eternity | 2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

General

Target

file.exe
Size

10.0MB
MD5

71438bae518e4e312e1f6617ee0b268b
SHA1

744f042e3b251786d7d15c960b93d7da83f75773
SHA256

2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8
SHA512

6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf
SSDEEP

24576:LvtObzeG41/7E6E9h1hqmS10mSVBojjIY+SzsS:hOWVpX8V+48zsS

Score

10^/10

eternity clipper

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Wallets

41r3LwMnez561bPJdamkzFfVoUJhmJQjHXSGz2e1Cb8xBCgvvSN36REatA7Ayn2GubDXyE2SQsar4LJDTAr8DnwPSmViy7o

1NSf3HSaEVJQv82Wg1Dxwrq8vksbXk1Uz9

0x5296E7a3aBa03B60e9ab2fF31Bc4Bda5C4306E70

D8JaQ1S56v9q1PYvgiMSiJKcpr62rzNmPP

TGPdhxdT1AdFBy9ojeACoPDhGG9BJsDRcG

t1V7NEnYmdnGVMFE7nLmW9r1DxnvBdZEcuu

XpTXPMSoGXwsHWs1h9fnUTDo2HfJbXyzqk

Signatures

Detects Eternity clipper 1 IoCs

clipper

Processes:

resource	yara_rule
behavioral2/memory/4976-136-0x0000000000400000-0x0000000000410000-memory.dmp	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 6 IoCs

Processes:

file.exefile.exefile.exefile.exefile.exefile.exe

pid process

4896 file.exe
2448 file.exe
4552 file.exe
2268 file.exe
4076 file.exe
1948 file.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation file.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com

pid	process
4896	file.exe
2448	file.exe
4552	file.exe
2268	file.exe
4076	file.exe
1948	file.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	file.exe

flow	ioc
10	ip-api.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

file.exefile.exefile.exefile.exe

description	pid	process	target process
PID 4624 set thread context of 4976	4624	file.exe	file.exe
PID 4896 set thread context of 2448	4896	file.exe	file.exe
PID 4552 set thread context of 2268	4552	file.exe	file.exe
PID 4076 set thread context of 1948	4076	file.exe	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4716 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4924 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

file.exe

pid process

2448 file.exe

pid	process
4716	schtasks.exe

pid	process
4924	PING.EXE

pid	process
2448	file.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

file.exefile.exefile.exefile.exefile.exe

description	pid	process
Token: SeDebugPrivilege	4624	file.exe
Token: SeDebugPrivilege	4896	file.exe
Token: SeDebugPrivilege	2448	file.exe
Token: SeDebugPrivilege	4552	file.exe
Token: SeDebugPrivilege	4076	file.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

