eternity | 350bf9acd23ff9f8d05bf694bc79e0f63097c847f3eeb065709d1184255ba6df

General

Target

17d7d98d93aff88246a9836b600a0966.docm
Size

69KB
MD5

17d7d98d93aff88246a9836b600a0966
SHA1

1ba489b334fc1c4906c4ffa6b93ba3422d99832c
SHA256

350bf9acd23ff9f8d05bf694bc79e0f63097c847f3eeb065709d1184255ba6df
SHA512

a32f061800aaa4149ae09998fdda17a5bcfb9a6b950b43c3c71e9fd7bd3c2948d91cb4ce7249a8e8d597ac3690d475e56646b917d7b92e2d76b3848faf178058
SSDEEP

1536:nXy14XbP2vRZsllUHipzm/TERc7Fpzkt7oCxBtix5:nXg4LPsKUCplREklrBt05

Score

10^/10

eternity clipper

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Wallets

3PyqR4JWaMnp9smk9xnr9DAYW4M6HcKRnV

qpmhdv2gekpscmrv4sqed2d6njcaxmkhjyrr0rjes4

0x3F508b9ED9FDb1B8A84957257Fa44DF3A9D4B1e6

0x8C0f9B8ec99f317976F703428aC2c66F5394F474

DCwDPtUXL2XHSowck7EVZi6ipwVMQk7VR6

TPxXfNnPVcrMAma1KobjmTt5wz5y8EueeK

ltc1qp64dmhcj990z349pd2hcdqgnqyguhgky4gdfdy

rDCP4X5gV7WdPv5THD5fduUeDpaijLoD2s

t1X6HZNtFz5MspayYmse65dNig4aeYaFVGr

GBVMKZZPPMQDBFPLBOAD6LXUZKPTINWSL43AO4LUMX4QLH7YCCIFVGTA

9WACN4w69kmQpjoh8AZamNBz3vVDsNKHKpJ7BcoeYCX4

53YQHFOKWJTORJ6PSMF37KL3TRAJGIAMG7LG5VQRQFOOAZHI6QMCUFTTPI

Signatures

Detects Eternity clipper 3 IoCs

clipper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe	eternity_clipper
C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe	eternity_clipper
behavioral2/memory/1888-144-0x0000000000AC0000-0x0000000000AD0000-memory.dmp	eternity_clipper

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

certutil.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1432	3796	certutil.exe	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

y60fa476fe967f7bf8fdead3c133586ab6f94.exe

pid process

1888 y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 ip-api.com

pid	process
1888	y60fa476fe967f7bf8fdead3c133586ab6f94.exe

flow	ioc
33	ip-api.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEy60fa476fe967f7bf8fdead3c133586ab6f94.exe

pid process

3796 WINWORD.EXE
3796 WINWORD.EXE
1888 y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

y60fa476fe967f7bf8fdead3c133586ab6f94.exe

description pid process

Token: SeDebugPrivilege 1888 y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

3796 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

3796 WINWORD.EXE
3796 WINWORD.EXE
3796 WINWORD.EXE
3796 WINWORD.EXE

pid	process
3796	WINWORD.EXE
3796	WINWORD.EXE
1888	y60fa476fe967f7bf8fdead3c133586ab6f94.exe

description	pid	process
Token: SeDebugPrivilege	1888	y60fa476fe967f7bf8fdead3c133586ab6f94.exe

pid	process
3796	WINWORD.EXE

pid	process
3796	WINWORD.EXE
3796	WINWORD.EXE
3796	WINWORD.EXE
3796	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3796 wrote to memory of 1432	3796	WINWORD.EXE	certutil.exe
PID 3796 wrote to memory of 1432	3796	WINWORD.EXE	certutil.exe
PID 3796 wrote to memory of 1888	3796	WINWORD.EXE	y60fa476fe967f7bf8fdead3c133586ab6f94.exe
PID 3796 wrote to memory of 1888	3796	WINWORD.EXE	y60fa476fe967f7bf8fdead3c133586ab6f94.exe
PID 3796 wrote to memory of 1888	3796	WINWORD.EXE	y60fa476fe967f7bf8fdead3c133586ab6f94.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17d7d98d93aff88246a9836b600a0966.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\Ne499c9b07b4bba5a929fd83b27c85868 C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
2⤵
- Process spawned unexpected child process
PID:1432

