fe4806a6c33f03e528e080ab0249609ec27330fdb9cff9eae9d27f0cded667430

  • SSDEEP

    24576:rwT7rC6qMqZ8Xt6i6/ZgkOp9v+1g8i/2Ad45C:CrC6qFWo3/Zu3oFgP6U

Score
10/10
eternitydiscoverystealer

Malware Config

Signatures

  • Detects Eternity stealer 1 IoCs
    stealer
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Eternity family
    eternity
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PowerKuy4.57.exe
    "C:\Users\Admin\AppData\Local\Temp\PowerKuy4.57.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\dcd.exe
      "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4796

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    google.com
    PowerKuy4.57.exe
    Remote address:
    8.8.8.8:53
    Request
    google.com
    IN A
    Response
    google.com
    IN A
    216.58.214.174
  • flag-fr
    GET
    http://google.com/generate_204
    PowerKuy4.57.exe
    Remote address:
    216.58.214.174:80
    Request
    GET /generate_204 HTTP/1.1
    Host: google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 204 No Content
    Content-Length: 0
    Cross-Origin-Resource-Policy: cross-origin
    Date: Fri, 20 Dec 2024 22:17:25 GMT
  • flag-us
    DNS
    api.imgbb.com
    PowerKuy4.57.exe
    Remote address:
    8.8.8.8:53
    Request
    api.imgbb.com
    IN A
    Response
    api.imgbb.com
    IN A
    104.21.20.64
    api.imgbb.com
    IN A
    172.67.191.214
  • flag-us
    POST
    https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449
    PowerKuy4.57.exe
    Remote address:
    104.21.20.64:443
    Request
    POST /1/upload?key=78adae1bfa0e608b56435fa339987449 HTTP/1.1
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded
    Host: api.imgbb.com
    Content-Length: 657148
    Connection: Keep-Alive
    Response
    HTTP/1.1 400 Bad Request
    Date: Fri, 20 Dec 2024 22:17:27 GMT
    Content-Type: application/json; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    access-control-allow-origin: *
    access-control-allow-headers: Cache-Control, X-Requested-With, Content-Type
    access-control-allow-methods: POST, GET, OPTIONS
    last-modified: Fri, 20 Dec 2024 22:17:27GMT
    Cache-Control: no-cache, must-revalidate
    pragma: no-cache
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aief3yupX8RnNw6Bmp4QgfYd%2BHciqzXLK81qjlaeUP8m5oNlW1gGY4FGaA%2FNN%2B5BF3Knd9cypAmrtg%2F5TXeA0h2zWvx46kwUS2m3C%2Fze0gtOfXynULl1pizU2%2FnMMPAL"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f5300a34d9dd1f9-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=32031&min_rtt=29109&rtt_var=9753&sent=178&recv=498&lost=0&retrans=0&sent_bytes=2978&recv_bytes=658842&delivery_rate=127262&cwnd=253&unsent_bytes=0&cid=17b6746b011e31fc&ts=1069&x=0"
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    174.214.58.216.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    174.214.58.216.in-addr.arpa
    IN PTR
    Response
    174.214.58.216.in-addr.arpa
    IN PTR
    mad01s26-in-f1741e100net
    174.214.58.216.in-addr.arpa
    IN PTR
    par10s42-in-f14�J
    174.214.58.216.in-addr.arpa
    IN PTR
    mad01s26-in-f14�J
  • flag-us
    DNS
    eterprx.net
    PowerKuy4.57.exe
    Remote address:
    8.8.8.8:53
    Request
    eterprx.net
    IN A
    Response
    eterprx.net
    IN A
    172.67.194.181
    eterprx.net
    IN A
    104.21.20.223
  • flag-us
    POST
    https://eterprx.net/api/accounts
    PowerKuy4.57.exe
    Remote address:
    172.67.194.181:443
    Request
    POST /api/accounts HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: eterprx.net
    Content-Length: 209
    Connection: Keep-Alive
    Response
    HTTP/1.1 400 Bad Request
    Date: Fri, 20 Dec 2024 22:17:27 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.2.34
    cache-control: no-cache, private
    x-ratelimit-limit: 30
    x-ratelimit-remaining: 29
    vary: Accept-Encoding,User-Agent
    x-turbo-charged-by: LiteSpeed
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kU75T5FUcSy3pDOB85osqQRhgBCVqjAIom3Dfg59ul6A5G1cKKei8pFnE4oJuq4an5AgbuzfMNgFnlFMpK3FRSAdQaYt6ah6g4YM2LrwjxHhPztOfG7UWGiMy8VZ4w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f5300aacd756379-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=32159&min_rtt=32003&rtt_var=6959&sent=7&recv=7&lost=0&retrans=0&sent_bytes=2984&recv_bytes=677&delivery_rate=124640&cwnd=242&unsent_bytes=0&cid=401b2360c7d69941&ts=259&x=0"
  • flag-us
    DNS
    64.20.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.20.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    181.194.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    181.194.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    eternitypr.net
    PowerKuy4.57.exe
    Remote address:
    8.8.8.8:53
    Request
    eternitypr.net
    IN A
    Response
    eternitypr.net
    IN A
    104.21.21.142
    eternitypr.net
    IN A
    172.67.199.29
  • flag-us
    POST
    https://eternitypr.net/api/accounts
    PowerKuy4.57.exe
    Remote address:
    104.21.21.142:443
    Request
    POST /api/accounts HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: eternitypr.net
    Content-Length: 209
    Connection: Keep-Alive
    Response
    HTTP/1.1 400 Bad Request
    Date: Fri, 20 Dec 2024 22:17:28 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.2.34
    cache-control: no-cache, private
    x-ratelimit-limit: 30
    x-ratelimit-remaining: 29
    vary: Accept-Encoding,User-Agent
    x-turbo-charged-by: LiteSpeed
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nBFY3bB1yTsg0y8%2BLhgszN5jsotHK4NkVWx8IUZKwqUpgDlTGLkQgBOuK3XgcUEQ%2FokHq5n9SGVBX99Ny0i8qY1p71jFDKQtW7t8luCn1P80CBmzrOMyuy%2FiRYZwSQGYDA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f5300acee13770d-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=28321&min_rtt=27377&rtt_var=6695&sent=7&recv=7&lost=0&retrans=0&sent_bytes=2997&recv_bytes=683&delivery_rate=133217&cwnd=230&unsent_bytes=0&cid=cfd1c1d1208a4318&ts=300&x=0"
  • flag-us
    DNS
    142.21.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    142.21.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 216.58.214.174:80
    http://google.com/generate_204
    http
    PowerKuy4.57.exe
    302 B
     259 B
     5
    3

