Overview

overview

10

Static

static

1

tinytask.ini

windows7-x64

10

tinytask.ini

windows10-2004-x64

1

Resubmissions

23/02/2025, 15:05

250223-sglk1a1mbx 10

Analysis

  • max time kernel
    399s
  • max time network
    412s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23/02/2025, 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tinytask.ini

  • Size

    145B

  • MD5

    ceeacd35fe5d94dbf023d3ceddbfdc9f

  • SHA1

    d7417facd69ad39d6192e75b0eb82e0b6b53a447

  • SHA256

    24f7bda2e6d6eaa5608e027d1fe70958e956e9dc9a52ae1faf18d06982036ee7

  • SHA512

    5724bc671dafbf78b643177bf8f9eb2803537c104d7cbd93878561d30d707c1346f2426465ff2592f81d1e5c701cc534b5ddd657040d285191cd6bb557b4e8dc

Score
10/10
eternitydiscoverystealer

Malware Config

Signatures

  • Detects Eternity stealer 1 IoCs
    stealer
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    eternity
  • Eternity family
    eternity
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\tinytask.ini
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2804
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1780 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:2
    1⤵
      PID:2940
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3236 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:1
      1⤵
        PID:1388
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3452 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:8
        1⤵
          PID:3012
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3540 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:8
          1⤵
            PID:2428
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:8
            1⤵
              PID:2088
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=3744 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:1
              1⤵
                PID:1368
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=3720 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:1
                1⤵
                  PID:1644
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=2572 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:1
                  1⤵
                    PID:1460
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3232 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:8
                    1⤵
                      PID:880
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=2056 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:1
                      1⤵
                        PID:1116
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:8
                        1⤵
                          PID:1716
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=2824 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:1
                          1⤵
                            PID:2792
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4304 --field-trial-handle=1236,i,11302880127636587679,1511463232174066211,131072 /prefetch:8
                            1⤵
                              PID:2692
                            • C:\Users\Admin\Downloads\GABB\GABB 2\GABB.exe
                              "C:\Users\Admin\Downloads\GABB\GABB 2\GABB.exe"
                              1⤵
                              • Drops startup file
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1828
                              • C:\Users\Admin\AppData\Local\Temp\2yjk2hud.orl\GABB.exe
                                "C:\Users\Admin\AppData\Local\Temp\2yjk2hud.orl\GABB.exe"
                                2⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: GetForegroundWindowSpam
                                PID:2780
                              • C:\Users\Admin\AppData\Local\Temp\dcd.exe
                                "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
                                2⤵
                                • Executes dropped EXE
                                PID:1884
                              • C:\Windows\system32\WerFault.exe
                                C:\Windows\system32\WerFault.exe -u -p 1828 -s 1872
                                2⤵
                                  PID:2916

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\2yjk2hud.orl\GABB.exe
                                Filesize

                                1.3MB

                                MD5

                                daf80922dea3654feab54681538310c9

                                SHA1

                                f980bd545637e3ef3827c829b99bc23ce153894a

                                SHA256

                                41b60d0cd4e76960d7e01c06bd70f01ebdcbba220602f8bf3b2645fcd485e36e

                                SHA512

                                ad6083cf94569275163324d7737fd07d71ba4d01df73817982aaf7a166dc1f3e9a30ca207631216c6d866c5c1cef8555a1f52fb4b5287dd10ba8e7b939af92ad

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\dcd.exe
                                Filesize

                                227KB

                                MD5

                                b5ac46e446cead89892628f30a253a06

                                SHA1

                                f4ad1044a7f77a1b02155c3a355a1bb4177076ca

                                SHA256

                                def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

                                SHA512

                                bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

                                Download Submit

                              • memory/1828-6-0x000007FEF3A30000-0x000007FEF441C000-memory.dmp

                                Filesize

                                9.9MB

                                Download

                              • memory/1828-3-0x000007FEF3A30000-0x000007FEF441C000-memory.dmp

                                Filesize

                                9.9MB

                                Download

                              • memory/1828-4-0x000007FEF3A30000-0x000007FEF441C000-memory.dmp

                                Filesize

                                9.9MB

                                Download

                              • memory/1828-5-0x000000001BA80000-0x000000001BC16000-memory.dmp

                                Filesize

                                1.6MB

                                Download

                              • memory/1828-0-0x000007FEF3A33000-0x000007FEF3A34000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1828-7-0x000007FEF3A30000-0x000007FEF441C000-memory.dmp

                                Filesize

                                9.9MB

                                Download

                              • memory/1828-2-0x000007FEF3A30000-0x000007FEF441C000-memory.dmp

                                Filesize

                                9.9MB

                                Download

                              • memory/1828-1-0x0000000000220000-0x0000000000610000-memory.dmp

                                Filesize

                                3.9MB

                                Download

                              • memory/1828-20-0x000007FEF3A33000-0x000007FEF3A34000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1828-39-0x000007FEF3A30000-0x000007FEF441C000-memory.dmp

                                Filesize

                                9.9MB

                                Download

                              • memory/1828-40-0x000007FEF3A30000-0x000007FEF441C000-memory.dmp

                                Filesize

                                9.9MB

                                Download

                              • memory/2780-14-0x0000000000EC0000-0x000000000101C000-memory.dmp

                                Filesize

                                1.4MB

                                Download