Analysis
-
max time kernel
147s -
max time network
85s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
17-05-2022 12:01
General
-
Target
05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe
-
Size
62KB
-
MD5
ffdaf2a866979b05e198d2b38c83c8bc
-
SHA1
c9b292181fad9c693f010426140ae180e7314fd5
-
SHA256
05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb
-
SHA512
446429011690720aa50c85de323092a775a08c6c64956c2979216fef27ef3b4c0f8891685e93685b2f03ab2a17f9b5143dfd869cc23a3ad4e10de088e49cd40e
Malware Config
Signatures
-
Detects Eternity clipper 8 IoCs
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
suricata: ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)
suricata: ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)
-
Executes dropped EXE 4 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe"C:\Users\Admin\AppData\Local\Temp\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe"2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe"C:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {865F6440-8692-4C6A-A703-65DD65B76008} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exeC:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exeC:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exeC:\Users\Admin\AppData\Local\ServiceHub\05479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
62KB
MD5ffdaf2a866979b05e198d2b38c83c8bc
SHA1c9b292181fad9c693f010426140ae180e7314fd5
SHA25605479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb
SHA512446429011690720aa50c85de323092a775a08c6c64956c2979216fef27ef3b4c0f8891685e93685b2f03ab2a17f9b5143dfd869cc23a3ad4e10de088e49cd40e
-
Filesize
62KB
MD5ffdaf2a866979b05e198d2b38c83c8bc
SHA1c9b292181fad9c693f010426140ae180e7314fd5
SHA25605479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb
SHA512446429011690720aa50c85de323092a775a08c6c64956c2979216fef27ef3b4c0f8891685e93685b2f03ab2a17f9b5143dfd869cc23a3ad4e10de088e49cd40e
-
Filesize
62KB
MD5ffdaf2a866979b05e198d2b38c83c8bc
SHA1c9b292181fad9c693f010426140ae180e7314fd5
SHA25605479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb
SHA512446429011690720aa50c85de323092a775a08c6c64956c2979216fef27ef3b4c0f8891685e93685b2f03ab2a17f9b5143dfd869cc23a3ad4e10de088e49cd40e
-
Filesize
62KB
MD5ffdaf2a866979b05e198d2b38c83c8bc
SHA1c9b292181fad9c693f010426140ae180e7314fd5
SHA25605479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb
SHA512446429011690720aa50c85de323092a775a08c6c64956c2979216fef27ef3b4c0f8891685e93685b2f03ab2a17f9b5143dfd869cc23a3ad4e10de088e49cd40e
-
Filesize
62KB
MD5ffdaf2a866979b05e198d2b38c83c8bc
SHA1c9b292181fad9c693f010426140ae180e7314fd5
SHA25605479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb
SHA512446429011690720aa50c85de323092a775a08c6c64956c2979216fef27ef3b4c0f8891685e93685b2f03ab2a17f9b5143dfd869cc23a3ad4e10de088e49cd40e
-
Filesize
62KB
MD5ffdaf2a866979b05e198d2b38c83c8bc
SHA1c9b292181fad9c693f010426140ae180e7314fd5
SHA25605479690e83e9e152800933003e1f4e70b70e4b49798f4968daf9caea9b90bdb
SHA512446429011690720aa50c85de323092a775a08c6c64956c2979216fef27ef3b4c0f8891685e93685b2f03ab2a17f9b5143dfd869cc23a3ad4e10de088e49cd40e
-
-
Filesize
8KB
-
Filesize
88KB
-
-
-
-
-
-
Filesize
88KB
-
-