Analysis
- max time kernel: 178s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-11-2022 21:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: 17d7d98d93aff88246a9836b600a0966.docm
- Resource: win7-20220812-en
General
- Target: 17d7d98d93aff88246a9836b600a0966.docm
- Size: 69KB
- MD5: 17d7d98d93aff88246a9836b600a0966
- SHA1: 1ba489b334fc1c4906c4ffa6b93ba3422d99832c
- SHA256: 350bf9acd23ff9f8d05bf694bc79e0f63097c847f3eeb065709d1184255ba6df
- SHA512: a32f061800aaa4149ae09998fdda17a5bcfb9a6b950b43c3c71e9fd7bd3c2948d91cb4ce7249a8e8d597ac3690d475e56646b917d7b92e2d76b3848faf178058
- SSDEEP: 1536:nXy14XbP2vRZsllUHipzm/TERc7Fpzkt7oCxBtix5:nXg4LPsKUCplREklrBt05
Malware Config
Extracted
eternity
Signatures
-
Detects Eternity clipper (3 IoCs)
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe: eternity_clipper
- C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe: eternity_clipper
- behavioral2/memory/1888-144-0x0000000000AC0000-0x0000000000AD0000-memory.dmp: eternity_clipper
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process, target process):
- Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process: pid 1432, pid_target 3796, process certutil.exe, target process WINWORD.EXE
Executes dropped EXE (1 IoC)
Processes (pid, process):
- 1888 y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 33: ip-api.com
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (3 IoCs)
Processes (pid, process):
- 3796 WINWORD.EXE
- 3796 WINWORD.EXE
- 1888 y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1888 y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
- 3796 WINWORD.EXE
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid, process):
- 3796 WINWORD.EXE
- 3796 WINWORD.EXE
- 3796 WINWORD.EXE
- 3796 WINWORD.EXE
Suspicious use of WriteProcessMemory (5 IoCs)
Processes (description, pid, process, target process):
- PID 3796 wrote to memory of 1432: 3796 WINWORD.EXE -> certutil.exe
- PID 3796 wrote to memory of 1432: 3796 WINWORD.EXE -> certutil.exe
- PID 3796 wrote to memory of 1888: 3796 WINWORD.EXE -> y60fa476fe967f7bf8fdead3c133586ab6f94.exe
- PID 3796 wrote to memory of 1888: 3796 WINWORD.EXE -> y60fa476fe967f7bf8fdead3c133586ab6f94.exe
- PID 3796 wrote to memory of 1888: 3796 WINWORD.EXE -> y60fa476fe967f7bf8fdead3c133586ab6f94.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3796)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17d7d98d93aff88246a9836b600a0966.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\certutil.exe (PID 1432, child of WINWORD.EXE)
    Command line: "C:\Windows\System32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\Ne499c9b07b4bba5a929fd83b27c85868 C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
    - Process spawned unexpected child process
  - C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe (PID 1888, child of WINWORD.EXE)
    Command line: "C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe"
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\Ne499c9b07b4bba5a929fd83b27c85868
  Filesize: 50KB
  MD5: 218b860af96baab0353d79acc1e1223d
  SHA1: e9f3219ed9cbf9d119b144b49fca825855e206d7
  SHA256: 4811feb999aa02b1cf739698e898200ec7baae809caf2a250ef1be60a09abebc
  SHA512: 2cb1c10a1fb5a4156b521789d110f773d889ae947c18ba981a4ab0143f63dba3d9c8e38412a09ec470ce83c5320b832df49ac9568b8d10308c84fc66df30d48a
- C:\Users\Admin\AppData\Local\Temp\y60fa476fe967f7bf8fdead3c133586ab6f94.exe
  Filesize: 37KB
  MD5: e80c189549c3c02c2848c731518b32d5
  SHA1: eb6d0dffc42b1adf0c5e85540376f5f1d376c7d5
  SHA256: e088ae318fc5f90e564010517437b26c697a7a5d96a9da35596207ca2cc251f9
  SHA512: 1a34297dcb9ef7d8178523863d48f7bfa2f1e1ae408029dceaacef3f8e592d1531d82911e0c468ae315ad8a003bcdc0a4dc4af1c1d23d8233cfd0c9ef84ff141