Analysis
max time kernel: 82s
max time network: 180s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 08/09/2022, 22:16
Static task: static1
Behavioral task: behavioral1
  Sample: 453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  Resource: win10-20220812-en
General
Target: 453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
Size: 423KB
MD5: f37639060cdf9b426d38afa1a05375c6
SHA1: 08da192b66493852158e6393e30cc23d8ff54aa2
SHA256: 453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d
SHA512: 143fe1a1e26b0fb8f4cc785a425c9420795af0a5eff902f8b97910d6e88c830e20397f95a07773e1a229876fbe8a569abc4b260bb56ea318bf19b37191e1053d
SSDEEP: 6144:qq1VGlkatj2ER0u+GIIIIIIIhIIIIIIIIIIIIIIIU:d0txm5
Malware Config
Signatures
Detects Eternity clipper (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/5008-327-0x000000000040AD8E-mapping.dmp                    eternity_clipper
  behavioral2/memory/5008-360-0x0000000000400000-0x0000000000410000-memory.dmp  eternity_clipper
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
Executes dropped EXE (1 IoC)
  pid   Process
  3852  SteamsService.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                                                Process
  Key created      \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                                           reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SteamsService = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\SteamsService.exe"                          reg.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  15    ip-api.com
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process            procid_target
  PID 3852 set thread context of 5008  3852  SteamsService.exe  71
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  5008  InstallUtil.exe
Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid   Process
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  3852  SteamsService.exe
  3852  SteamsService.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
  Token: SeDebugPrivilege  3852  SteamsService.exe
  Token: SeDebugPrivilege  5008  InstallUtil.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  description                        pid   Process                                                                Process procid_target
  PID 3040 wrote to memory of 4036   3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe  69
  PID 3040 wrote to memory of 4036   3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe  69
  PID 3040 wrote to memory of 4036   3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe  69
  PID 4036 wrote to memory of 4832   4036  cmd.exe                                                                68
  PID 4036 wrote to memory of 4832   4036  cmd.exe                                                                68
  PID 4036 wrote to memory of 4832   4036  cmd.exe                                                                68
  PID 3040 wrote to memory of 3852   3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe  70
  PID 3040 wrote to memory of 3852   3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe  70
  PID 3040 wrote to memory of 3852   3040  453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe  70
  PID 3852 wrote to memory of 5008   3852  SteamsService.exe                                                      71
  PID 3852 wrote to memory of 5008   3852  SteamsService.exe                                                      71
  PID 3852 wrote to memory of 5008   3852  SteamsService.exe                                                      71
  PID 3852 wrote to memory of 5008   3852  SteamsService.exe                                                      71
  PID 3852 wrote to memory of 5008   3852  SteamsService.exe                                                      71
  PID 3852 wrote to memory of 5008   3852  SteamsService.exe                                                      71
  PID 3852 wrote to memory of 5008   3852  SteamsService.exe                                                      71
  PID 3852 wrote to memory of 5008   3852  SteamsService.exe                                                      71
Processes
1. C:\Users\Admin\AppData\Local\Temp\453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d.exe"
   PID: 3040
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SteamsService" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\SteamsService.exe"
      PID: 4036
      - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Microsoft\SteamsService.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\SteamsService.exe"
      PID: 3852
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
         PID: 5008
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\reg.exe
   Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SteamsService" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\SteamsService.exe"
   PID: 4832
   - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 423KB
MD5: f37639060cdf9b426d38afa1a05375c6
SHA1: 08da192b66493852158e6393e30cc23d8ff54aa2
SHA256: 453547830b48abba823150cfadab2717f43153598dbba7595bfacc13196a7c2d
SHA512: 143fe1a1e26b0fb8f4cc785a425c9420795af0a5eff902f8b97910d6e88c830e20397f95a07773e1a229876fbe8a569abc4b260bb56ea318bf19b37191e1053d