eternity | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

Analysis

max time kernel
92s
max time network
120s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-05-2022 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
Size

62KB
MD5

c4b46a2d0898e9ba438366f878cd74bd
SHA1

f95a0529fbb8aa61cd3dee602fa6555b2c86dd62
SHA256

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
SHA512

ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Score

10^/10

eternity clipper suricata

Malware Config

Signatures

Detects Eternity clipper 7 IoCs

clipper

Processes:

resource	yara_rule
behavioral1/memory/1964-54-0x00000000011A0000-0x00000000011B6000-memory.dmp	eternity_clipper
behavioral1/files/0x000a000000012323-61.dat	eternity_clipper
behavioral1/files/0x000a000000012323-60.dat	eternity_clipper
behavioral1/files/0x000a000000012323-63.dat	eternity_clipper
behavioral1/memory/2008-64-0x0000000000250000-0x0000000000266000-memory.dmp	eternity_clipper
behavioral1/files/0x000a000000012323-67.dat	eternity_clipper
behavioral1/files/0x000a000000012323-69.dat	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
suricata: ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)
suricata: ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)
suricata

Executes dropped EXE 3 IoCs

Processes:

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

pid	Process
2008	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
1268	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
1540	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1016	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid	Process
1016	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
1736	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2040	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

pid	Process
2008	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

description	pid	Process
Token: SeDebugPrivilege	2008	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.execmd.exetaskeng.exe

description	pid	Process	procid_target
PID 1964 wrote to memory of 1016	1964	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe	27
PID 1964 wrote to memory of 1016	1964	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe	27
PID 1964 wrote to memory of 1016	1964	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe	27
PID 1964 wrote to memory of 1016	1964	025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe	27
PID 1016 wrote to memory of 1720	1016	cmd.exe	29
PID 1016 wrote to memory of 1720	1016	cmd.exe	29
PID 1016 wrote to memory of 1720	1016	cmd.exe	29
PID 1016 wrote to memory of 1720	1016	cmd.exe	29
PID 1016 wrote to memory of 2040	1016	cmd.exe	30
PID 1016 wrote to memory of 2040	1016	cmd.exe	30
PID 1016 wrote to memory of 2040	1016	cmd.exe	30
PID 1016 wrote to memory of 2040	1016	cmd.exe	30
PID 1016 wrote to memory of 1736	1016	cmd.exe	31
PID 1016 wrote to memory of 1736	1016	cmd.exe	31
PID 1016 wrote to memory of 1736	1016	cmd.exe	31
PID 1016 wrote to memory of 1736	1016	cmd.exe	31
PID 1016 wrote to memory of 2008	1016	cmd.exe	32
PID 1016 wrote to memory of 2008	1016	cmd.exe	32
PID 1016 wrote to memory of 2008	1016	cmd.exe	32
PID 1016 wrote to memory of 2008	1016	cmd.exe	32
PID 1980 wrote to memory of 1268	1980	taskeng.exe	34
PID 1980 wrote to memory of 1268	1980	taskeng.exe	34
PID 1980 wrote to memory of 1268	1980	taskeng.exe	34
PID 1980 wrote to memory of 1268	1980	taskeng.exe	34
PID 1980 wrote to memory of 1540	1980	taskeng.exe	35
PID 1980 wrote to memory of 1540	1980	taskeng.exe	35
PID 1980 wrote to memory of 1540	1980	taskeng.exe	35
PID 1980 wrote to memory of 1540	1980	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
"C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1736
- - C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
    "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:2008

C:\Windows\system32\taskeng.exe
taskeng.exe {98EE2885-9776-48B8-AF1D-F5D00874A9A1} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  2⤵
  - Executes dropped EXE
  PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Filesize
62KB

MD5
c4b46a2d0898e9ba438366f878cd74bd

SHA1
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62

SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

SHA512
ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Filesize
62KB

MD5
c4b46a2d0898e9ba438366f878cd74bd

SHA1
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62

SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

SHA512
ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Filesize
62KB

MD5
c4b46a2d0898e9ba438366f878cd74bd

SHA1
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62

SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

SHA512
ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Filesize
62KB

MD5
c4b46a2d0898e9ba438366f878cd74bd

SHA1
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62

SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

SHA512
ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Download Submit
\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe

Filesize
62KB

MD5
c4b46a2d0898e9ba438366f878cd74bd

SHA1
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62

SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3

SHA512
ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd

Download Submit
memory/1016-56-0x0000000000000000-mapping.dmp

Download
memory/1268-66-0x0000000000000000-mapping.dmp

Download
memory/1540-68-0x0000000000000000-mapping.dmp

Download
memory/1720-57-0x0000000000000000-mapping.dmp

Download
memory/1736-59-0x0000000000000000-mapping.dmp

Download
memory/1964-55-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1964-54-0x00000000011A0000-0x00000000011B6000-memory.dmp

Filesize
88KB

Download
memory/2008-62-0x0000000000000000-mapping.dmp

Download
memory/2008-64-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/2040-58-0x0000000000000000-mapping.dmp

Download