Analysis
-
max time kernel
92s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
17-05-2022 12:01
Static task
static1
Behavioral task
behavioral1
Sample
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
Resource
win7-20220414-en
General
-
Target
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
-
Size
62KB
-
MD5
c4b46a2d0898e9ba438366f878cd74bd
-
SHA1
f95a0529fbb8aa61cd3dee602fa6555b2c86dd62
-
SHA256
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
-
SHA512
ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd
Malware Config
Signatures
-
Detects Eternity clipper 5 IoCs
Processes:
resource yara_rule behavioral2/memory/2124-130-0x00000000006C0000-0x00000000006D6000-memory.dmp eternity_clipper C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe eternity_clipper C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe eternity_clipper C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe eternity_clipper C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe eternity_clipper -
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
suricata: ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)
suricata: ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)
-
Executes dropped EXE 3 IoCs
Processes:
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exepid process 4812 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe 2316 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe 1672 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 20 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exepid process 4812 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exedescription pid process Token: SeDebugPrivilege 4812 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.execmd.exedescription pid process target process PID 2124 wrote to memory of 4688 2124 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe cmd.exe PID 2124 wrote to memory of 4688 2124 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe cmd.exe PID 2124 wrote to memory of 4688 2124 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe cmd.exe PID 4688 wrote to memory of 3292 4688 cmd.exe chcp.com PID 4688 wrote to memory of 3292 4688 cmd.exe chcp.com PID 4688 wrote to memory of 3292 4688 cmd.exe chcp.com PID 4688 wrote to memory of 3880 4688 cmd.exe PING.EXE PID 4688 wrote to memory of 3880 4688 cmd.exe PING.EXE PID 4688 wrote to memory of 3880 4688 cmd.exe PING.EXE PID 4688 wrote to memory of 3460 4688 cmd.exe schtasks.exe PID 4688 wrote to memory of 3460 4688 cmd.exe schtasks.exe PID 4688 wrote to memory of 3460 4688 cmd.exe schtasks.exe PID 4688 wrote to memory of 4812 4688 cmd.exe 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe PID 4688 wrote to memory of 4812 4688 cmd.exe 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe PID 4688 wrote to memory of 4812 4688 cmd.exe 025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exeC:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exeC:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exe.logFilesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exeFilesize
62KB
MD5c4b46a2d0898e9ba438366f878cd74bd
SHA1f95a0529fbb8aa61cd3dee602fa6555b2c86dd62
SHA256025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
SHA512ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd
-
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exeFilesize
62KB
MD5c4b46a2d0898e9ba438366f878cd74bd
SHA1f95a0529fbb8aa61cd3dee602fa6555b2c86dd62
SHA256025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
SHA512ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd
-
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exeFilesize
62KB
MD5c4b46a2d0898e9ba438366f878cd74bd
SHA1f95a0529fbb8aa61cd3dee602fa6555b2c86dd62
SHA256025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
SHA512ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd
-
C:\Users\Admin\AppData\Local\ServiceHub\025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3.exeFilesize
62KB
MD5c4b46a2d0898e9ba438366f878cd74bd
SHA1f95a0529fbb8aa61cd3dee602fa6555b2c86dd62
SHA256025e74a98cb22aab0eb2dbff69cb5abd4f1d529925d9e456f92f5fd6ff1e11c3
SHA512ae9cf9516ed834af320acd0d65ce58bf9b0b118228c820ee55e8db0d91b931426bdf0144f922c0d34e74f4a5b657ae5cd614179456e700f4618f0721caeb56bd
-
memory/2124-130-0x00000000006C0000-0x00000000006D6000-memory.dmpFilesize
88KB
-
memory/3292-132-0x0000000000000000-mapping.dmp
-
memory/3460-134-0x0000000000000000-mapping.dmp
-
memory/3880-133-0x0000000000000000-mapping.dmp
-
memory/4688-131-0x0000000000000000-mapping.dmp
-
memory/4812-139-0x0000000005AC0000-0x0000000005B52000-memory.dmpFilesize
584KB
-
memory/4812-140-0x0000000006110000-0x00000000066B4000-memory.dmpFilesize
5.6MB
-
memory/4812-141-0x0000000005F40000-0x0000000005F4A000-memory.dmpFilesize
40KB
-
memory/4812-135-0x0000000000000000-mapping.dmp