Analysis
-
max time kernel
233s -
max time network
241s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26/08/2022, 06:00
Static task
static1
Behavioral task
behavioral1
Sample
a18b2b6648a6e116fb85974ed5b174eb.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a18b2b6648a6e116fb85974ed5b174eb.exe
Resource
win10v2004-20220812-en
General
-
Target
a18b2b6648a6e116fb85974ed5b174eb.exe
-
Size
532KB
-
MD5
a18b2b6648a6e116fb85974ed5b174eb
-
SHA1
2335736ebb5b727dd221adaaf4a6e319d54650c1
-
SHA256
7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b
-
SHA512
179c9a08696e37c4d5b46b8e5195edee16d93098f2f400cd4312a2879edc149fb3472b1bb6e50bd3022cd88074950fea369c93a54d25e2d05842add78e9ade9e
-
SSDEEP
12288:J7EaM88A/SFXR2i8u+kkXdXoDzXQfYw4wunnq:lP/KpR2pL5XtoDDQf4bq
Malware Config
Extracted
eternity
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
Signatures
-
Detects Eternity clipper 3 IoCs
resource yara_rule behavioral2/files/0x0006000000022e75-142.dat eternity_clipper behavioral2/files/0x0006000000022e75-143.dat eternity_clipper behavioral2/memory/2180-144-0x0000000000820000-0x0000000000830000-memory.dmp eternity_clipper -
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Executes dropped EXE 2 IoCs
pid Process 4728 Stealer.exe 2180 Clipper.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation a18b2b6648a6e116fb85974ed5b174eb.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation Stealer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Stealer.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Stealer.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Stealer.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 45 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2932 1664 WerFault.exe 79 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Stealer.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Stealer.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 1292 PING.EXE 4684 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2180 Clipper.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4728 Stealer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1664 a18b2b6648a6e116fb85974ed5b174eb.exe Token: SeDebugPrivilege 4728 Stealer.exe Token: SeDebugPrivilege 2180 Clipper.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 1664 wrote to memory of 4728 1664 a18b2b6648a6e116fb85974ed5b174eb.exe 82 PID 1664 wrote to memory of 4728 1664 a18b2b6648a6e116fb85974ed5b174eb.exe 82 PID 1664 wrote to memory of 2180 1664 a18b2b6648a6e116fb85974ed5b174eb.exe 83 PID 1664 wrote to memory of 2180 1664 a18b2b6648a6e116fb85974ed5b174eb.exe 83 PID 1664 wrote to memory of 2180 1664 a18b2b6648a6e116fb85974ed5b174eb.exe 83 PID 4728 wrote to memory of 5056 4728 Stealer.exe 90 PID 4728 wrote to memory of 5056 4728 Stealer.exe 90 PID 5056 wrote to memory of 1860 5056 cmd.exe 92 PID 5056 wrote to memory of 1860 5056 cmd.exe 92 PID 5056 wrote to memory of 3356 5056 cmd.exe 93 PID 5056 wrote to memory of 3356 5056 cmd.exe 93 PID 5056 wrote to memory of 424 5056 cmd.exe 94 PID 5056 wrote to memory of 424 5056 cmd.exe 94 PID 4728 wrote to memory of 432 4728 Stealer.exe 95 PID 4728 wrote to memory of 432 4728 Stealer.exe 95 PID 432 wrote to memory of 4628 432 cmd.exe 97 PID 432 wrote to memory of 4628 432 cmd.exe 97 PID 432 wrote to memory of 4328 432 cmd.exe 98 PID 432 wrote to memory of 4328 432 cmd.exe 98 PID 432 wrote to memory of 4004 432 cmd.exe 99 PID 432 wrote to memory of 4004 432 cmd.exe 99 PID 4728 wrote to memory of 5100 4728 Stealer.exe 101 PID 4728 wrote to memory of 5100 4728 Stealer.exe 101 PID 4728 wrote to memory of 4084 4728 Stealer.exe 103 PID 4728 wrote to memory of 4084 4728 Stealer.exe 103 PID 5100 wrote to memory of 2164 5100 cmd.exe 105 PID 5100 wrote to memory of 2164 5100 cmd.exe 105 PID 4084 wrote to memory of 2208 4084 cmd.exe 106 PID 4084 wrote to memory of 2208 4084 cmd.exe 106 PID 4084 wrote to memory of 4684 4084 cmd.exe 108 PID 4084 wrote to memory of 4684 4084 cmd.exe 108 PID 5100 wrote to memory of 1292 5100 cmd.exe 107 PID 5100 wrote to memory of 1292 5100 cmd.exe 107 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Stealer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Stealer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe"C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\Stealer.exe"C:\Users\Admin\AppData\Local\Temp\Stealer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4728 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:1860
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵PID:3356
-
-
C:\Windows\system32\findstr.exefindstr All4⤵PID:424
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key3⤵
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:4628
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear4⤵PID:4328
-
-
C:\Windows\system32\findstr.exefindstr Key4⤵PID:4004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:2164
-
-
C:\Windows\system32\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
PID:1292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:2208
-
-
C:\Windows\system32\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
PID:4684
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Clipper.exe"C:\Users\Admin\AppData\Local\Temp\Clipper.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 14082⤵
- Program crash
PID:2932
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1664 -ip 16641⤵PID:2432
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
38KB
MD58ca91deb0b495906ddcb1baf997dedf7
SHA1cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4
SHA256bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890
SHA512b76b633fe9f1ae3f196541b41bcb8ff8d63865b6285c3a3672dc9141269df3d0dde7dc83589d7f69936d772f74a340be6141d30d22b3522c72c1a91b8be1ddec
-
Filesize
38KB
MD58ca91deb0b495906ddcb1baf997dedf7
SHA1cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4
SHA256bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890
SHA512b76b633fe9f1ae3f196541b41bcb8ff8d63865b6285c3a3672dc9141269df3d0dde7dc83589d7f69936d772f74a340be6141d30d22b3522c72c1a91b8be1ddec
-
Filesize
336KB
MD5d1cdefb0ed7a84fdb2aba99ec065d2e2
SHA19cad12bc5214a118e72424b6d7799d362383f8f5
SHA25680b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e
SHA512a92a29a92e3835b5a9d4325227239b14b18f9e493645d7598178f6f195b28511996bbc615b461b369f1d070cddff1732fd4d1adc8ce646c2aac5e429756a1b3e
-
Filesize
336KB
MD5d1cdefb0ed7a84fdb2aba99ec065d2e2
SHA19cad12bc5214a118e72424b6d7799d362383f8f5
SHA25680b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e
SHA512a92a29a92e3835b5a9d4325227239b14b18f9e493645d7598178f6f195b28511996bbc615b461b369f1d070cddff1732fd4d1adc8ce646c2aac5e429756a1b3e