    HTTP Request

    GET http://google.com/generate_204

    HTTP Response

    204
  • 104.21.20.64:443
    https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449
    tls, http
    PowerKuy4.57.exe
    813.0kB
     12.4kB
     598
    181

    HTTP Request

    POST https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449

    HTTP Response

    400
  • 172.67.194.181:443
    https://eterprx.net/api/accounts
    tls, http
    PowerKuy4.57.exe
    1.1kB
     4.5kB
     9
    10

    HTTP Request

    POST https://eterprx.net/api/accounts

    HTTP Response

    400
  • 104.21.21.142:443
    https://eternitypr.net/api/accounts
    tls, http
    PowerKuy4.57.exe
    1.1kB
     4.5kB
     9
    10

    HTTP Request

    POST https://eternitypr.net/api/accounts

    HTTP Response

    400
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    google.com
    dns
    PowerKuy4.57.exe
    56 B
     72 B
     1
    1

    DNS Request

    google.com

    DNS Response

    216.58.214.174

  • 8.8.8.8:53
    api.imgbb.com
    dns
    PowerKuy4.57.exe
    59 B
     91 B
     1
    1

    DNS Request

    api.imgbb.com

    DNS Response

    104.21.20.64
    172.67.191.214

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    174.214.58.216.in-addr.arpa
    dns
    73 B
     173 B
     1
    1

    DNS Request

    174.214.58.216.in-addr.arpa

  • 8.8.8.8:53
    eterprx.net
    dns
    PowerKuy4.57.exe
    57 B
     89 B
     1
    1

    DNS Request

    eterprx.net

    DNS Response

    172.67.194.181
    104.21.20.223

  • 8.8.8.8:53
    64.20.21.104.in-addr.arpa
    dns
    71 B
     133 B
     1
    1

    DNS Request

    64.20.21.104.in-addr.arpa

  • 8.8.8.8:53
    181.194.67.172.in-addr.arpa
    dns
    73 B
     135 B
     1
    1

    DNS Request

    181.194.67.172.in-addr.arpa

  • 8.8.8.8:53
    eternitypr.net
    dns
    PowerKuy4.57.exe
    60 B
     92 B
     1
    1

    DNS Request

    eternitypr.net

    DNS Response

    104.21.21.142
    172.67.199.29

  • 8.8.8.8:53
    142.21.21.104.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    142.21.21.104.in-addr.arpa

  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    72.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dcd.exe
    Filesize

    227KB

    MD5

    b5ac46e446cead89892628f30a253a06

    SHA1

    f4ad1044a7f77a1b02155c3a355a1bb4177076ca

    SHA256

    def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

    SHA512

    bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

    Download Submit

  • memory/1660-3-0x00000000031A0000-0x00000000031DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1660-2-0x0000000003150000-0x00000000031A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1660-0-0x00007FFD22063000-0x00007FFD22065000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1660-4-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1660-5-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1660-1-0x0000000000EC0000-0x0000000000FA6000-memory.dmp

    Filesize

    920KB

    Download

  • memory/1660-10-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1660-11-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1660-12-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1660-13-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1660-15-0x000000001C510000-0x000000001C6B9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1660-16-0x00007FFD22060000-0x00007FFD22B21000-memory.dmp

    Filesize

    10.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.