Analysis

- max time kernel: 110s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-11-2022 05:54
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220812-en
General

- Target: tmp.exe
- Size: 5.6MB
- MD5: c5ffb5f4c680fb5d2058b9ceb91bde35
- SHA1: cd1e0ca1b84b046321d673b407989ffadfa594a7
- SHA256: 5cfd06074db0ce6e91f2ab7bdd8e927d283d7b828900ad130ed882d2c736903a
- SHA512: ae52ffacb03ea319015e10a587139b4e3fed11f528027f7dab9323dc820b82e8b68ff8bdd7d657a304ceced529aef021574381ee06c7712daf0692c06d5e7d7d
- SSDEEP: 49152:nTjTA3G0ZNEfFf/u95P3HU7BHpJnbVa8ZTVs/BHywaad9sk/IRUnqnY48UzjcJ:nTeG07+FkNXUZpJnBlcywaK3Jaw
Malware Config
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
4BCCzZcSyS7L1229mxLRArhp2HPKwpBmHGDnZKnWFds856vvQcRiDSsLZWH2CjW6xigC3NSGE5Qq2gfixNyMMVc723mjiPs
bc1qn0zp2sps3zsqz2507yw7jyrjd678wct6mckeuy
qqlvllvrq5yg3cjwk4axl0unqlp2xpu6ccst2ywvp2
0xFbA9a8c4a5398585a2aF951aa2D5496dbeCdA4aE
DGWe2iVzYfpztsBFnb2KLmjwRXBD9RnJs4
TAtt7HTeBdUEZJKFfm7DUs4r6UQ6w1Y1bD
LZQHZCvWUijEASjGXW6rZu7PKHZJNJ97pf
rEBCk9SBcda7z58zS8c1PwkDVxMSk286W7
t1XzHsqCdWR8zfJ9hzWoNzPfjqeQrkU5XsZ
XyHAkGzeqQdad7edTAzk3heu4NqEbcY1cJ
AYpmFyNSzvHF5yT7pQXMXZcm1RzLBvWWEx
GD2UKPTYTMUOKZWIBYVVVE2ICH66AKBPW2HU7PS4JDDTFPPKEQUCEJOP
bnb1md0kze5z0laj8nyk2l82unccr45nmykfrfrp46
FiaNRohykfF1YiMPigDWqmKJbMCP32VpkiNC8B32nxhp
Signatures

- Detects Eternity clipper (1 IoC)
  - resource: behavioral2/memory/4312-136-0x0000000000400000-0x0000000000410000-memory.dmp, yara_rule: eternity_clipper
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
- Executes dropped EXE (6 IoCs)
  - pid / process: 1848 tmp.exe, 5112 tmp.exe, 4756 tmp.exe, 4508 tmp.exe, 4280 tmp.exe, 1312 tmp.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: tmp.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 11: ip-api.com
- Suspicious use of SetThreadContext (4 IoCs)
  - PID 4640 (tmp.exe) set thread context of 4312 (tmp.exe)
  - PID 1848 (tmp.exe) set thread context of 5112 (tmp.exe)
  - PID 4756 (tmp.exe) set thread context of 4508 (tmp.exe)
  - PID 4280 (tmp.exe) set thread context of 1312 (tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  - pid / process: 5112 tmp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, pid / process: 5112 tmp.exe
- Suspicious use of WriteProcessMemory (47 IoCs, identical rows collapsed with their counts)
  - PID 4640 (tmp.exe) wrote to memory of 4312 (tmp.exe): 8 times
  - PID 4312 (tmp.exe) wrote to memory of 3604 (cmd.exe): 3 times
  - PID 3604 (cmd.exe) wrote to memory of 4716 (chcp.com): 3 times
  - PID 3604 (cmd.exe) wrote to memory of 3968 (PING.EXE): 3 times
  - PID 3604 (cmd.exe) wrote to memory of 4412 (schtasks.exe): 3 times
  - PID 3604 (cmd.exe) wrote to memory of 1848 (tmp.exe): 3 times
  - PID 1848 (tmp.exe) wrote to memory of 5112 (tmp.exe): 8 times
  - PID 4756 (tmp.exe) wrote to memory of 4508 (tmp.exe): 8 times
  - PID 4280 (tmp.exe) wrote to memory of 1312 (tmp.exe): 8 times
Processes (nested by process-tree depth; each entry gives the image path, then the command line)

- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "tmp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\tmp.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        command line: chcp 65001
      - C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1
        - Runs ping.exe
      - C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /create /tn "tmp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe
        command line: "C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe
          command line: "C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe"
          - Executes dropped EXE
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe
  command line: C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe
    command line: "C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe"
    - Executes dropped EXE
- C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe
  command line: C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe
    command line: "C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log
  Filesize: 410B
  MD5: 3bbb825ef1319deb378787046587112b
  SHA1: 67da95f0031be525b4cf10645632ca34d66b913b
  SHA256: d9c6d00fad02f7a9ef0fcddc298ffd58b17020fb12b1336d5733237cbfadb1e0
  SHA512: 7771ae543e188d544e1bb6c65e0453a6777c1c39790a355f4cce652a815bfaf94dd426de3db910a67bd06e463ac0143d9e2ca44d2b12af7f0d84c27b4a09cc54
- C:\Users\Admin\AppData\Local\ServiceHub\tmp.exe
  Filesize: 5.6MB
  MD5: c5ffb5f4c680fb5d2058b9ceb91bde35
  SHA1: cd1e0ca1b84b046321d673b407989ffadfa594a7
  SHA256: 5cfd06074db0ce6e91f2ab7bdd8e927d283d7b828900ad130ed882d2c736903a
  SHA512: ae52ffacb03ea319015e10a587139b4e3fed11f528027f7dab9323dc820b82e8b68ff8bdd7d657a304ceced529aef021574381ee06c7712daf0692c06d5e7d7d
- memory/1312-154-0x0000000000000000-mapping.dmp
- memory/1848-142-0x0000000000000000-mapping.dmp
- memory/3604-138-0x0000000000000000-mapping.dmp
- memory/3968-140-0x0000000000000000-mapping.dmp
- memory/4312-135-0x0000000000000000-mapping.dmp
- memory/4312-136-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/4412-141-0x0000000000000000-mapping.dmp
- memory/4508-151-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/4508-150-0x0000000000000000-mapping.dmp
- memory/4640-132-0x00000000002F0000-0x0000000000894000-memory.dmp (Filesize: 5.6MB)
- memory/4640-134-0x0000000007730000-0x00000000077C2000-memory.dmp (Filesize: 584KB)
- memory/4640-133-0x0000000007C00000-0x00000000081A4000-memory.dmp (Filesize: 5.6MB)
- memory/4716-139-0x0000000000000000-mapping.dmp
- memory/5112-148-0x0000000007310000-0x000000000731A000-memory.dmp (Filesize: 40KB)
- memory/5112-146-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/5112-145-0x0000000000000000-mapping.dmp