Analysis

max time kernel:   143s
max time network:  125s
platform:          windows7_x64
resource:          win7-20220812-en
resource tags:     arch:x64  arch:x86  image:win7-20220812-en  locale:en-us  os:windows7-x64  system
submitted:         22-11-2022 21:30

Static task:       static1
Behavioral task:   behavioral1
Sample:            17d7d98d93aff88246a9836b600a0966.docm
Resource:          win7-20220812-en
General

Target:  17d7d98d93aff88246a9836b600a0966.docm
Size:    69KB
MD5:     17d7d98d93aff88246a9836b600a0966
SHA1:    1ba489b334fc1c4906c4ffa6b93ba3422d99832c
SHA256:  350bf9acd23ff9f8d05bf694bc79e0f63097c847f3eeb065709d1184255ba6df
SHA512:  a32f061800aaa4149ae09998fdda17a5bcfb9a6b950b43c3c71e9fd7bd3c2948d91cb4ce7249a8e8d597ac3690d475e56646b917d7b92e2d76b3848faf178058
SSDEEP:  1536:nXy14XbP2vRZsllUHipzm/TERc7Fpzkt7oCxBtix5:nXg4LPsKUCplREklrBt05
Malware Config

Extracted: eternity
- http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
- 3PyqR4JWaMnp9smk9xnr9DAYW4M6HcKRnV
- qpmhdv2gekpscmrv4sqed2d6njcaxmkhjyrr0rjes4
- 0x3F508b9ED9FDb1B8A84957257Fa44DF3A9D4B1e6
- 0x8C0f9B8ec99f317976F703428aC2c66F5394F474
- DCwDPtUXL2XHSowck7EVZi6ipwVMQk7VR6
- TPxXfNnPVcrMAma1KobjmTt5wz5y8EueeK
- ltc1qp64dmhcj990z349pd2hcdqgnqyguhgky4gdfdy
- rDCP4X5gV7WdPv5THD5fduUeDpaijLoD2s
- t1X6HZNtFz5MspayYmse65dNig4aeYaFVGr
- GBVMKZZPPMQDBFPLBOAD6LXUZKPTINWSL43AO4LUMX4QLH7YCCIFVGTA
- 9WACN4w69kmQpjoh8AZamNBz3vVDsNKHKpJ7BcoeYCX4
- 53YQHFOKWJTORJ6PSMF37KL3TRAJGIAMG7LG5VQRQFOOAZHI6QMCUFTTPI
Signatures

Detects Eternity clipper (4 IoCs)
  resource                                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe     eternity_clipper
  \Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe       eternity_clipper
  C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe     eternity_clipper
  behavioral1/memory/924-66-0x0000000000C30000-0x0000000000C40000-memory.dmp     eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description                                                                                                   pid   pid_target  process       target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process     1424  1980        certutil.exe  WINWORD.EXE

Executes dropped EXE (1 IoC)
  pid   process
  924   y60fa476fe967f7bf8fdead3c133586ab6f94.exe

Loads dropped DLL (1 IoC)
  pid   process
  1980  WINWORD.EXE

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com

Drops file in Windows directory (1 IoC)
  description                   ioc                                  process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log    WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
  description      ioc                                                                                                                                                                          process
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar                                                                  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                                                 WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"                                 WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                                     WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt                                                                  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel                                       WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"                        WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   process
  1980  WINWORD.EXE
  924   y60fa476fe967f7bf8fdead3c133586ab6f94.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   process
  Token: SeDebugPrivilege   924   y60fa476fe967f7bf8fdead3c133586ab6f94.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  1980  WINWORD.EXE
  1980  WINWORD.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   process      target process
  PID 1980 wrote to memory of 1424   1980  WINWORD.EXE  certutil.exe
  PID 1980 wrote to memory of 1424   1980  WINWORD.EXE  certutil.exe
  PID 1980 wrote to memory of 1424   1980  WINWORD.EXE  certutil.exe
  PID 1980 wrote to memory of 1424   1980  WINWORD.EXE  certutil.exe
  PID 1980 wrote to memory of 924    1980  WINWORD.EXE  y60fa476fe967f7bf8fdead3c133586ab6f94.exe
  PID 1980 wrote to memory of 924    1980  WINWORD.EXE  y60fa476fe967f7bf8fdead3c133586ab6f94.exe
  PID 1980 wrote to memory of 924    1980  WINWORD.EXE  y60fa476fe967f7bf8fdead3c133586ab6f94.exe
  PID 1980 wrote to memory of 924    1980  WINWORD.EXE  y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17d7d98d93aff88246a9836b600a0966.docm"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\certutil.exe (child of WINWORD.EXE)
    Command line: "C:\Windows\System32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\Ne499c9b07b4bba5a929fd83b27c85868 C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
    - Process spawned unexpected child process

  C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe (child of WINWORD.EXE)
    Command line: "C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe"
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\Ne499c9b07b4bba5a929fd83b27c85868
  Filesize: 50KB
  MD5:      218b860af96baab0353d79acc1e1223d
  SHA1:     e9f3219ed9cbf9d119b144b49fca825855e206d7
  SHA256:   4811feb999aa02b1cf739698e898200ec7baae809caf2a250ef1be60a09abebc
  SHA512:   2cb1c10a1fb5a4156b521789d110f773d889ae947c18ba981a4ab0143f63dba3d9c8e38412a09ec470ce83c5320b832df49ac9568b8d10308c84fc66df30d48a

C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
  Filesize: 37KB
  MD5:      e80c189549c3c02c2848c731518b32d5
  SHA1:     eb6d0dffc42b1adf0c5e85540376f5f1d376c7d5
  SHA256:   e088ae318fc5f90e564010517437b26c697a7a5d96a9da35596207ca2cc251f9
  SHA512:   1a34297dcb9ef7d8178523863d48f7bfa2f1e1ae408029dceaacef3f8e592d1531d82911e0c468ae315ad8a003bcdc0a4dc4af1c1d23d8233cfd0c9ef84ff141
\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
  Filesize: 37KB
  MD5:      e80c189549c3c02c2848c731518b32d5
  SHA1:     eb6d0dffc42b1adf0c5e85540376f5f1d376c7d5
  SHA256:   e088ae318fc5f90e564010517437b26c697a7a5d96a9da35596207ca2cc251f9
  SHA512:   1a34297dcb9ef7d8178523863d48f7bfa2f1e1ae408029dceaacef3f8e592d1531d82911e0c468ae315ad8a003bcdc0a4dc4af1c1d23d8233cfd0c9ef84ff141

memory/924-64-0x0000000000000000-mapping.dmp

memory/924-66-0x0000000000C30000-0x0000000000C40000-memory.dmp
  Filesize: 64KB

memory/1424-59-0x0000000000000000-mapping.dmp

memory/1980-58-0x00000000711FD000-0x0000000071208000-memory.dmp
  Filesize: 44KB

memory/1980-57-0x00000000764D1000-0x00000000764D3000-memory.dmp
  Filesize: 8KB

memory/1980-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

memory/1980-54-0x0000000072791000-0x0000000072794000-memory.dmp
  Filesize: 12KB

memory/1980-55-0x0000000070211000-0x0000000070213000-memory.dmp
  Filesize: 8KB

memory/1980-68-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

memory/1980-69-0x00000000711FD000-0x0000000071208000-memory.dmp
  Filesize: 44KB