Analysis

  • max time kernel
    233s
  • max time network
    241s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    26/08/2022, 06:00

General

  • Target

    a18b2b6648a6e116fb85974ed5b174eb.exe

  • Size

    532KB

  • MD5

    a18b2b6648a6e116fb85974ed5b174eb

  • SHA1

    2335736ebb5b727dd221adaaf4a6e319d54650c1

  • SHA256

    7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b

  • SHA512

    179c9a08696e37c4d5b46b8e5195edee16d93098f2f400cd4312a2879edc149fb3472b1bb6e50bd3022cd88074950fea369c93a54d25e2d05842add78e9ade9e

  • SSDEEP

    12288:J7EaM88A/SFXR2i8u+kkXdXoDzXQfYw4wunnq:lP/KpR2pL5XtoDDQf4bq

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Signatures

  • Detects Eternity clipper 3 IoCs
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe
    "C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Local\Temp\Stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:4728
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5056
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:1860
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          4⤵
          PID:3356
        • C:\Windows\system32\findstr.exe
          findstr All
          4⤵
          PID:424
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:432
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:4628
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile name="65001" key=clear
          4⤵
          PID:4328
        • C:\Windows\system32\findstr.exe
          findstr Key
          4⤵
          PID:4004
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2164
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1292
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4084
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2208
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:4684
    • C:\Users\Admin\AppData\Local\Temp\Clipper.exe
      "C:\Users\Admin\AppData\Local\Temp\Clipper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1408
      2⤵
      • Program crash
      PID:2932
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1664 -ip 1664
    1⤵
    PID:2432

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Clipper.exe

    Filesize

    38KB

    MD5

    8ca91deb0b495906ddcb1baf997dedf7

    SHA1

    cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4

    SHA256

    bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890

    SHA512

    b76b633fe9f1ae3f196541b41bcb8ff8d63865b6285c3a3672dc9141269df3d0dde7dc83589d7f69936d772f74a340be6141d30d22b3522c72c1a91b8be1ddec


  • C:\Users\Admin\AppData\Local\Temp\Stealer.exe

    Filesize

    336KB

    MD5

    d1cdefb0ed7a84fdb2aba99ec065d2e2

    SHA1

    9cad12bc5214a118e72424b6d7799d362383f8f5

    SHA256

    80b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e

    SHA512

    a92a29a92e3835b5a9d4325227239b14b18f9e493645d7598178f6f195b28511996bbc615b461b369f1d070cddff1732fd4d1adc8ce646c2aac5e429756a1b3e


  • memory/1664-135-0x0000000004E10000-0x00000000053B4000-memory.dmp

    Filesize

    5.6MB

  • memory/1664-147-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/1664-134-0x0000000000400000-0x00000000004E6000-memory.dmp

    Filesize

    920KB

  • memory/1664-133-0x00000000005C0000-0x000000000062C000-memory.dmp

    Filesize

    432KB

  • memory/1664-132-0x00000000008F2000-0x0000000000951000-memory.dmp

    Filesize

    380KB

  • memory/1664-146-0x00000000008F2000-0x0000000000951000-memory.dmp

    Filesize

    380KB

  • memory/2180-144-0x0000000000820000-0x0000000000830000-memory.dmp

    Filesize

    64KB

  • memory/2180-148-0x0000000006740000-0x000000000674A000-memory.dmp

    Filesize

    40KB

  • memory/2180-145-0x00000000060C0000-0x0000000006152000-memory.dmp

    Filesize

    584KB

  • memory/4728-151-0x00000243F8540000-0x00000243F8590000-memory.dmp

    Filesize

    320KB

  • memory/4728-149-0x00007FFE80990000-0x00007FFE81451000-memory.dmp

    Filesize

    10.8MB

  • memory/4728-140-0x00007FFE80990000-0x00007FFE81451000-memory.dmp

    Filesize

    10.8MB

  • memory/4728-139-0x00000243F4CB0000-0x00000243F4D0A000-memory.dmp

    Filesize

    360KB

  • memory/4728-165-0x00007FFE80990000-0x00007FFE81451000-memory.dmp

    Filesize

    10.8MB