eternity | 002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-05-2022 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe
Size

1.3MB
MD5

57d27e1d68368a93633d6ea1162a50b6
SHA1

2b69f4f6e52fb85589508e711161adc7c79da469
SHA256

002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f
SHA512

adbd3f6bec1aed98fe4f911b57eb3fdeb4872ce7908aae752db8c3aa467016a340edc1e503522e3396adad73adb65c06b0e6f96faba6a425fcb75e34e77113e7

Score

10^/10

eternity spyware stealer worm

Malware Config

Signatures

Detects Eternity worm 13 IoCs

worm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.exe	eternity_worm
\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.exe	eternity_worm
C:\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.exe	eternity_worm
behavioral1/memory/1676-62-0x0000000001320000-0x0000000001476000-memory.dmp	eternity_worm
\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe	eternity_worm
C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe	eternity_worm
C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe	eternity_worm
behavioral1/memory/1044-73-0x0000000000880000-0x00000000009D6000-memory.dmp	eternity_worm
C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe	eternity_worm
C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe	eternity_worm
behavioral1/memory/1420-79-0x00000000003C0000-0x0000000000516000-memory.dmp	eternity_worm
C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe	eternity_worm
behavioral1/memory/1936-83-0x00000000003D0000-0x0000000000526000-memory.dmp	eternity_worm

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 5 IoCs

Processes:

DVWHKMNFNN.exeDVWHKMNFNN.exeDVWHKMNFNN.exeDVWHKMNFNN.exeDVWHKMNFNN.exe

pid process

1676 DVWHKMNFNN.exe
1044 DVWHKMNFNN.exe
1884 DVWHKMNFNN.exe
1420 DVWHKMNFNN.exe
1936 DVWHKMNFNN.exe
Loads dropped DLL 2 IoCs

Processes:

002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.execmd.exe

pid process

1464 002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe
1284 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

780 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1616 PING.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DVWHKMNFNN.exeDVWHKMNFNN.exeDVWHKMNFNN.exe

description pid process

Token: SeDebugPrivilege 1044 DVWHKMNFNN.exe
Token: SeDebugPrivilege 1420 DVWHKMNFNN.exe
Token: SeDebugPrivilege 1936 DVWHKMNFNN.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

940 AcroRd32.exe
940 AcroRd32.exe
940 AcroRd32.exe

pid	process
1676	DVWHKMNFNN.exe
1044	DVWHKMNFNN.exe
1884	DVWHKMNFNN.exe
1420	DVWHKMNFNN.exe
1936	DVWHKMNFNN.exe

pid	process
1464	002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe
1284	cmd.exe

pid	process
780	schtasks.exe

pid	process
1616	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1044	DVWHKMNFNN.exe
Token: SeDebugPrivilege	1420	DVWHKMNFNN.exe
Token: SeDebugPrivilege	1936	DVWHKMNFNN.exe

pid	process
940	AcroRd32.exe
940	AcroRd32.exe
940	AcroRd32.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exeDVWHKMNFNN.execmd.exetaskeng.exe

description	pid	process	target process
PID 1464 wrote to memory of 940	1464	002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe	AcroRd32.exe
PID 1464 wrote to memory of 940	1464	002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe	AcroRd32.exe
PID 1464 wrote to memory of 940	1464	002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe	AcroRd32.exe
PID 1464 wrote to memory of 940	1464	002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe	AcroRd32.exe
PID 1464 wrote to memory of 1676	1464	002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe	DVWHKMNFNN.exe
PID 1464 wrote to memory of 1676	1464	002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe	DVWHKMNFNN.exe
PID 1464 wrote to memory of 1676	1464	002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe	DVWHKMNFNN.exe
PID 1464 wrote to memory of 1676	1464	002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe	DVWHKMNFNN.exe
PID 1676 wrote to memory of 1284	1676	DVWHKMNFNN.exe	cmd.exe
PID 1676 wrote to memory of 1284	1676	DVWHKMNFNN.exe	cmd.exe
PID 1676 wrote to memory of 1284	1676	DVWHKMNFNN.exe	cmd.exe
PID 1676 wrote to memory of 1284	1676	DVWHKMNFNN.exe	cmd.exe
PID 1284 wrote to memory of 568	1284	cmd.exe	chcp.com
PID 1284 wrote to memory of 568	1284	cmd.exe	chcp.com
PID 1284 wrote to memory of 568	1284	cmd.exe	chcp.com
PID 1284 wrote to memory of 568	1284	cmd.exe	chcp.com
PID 1284 wrote to memory of 1616	1284	cmd.exe	PING.EXE
PID 1284 wrote to memory of 1616	1284	cmd.exe	PING.EXE
PID 1284 wrote to memory of 1616	1284	cmd.exe	PING.EXE
PID 1284 wrote to memory of 1616	1284	cmd.exe	PING.EXE
PID 1284 wrote to memory of 780	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 780	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 780	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 780	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 1044	1284	cmd.exe	DVWHKMNFNN.exe
PID 1284 wrote to memory of 1044	1284	cmd.exe	DVWHKMNFNN.exe
PID 1284 wrote to memory of 1044	1284	cmd.exe	DVWHKMNFNN.exe
PID 1284 wrote to memory of 1044	1284	cmd.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1884	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1884	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1884	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1884	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1420	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1420	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1420	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1420	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1936	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1936	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1936	1180	taskeng.exe	DVWHKMNFNN.exe
PID 1180 wrote to memory of 1936	1180	taskeng.exe	DVWHKMNFNN.exe

