eternity | 350bf9acd23ff9f8d05bf694bc79e0f63097c847f3eeb065709d1184255ba6df

General

Target

17d7d98d93aff88246a9836b600a0966.docm
Size

69KB
MD5

17d7d98d93aff88246a9836b600a0966
SHA1

1ba489b334fc1c4906c4ffa6b93ba3422d99832c
SHA256

350bf9acd23ff9f8d05bf694bc79e0f63097c847f3eeb065709d1184255ba6df
SHA512

a32f061800aaa4149ae09998fdda17a5bcfb9a6b950b43c3c71e9fd7bd3c2948d91cb4ce7249a8e8d597ac3690d475e56646b917d7b92e2d76b3848faf178058
SSDEEP

1536:nXy14XbP2vRZsllUHipzm/TERc7Fpzkt7oCxBtix5:nXg4LPsKUCplREklrBt05

Score

10^/10

eternity clipper

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Wallets

3PyqR4JWaMnp9smk9xnr9DAYW4M6HcKRnV

qpmhdv2gekpscmrv4sqed2d6njcaxmkhjyrr0rjes4

0x3F508b9ED9FDb1B8A84957257Fa44DF3A9D4B1e6

0x8C0f9B8ec99f317976F703428aC2c66F5394F474

DCwDPtUXL2XHSowck7EVZi6ipwVMQk7VR6

TPxXfNnPVcrMAma1KobjmTt5wz5y8EueeK

ltc1qp64dmhcj990z349pd2hcdqgnqyguhgky4gdfdy

rDCP4X5gV7WdPv5THD5fduUeDpaijLoD2s

t1X6HZNtFz5MspayYmse65dNig4aeYaFVGr

GBVMKZZPPMQDBFPLBOAD6LXUZKPTINWSL43AO4LUMX4QLH7YCCIFVGTA

9WACN4w69kmQpjoh8AZamNBz3vVDsNKHKpJ7BcoeYCX4

53YQHFOKWJTORJ6PSMF37KL3TRAJGIAMG7LG5VQRQFOOAZHI6QMCUFTTPI

Signatures

Detects Eternity clipper 4 IoCs

clipper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe	eternity_clipper
\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe	eternity_clipper
C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe	eternity_clipper
behavioral1/memory/924-66-0x0000000000C30000-0x0000000000C40000-memory.dmp	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

certutil.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1424	1980	certutil.exe	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

y60fa476fe967f7bf8fdead3c133586ab6f94.exe

pid process

924 y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Loads dropped DLL 1 IoCs

Processes:

WINWORD.EXE

pid process

1980 WINWORD.EXE
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
924	y60fa476fe967f7bf8fdead3c133586ab6f94.exe

pid	process
1980	WINWORD.EXE

flow	ioc
4	ip-api.com

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXEy60fa476fe967f7bf8fdead3c133586ab6f94.exe

pid process

1980 WINWORD.EXE
924 y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

y60fa476fe967f7bf8fdead3c133586ab6f94.exe

description pid process

Token: SeDebugPrivilege 924 y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1980 WINWORD.EXE
1980 WINWORD.EXE

pid	process
1980	WINWORD.EXE
924	y60fa476fe967f7bf8fdead3c133586ab6f94.exe

description	pid	process
Token: SeDebugPrivilege	924	y60fa476fe967f7bf8fdead3c133586ab6f94.exe

pid	process
1980	WINWORD.EXE
1980	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1980 wrote to memory of 1424	1980	WINWORD.EXE	certutil.exe
PID 1980 wrote to memory of 1424	1980	WINWORD.EXE	certutil.exe
PID 1980 wrote to memory of 1424	1980	WINWORD.EXE	certutil.exe
PID 1980 wrote to memory of 1424	1980	WINWORD.EXE	certutil.exe
PID 1980 wrote to memory of 924	1980	WINWORD.EXE	y60fa476fe967f7bf8fdead3c133586ab6f94.exe
PID 1980 wrote to memory of 924	1980	WINWORD.EXE	y60fa476fe967f7bf8fdead3c133586ab6f94.exe
PID 1980 wrote to memory of 924	1980	WINWORD.EXE	y60fa476fe967f7bf8fdead3c133586ab6f94.exe
PID 1980 wrote to memory of 924	1980	WINWORD.EXE	y60fa476fe967f7bf8fdead3c133586ab6f94.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17d7d98d93aff88246a9836b600a0966.docm"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\Ne499c9b07b4bba5a929fd83b27c85868 C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
2⤵
- Process spawned unexpected child process
PID:1424

C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
"C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ne499c9b07b4bba5a929fd83b27c85868
Filesize
50KB

MD5
218b860af96baab0353d79acc1e1223d

SHA1
e9f3219ed9cbf9d119b144b49fca825855e206d7

SHA256
4811feb999aa02b1cf739698e898200ec7baae809caf2a250ef1be60a09abebc

SHA512
2cb1c10a1fb5a4156b521789d110f773d889ae947c18ba981a4ab0143f63dba3d9c8e38412a09ec470ce83c5320b832df49ac9568b8d10308c84fc66df30d48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Filesize
37KB

MD5
e80c189549c3c02c2848c731518b32d5

SHA1
eb6d0dffc42b1adf0c5e85540376f5f1d376c7d5

SHA256
e088ae318fc5f90e564010517437b26c697a7a5d96a9da35596207ca2cc251f9

SHA512
1a34297dcb9ef7d8178523863d48f7bfa2f1e1ae408029dceaacef3f8e592d1531d82911e0c468ae315ad8a003bcdc0a4dc4af1c1d23d8233cfd0c9ef84ff141

Download Submit
C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Filesize
37KB

MD5
e80c189549c3c02c2848c731518b32d5

SHA1
eb6d0dffc42b1adf0c5e85540376f5f1d376c7d5

SHA256
e088ae318fc5f90e564010517437b26c697a7a5d96a9da35596207ca2cc251f9

SHA512
1a34297dcb9ef7d8178523863d48f7bfa2f1e1ae408029dceaacef3f8e592d1531d82911e0c468ae315ad8a003bcdc0a4dc4af1c1d23d8233cfd0c9ef84ff141

Download Submit
\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Filesize
37KB

MD5
e80c189549c3c02c2848c731518b32d5

SHA1
eb6d0dffc42b1adf0c5e85540376f5f1d376c7d5

SHA256
e088ae318fc5f90e564010517437b26c697a7a5d96a9da35596207ca2cc251f9

SHA512
1a34297dcb9ef7d8178523863d48f7bfa2f1e1ae408029dceaacef3f8e592d1531d82911e0c468ae315ad8a003bcdc0a4dc4af1c1d23d8233cfd0c9ef84ff141

Download Submit
memory/924-64-0x0000000000000000-mapping.dmp

Download
memory/924-66-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/1424-59-0x0000000000000000-mapping.dmp

Download
memory/1980-58-0x00000000711FD000-0x0000000071208000-memory.dmp

Filesize
44KB

Download
memory/1980-57-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1980-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1980-54-0x0000000072791000-0x0000000072794000-memory.dmp

Filesize
12KB

Download
memory/1980-55-0x0000000070211000-0x0000000070213000-memory.dmp

Filesize
8KB

Download
memory/1980-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1980-69-0x00000000711FD000-0x0000000071208000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads