Analysis

  • max time kernel
    144s
  • max time network
    203s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    12/09/2022, 10:18

General

  • Target

    789630c437ccf2d7df712ce174ba2336792977a27d203431957c79163f9b9a05.exe

  • Size

    2.6MB

  • MD5

    0c717a4d5c7c6a0716fa3d788f0b2cdd

  • SHA1

    ccebe3bfbd0f46942c27e898b67dcd56c2dd7e27

  • SHA256

    789630c437ccf2d7df712ce174ba2336792977a27d203431957c79163f9b9a05

  • SHA512

    314e1c5b4569f7ca2db449f4fe5d86dd56972ae59c08ce82618d889c2c311b5d744cb4d52fd7f89411afc30c7e185d8ef46274e2b205076b584bb74a9dd997af

  • SSDEEP

    49152:DmVRGHUBcBLZ3K5va9tNCyK4Vs9mOpLbO88y8kiaAm3EmB5hwVjrrkxCP3RcdlsG:DmVRbO5Za5voN2aso4bOKiaB3Em1wht5

Malware Config

Signatures

  • Detects Eternity clipper (2 IoCs)
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (19 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (25 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\789630c437ccf2d7df712ce174ba2336792977a27d203431957c79163f9b9a05.exe
    "C:\Users\Admin\AppData\Local\Temp\789630c437ccf2d7df712ce174ba2336792977a27d203431957c79163f9b9a05.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SteamsService" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\SteamsService.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "SteamsService" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\SteamsService.exe"
        3⤵
        • Adds Run key to start application
        PID:4024
    • C:\Users\Admin\AppData\Local\Microsoft\SteamsService.exe
      "C:\Users\Admin\AppData\Local\Microsoft\SteamsService.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:2052
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          PID:2248

Network

MITRE ATT&CK Enterprise v6

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\SteamsService.exe

            Filesize

            2.6MB

            MD5

            0c717a4d5c7c6a0716fa3d788f0b2cdd

            SHA1

            ccebe3bfbd0f46942c27e898b67dcd56c2dd7e27

            SHA256

            789630c437ccf2d7df712ce174ba2336792977a27d203431957c79163f9b9a05

            SHA512

            314e1c5b4569f7ca2db449f4fe5d86dd56972ae59c08ce82618d889c2c311b5d744cb4d52fd7f89411afc30c7e185d8ef46274e2b205076b584bb74a9dd997af

          • memory/2248-375-0x0000000000400000-0x0000000000410000-memory.dmp

            Filesize

            64KB

          • memory/4892-348-0x0000000001290000-0x0000000001CBC000-memory.dmp

            Filesize

            10.2MB

          • memory/4892-339-0x000000000C040000-0x000000000C046000-memory.dmp

            Filesize

            24KB

          • memory/4892-338-0x000000000C010000-0x000000000C02A000-memory.dmp

            Filesize

            104KB

          • memory/4892-332-0x0000000001290000-0x0000000001CBC000-memory.dmp

            Filesize

            10.2MB

          • memory/4892-294-0x000000007EEC0000-0x000000007F291000-memory.dmp

            Filesize

            3.8MB

          • memory/4892-293-0x0000000001290000-0x0000000001CBC000-memory.dmp

            Filesize

            10.2MB

          • memory/4892-264-0x0000000001290000-0x0000000001CBC000-memory.dmp

            Filesize

            10.2MB

          • memory/4944-159-0x0000000001170000-0x0000000001172000-memory.dmp

            Filesize

            8KB

          • memory/4944-166-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-132-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-128-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-134-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-135-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-133-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-137-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-139-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-140-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-141-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-143-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-142-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-145-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-147-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-148-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-151-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-152-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-153-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-150-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-149-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-146-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-144-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-138-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-136-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-154-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-155-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-156-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-158-0x000000007F760000-0x000000007FB31000-memory.dmp

            Filesize

            3.8MB

          • memory/4944-157-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-130-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-160-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-161-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-162-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-163-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-164-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-165-0x0000000001170000-0x0000000001B9C000-memory.dmp

            Filesize

            10.2MB

          • memory/4944-131-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-167-0x0000000004FE0000-0x000000000507C000-memory.dmp

            Filesize

            624KB

          • memory/4944-168-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-169-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-170-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-171-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-172-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-173-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-174-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-175-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-176-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-177-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-178-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-179-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-180-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-181-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-182-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-183-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-184-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-185-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-186-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-187-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-202-0x0000000001170000-0x0000000001B9C000-memory.dmp

            Filesize

            10.2MB

          • memory/4944-203-0x000000007F760000-0x000000007FB31000-memory.dmp

            Filesize

            3.8MB

          • memory/4944-206-0x0000000004660000-0x000000000469C000-memory.dmp

            Filesize

            240KB

          • memory/4944-207-0x00000000046D0000-0x00000000046D6000-memory.dmp

            Filesize

            24KB

          • memory/4944-208-0x000000000C390000-0x000000000C88E000-memory.dmp

            Filesize

            5.0MB

          • memory/4944-209-0x000000000BE90000-0x000000000BF22000-memory.dmp

            Filesize

            584KB

          • memory/4944-211-0x0000000008B80000-0x0000000008B8A000-memory.dmp

            Filesize

            40KB

          • memory/4944-129-0x0000000001170000-0x0000000001B9C000-memory.dmp

            Filesize

            10.2MB

          • memory/4944-127-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-126-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-125-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-124-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-123-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-122-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-121-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-120-0x0000000077D50000-0x0000000077EDE000-memory.dmp

            Filesize

            1.6MB

          • memory/4944-255-0x0000000001170000-0x0000000001B9C000-memory.dmp

            Filesize

            10.2MB