C:\Users\Admin\AppData\Local\Temp\002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe
"C:\Users\Admin\AppData\Local\Temp\002f33f2dc005b1f1162b27707aa2877c9d11b2e118ed0b82c711ee2e4491c1f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.pdf"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:940
- C:\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.exe
  "C:\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "DVWHKMNFNN" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1616
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "DVWHKMNFNN" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:780
  - - C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1044

C:\Windows\system32\taskeng.exe
taskeng.exe {C80FBD0F-C53D-4C72-925A-5D4C18AA2BCE} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe
  C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe
  C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe
  C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.pdf

Filesize
1KB

MD5
c9386bc43bf8fa274422eb8ac6bae1a9

SHA1
2cbde59ada19f0389a4c482667ec370d68f51049

SHA256
f0cc9b94627f910f2a6307d911b1ddd7d1db69bad6068ef3331549f3a0877446

SHA512
7aaca07e8a4b34e0f75b16b6f30686ac3fb2d5cbdad92e5934819f969baff59385fb8f997334313ea5938fd955d6175c4548d6b1f915d652d9d9201c9418ef83

Download Submit
\Users\Admin\AppData\Local\ServiceHub\DVWHKMNFNN.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
\Users\Admin\AppData\Local\Temp\DVWHKMNFNN.exe

Filesize
1.3MB

MD5
c8d852fb1561658cae72fa498777bfbd

SHA1
ea689804b69e9e7611059d11eff2fdadd656e6fb

SHA256
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5

SHA512
7b7df94405cb28d26993eaf1e18cec5ab2b695ae280d4c31c65c80ce19a87a3ac6187c259fa3ae8339a2c33f64c6448655b2e02c74f90ff19284f4c92485a13a

Download Submit
memory/568-65-0x0000000000000000-mapping.dmp

Download
memory/780-68-0x0000000000000000-mapping.dmp

Download
memory/940-56-0x0000000000000000-mapping.dmp

Download
memory/1044-71-0x0000000000000000-mapping.dmp

Download
memory/1044-73-0x0000000000880000-0x00000000009D6000-memory.dmp

Filesize
1.3MB

Download
memory/1284-64-0x0000000000000000-mapping.dmp

Download
memory/1420-79-0x00000000003C0000-0x0000000000516000-memory.dmp

Filesize
1.3MB

Download
memory/1420-77-0x0000000000000000-mapping.dmp

Download
memory/1464-54-0x0000000001060000-0x00000000011BC000-memory.dmp

Filesize
1.4MB

Download
memory/1464-55-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download
memory/1616-66-0x0000000000000000-mapping.dmp

Download
memory/1676-62-0x0000000001320000-0x0000000001476000-memory.dmp

Filesize
1.3MB

Download
memory/1676-59-0x0000000000000000-mapping.dmp

Download
memory/1884-75-0x0000000000000000-mapping.dmp

Download
memory/1936-81-0x0000000000000000-mapping.dmp

Download
memory/1936-83-0x00000000003D0000-0x0000000000526000-memory.dmp

Filesize
1.3MB

Download