file.exefile.execmd.exefile.exefile.exefile.exe

description	pid	process	target process
PID 4624 wrote to memory of 4976	4624	file.exe	file.exe
PID 4624 wrote to memory of 4976	4624	file.exe	file.exe
PID 4624 wrote to memory of 4976	4624	file.exe	file.exe
PID 4624 wrote to memory of 4976	4624	file.exe	file.exe
PID 4624 wrote to memory of 4976	4624	file.exe	file.exe
PID 4624 wrote to memory of 4976	4624	file.exe	file.exe
PID 4624 wrote to memory of 4976	4624	file.exe	file.exe
PID 4624 wrote to memory of 4976	4624	file.exe	file.exe
PID 4976 wrote to memory of 4676	4976	file.exe	cmd.exe
PID 4976 wrote to memory of 4676	4976	file.exe	cmd.exe
PID 4976 wrote to memory of 4676	4976	file.exe	cmd.exe
PID 4676 wrote to memory of 4276	4676	cmd.exe	chcp.com
PID 4676 wrote to memory of 4276	4676	cmd.exe	chcp.com
PID 4676 wrote to memory of 4276	4676	cmd.exe	chcp.com
PID 4676 wrote to memory of 4924	4676	cmd.exe	PING.EXE
PID 4676 wrote to memory of 4924	4676	cmd.exe	PING.EXE
PID 4676 wrote to memory of 4924	4676	cmd.exe	PING.EXE
PID 4676 wrote to memory of 4716	4676	cmd.exe	schtasks.exe
PID 4676 wrote to memory of 4716	4676	cmd.exe	schtasks.exe
PID 4676 wrote to memory of 4716	4676	cmd.exe	schtasks.exe
PID 4676 wrote to memory of 4896	4676	cmd.exe	file.exe
PID 4676 wrote to memory of 4896	4676	cmd.exe	file.exe
PID 4676 wrote to memory of 4896	4676	cmd.exe	file.exe
PID 4896 wrote to memory of 2448	4896	file.exe	file.exe
PID 4896 wrote to memory of 2448	4896	file.exe	file.exe
PID 4896 wrote to memory of 2448	4896	file.exe	file.exe
PID 4896 wrote to memory of 2448	4896	file.exe	file.exe
PID 4896 wrote to memory of 2448	4896	file.exe	file.exe
PID 4896 wrote to memory of 2448	4896	file.exe	file.exe
PID 4896 wrote to memory of 2448	4896	file.exe	file.exe
PID 4896 wrote to memory of 2448	4896	file.exe	file.exe
PID 4552 wrote to memory of 2268	4552	file.exe	file.exe
PID 4552 wrote to memory of 2268	4552	file.exe	file.exe
PID 4552 wrote to memory of 2268	4552	file.exe	file.exe
PID 4552 wrote to memory of 2268	4552	file.exe	file.exe
PID 4552 wrote to memory of 2268	4552	file.exe	file.exe
PID 4552 wrote to memory of 2268	4552	file.exe	file.exe
PID 4552 wrote to memory of 2268	4552	file.exe	file.exe
PID 4552 wrote to memory of 2268	4552	file.exe	file.exe
PID 4076 wrote to memory of 1948	4076	file.exe	file.exe
PID 4076 wrote to memory of 1948	4076	file.exe	file.exe
PID 4076 wrote to memory of 1948	4076	file.exe	file.exe
PID 4076 wrote to memory of 1948	4076	file.exe	file.exe
PID 4076 wrote to memory of 1948	4076	file.exe	file.exe
PID 4076 wrote to memory of 1948	4076	file.exe	file.exe
PID 4076 wrote to memory of 1948	4076	file.exe	file.exe
PID 4076 wrote to memory of 1948	4076	file.exe	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\file.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4276

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:4924

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4716

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
"C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
"C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
"C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
2⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\ServiceHub\file.exe
"C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
2⤵
- Executes dropped EXE
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Filesize
617B

MD5
806dff23883c0aa6dcb04133b1380075

SHA1
ab9c711b18ac9edbd41966b3495f837746dbc146

SHA256
b58a668ac53e656011a581a7c1ce3d763b8120487f3017a5881298a588a34e17

SHA512
42ff1897d652e4bf0467e402a9386501810db93d1e18824bb61ec231d50ae9dabed04043cd60996cd508fd3e495825bb02acb5d7619e20773f9bdc5c453017b6

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe
Filesize
10.0MB

MD5
71438bae518e4e312e1f6617ee0b268b

SHA1
744f042e3b251786d7d15c960b93d7da83f75773

SHA256
2e0407e923bff9826e61900e5c1addaf13e226564796527e83bc0384adb16ec8

SHA512
6128bcdaf3006757b3a7f13f30bb07c91ade97214807e56f15df0fc20b4d45b44a0ba5cb73140aec9c6c5f4eb596219c9e5f897cccd07de6447780a6e677adaf

Download Submit
memory/1948-155-0x0000000000000000-mapping.dmp

Download
memory/1948-156-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2268-151-0x0000000000000000-mapping.dmp

Download
memory/2448-145-0x0000000000000000-mapping.dmp

Download
memory/2448-148-0x0000000007320000-0x00000000073B2000-memory.dmp

Filesize
584KB

Download
memory/2448-149-0x00000000084C0000-0x00000000084CA000-memory.dmp

Filesize
40KB

Download
memory/4276-139-0x0000000000000000-mapping.dmp

Download
memory/4624-134-0x0000000005EE0000-0x0000000005F7C000-memory.dmp

Filesize
624KB

Download
memory/4624-132-0x0000000000960000-0x0000000001360000-memory.dmp

Filesize
10.0MB

Download
memory/4624-133-0x0000000006370000-0x0000000006914000-memory.dmp

Filesize
5.6MB

Download
memory/4676-138-0x0000000000000000-mapping.dmp

Download
memory/4716-141-0x0000000000000000-mapping.dmp

Download
memory/4896-142-0x0000000000000000-mapping.dmp

Download
memory/4924-140-0x0000000000000000-mapping.dmp

Download
memory/4976-135-0x0000000000000000-mapping.dmp

Download
memory/4976-136-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads