Analysis
- max time kernel: 92s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 17-05-2022 12:01

Static task: static1
Behavioral task: behavioral1
Sample: 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
Resource: win7-20220414-en
General
- Target: 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
- Size: 62KB
- MD5: c4b46a2d0898e9ba438366f878cd74bd
- SHA1: f95a0529fbb8aa61cd3dee602fa6555b2c86dd62
- SHA256: 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
- SHA512: ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd
Malware Config
Signatures
- Detects Eternity clipper (7 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1964-54-0x00000000011A0000-0x00000000011B6000-memory.dmp | eternity_clipper
  C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe | eternity_clipper
  \Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe | eternity_clipper
  C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe | eternity_clipper
  behavioral1/memory/2008-64-0x0000000000250000-0x0000000000266000-memory.dmp | eternity_clipper
  C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe | eternity_clipper
  C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe | eternity_clipper
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- suricata: ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  2008 | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  1268 | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  1540 | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1016 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1016 | cmd.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  3 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  pid | process
  2008 | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2008 | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
- Suspicious use of WriteProcessMemory (28 IoCs; each of the 7 writes below is recorded 4 times in the report)
  Processes:
  description | pid | process | target process
  PID 1964 wrote to memory of 1016 | 1964 | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe | cmd.exe
  PID 1016 wrote to memory of 1720 | 1016 | cmd.exe | chcp.com
  PID 1016 wrote to memory of 2040 | 1016 | cmd.exe | PING.EXE
  PID 1016 wrote to memory of 1736 | 1016 | cmd.exe | schtasks.exe
  PID 1016 wrote to memory of 2008 | 1016 | cmd.exe | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  PID 1980 wrote to memory of 1268 | 1980 | taskeng.exe | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  PID 1980 wrote to memory of 1540 | 1980 | taskeng.exe | 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn "025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
      Command line: "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {98EE2885-9776-48B8-AF1D-F5D00874A9A1} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
    Command line: C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
    Command line: C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  Filesize: 62KB
  MD5: c4b46a2d0898e9ba438366f878cd74bd
  SHA1: f95a0529fbb8aa61cd3dee602fa6555b2c86dd62
  SHA256: 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
  SHA512: ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd
- \Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
  Filesize: 62KB
  MD5: c4b46a2d0898e9ba438366f878cd74bd
  SHA1: f95a0529fbb8aa61cd3dee602fa6555b2c86dd62
  SHA256: 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
  SHA512: ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd
- memory/1016-56-0x0000000000000000-mapping.dmp
- memory/1268-66-0x0000000000000000-mapping.dmp
- memory/1540-68-0x0000000000000000-mapping.dmp
- memory/1720-57-0x0000000000000000-mapping.dmp
- memory/1736-59-0x0000000000000000-mapping.dmp
- memory/1964-55-0x0000000075401000-0x0000000075403000-memory.dmp
  Filesize: 8KB
- memory/1964-54-0x00000000011A0000-0x00000000011B6000-memory.dmp
  Filesize: 88KB
- memory/2008-62-0x0000000000000000-mapping.dmp
- memory/2008-64-0x0000000000250000-0x0000000000266000-memory.dmp
  Filesize: 88KB
- memory/2040-58-0x0000000000000000-mapping.dmp