C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
"C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ne499c9b07b4bba5a929fd83b27c85868
Filesize
50KB

MD5
218b860af96baab0353d79acc1e1223d

SHA1
e9f3219ed9cbf9d119b144b49fca825855e206d7

SHA256
4811feb999aa02b1cf739698e898200ec7baae809caf2a250ef1be60a09abebc

SHA512
2cb1c10a1fb5a4156b521789d110f773d889ae947c18ba981a4ab0143f63dba3d9c8e38412a09ec470ce83c5320b832df49ac9568b8d10308c84fc66df30d48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Filesize
37KB

MD5
e80c189549c3c02c2848c731518b32d5

SHA1
eb6d0dffc42b1adf0c5e85540376f5f1d376c7d5

SHA256
e088ae318fc5f90e564010517437b26c697a7a5d96a9da35596207ca2cc251f9

SHA512
1a34297dcb9ef7d8178523863d48f7bfa2f1e1ae408029dceaacef3f8e592d1531d82911e0c468ae315ad8a003bcdc0a4dc4af1c1d23d8233cfd0c9ef84ff141

Download Submit
C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Filesize
37KB

MD5
e80c189549c3c02c2848c731518b32d5

SHA1
eb6d0dffc42b1adf0c5e85540376f5f1d376c7d5

SHA256
e088ae318fc5f90e564010517437b26c697a7a5d96a9da35596207ca2cc251f9

SHA512
1a34297dcb9ef7d8178523863d48f7bfa2f1e1ae408029dceaacef3f8e592d1531d82911e0c468ae315ad8a003bcdc0a4dc4af1c1d23d8233cfd0c9ef84ff141

Download Submit
memory/1432-139-0x0000000000000000-mapping.dmp

Download
memory/1888-147-0x0000000006EB0000-0x0000000006EBA000-memory.dmp

Filesize
40KB

Download
memory/1888-142-0x0000000000000000-mapping.dmp

Download
memory/1888-146-0x00000000064B0000-0x0000000006542000-memory.dmp

Filesize
584KB

Download
memory/1888-145-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/1888-144-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/3796-135-0x00007FFD55B10000-0x00007FFD55B20000-memory.dmp

Filesize
64KB

Download
memory/3796-134-0x00007FFD55B10000-0x00007FFD55B20000-memory.dmp

Filesize
64KB

Download
memory/3796-133-0x00007FFD55B10000-0x00007FFD55B20000-memory.dmp

Filesize
64KB

Download
memory/3796-137-0x00007FFD531B0000-0x00007FFD531C0000-memory.dmp

Filesize
64KB

Download
memory/3796-136-0x00007FFD55B10000-0x00007FFD55B20000-memory.dmp

Filesize
64KB

Download
memory/3796-138-0x00007FFD531B0000-0x00007FFD531C0000-memory.dmp

Filesize
64KB

Download
memory/3796-132-0x00007FFD55B10000-0x00007FFD55B20000-memory.dmp

Filesize
64KB

Download
memory/3796-149-0x00007FFD55B10000-0x00007FFD55B20000-memory.dmp

Filesize
64KB

Download
memory/3796-150-0x00007FFD55B10000-0x00007FFD55B20000-memory.dmp

Filesize
64KB

Download
memory/3796-151-0x00007FFD55B10000-0x00007FFD55B20000-memory.dmp

Filesize
64KB

Download
memory/3796-152-0x00007FFD55B10000-0x00007FFD55B20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads