eternity | 07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed

General

Target

07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe
Size

1.4MB
MD5

f9239135c900503cbb97d33146afe019
SHA1

dac78606808613f8c1d7274c0b56c93759cc56ee
SHA256

07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed
SHA512

94543d890ff45a9f2b642f0220b7b14dfbf7ab4a6d9315270a35823669ee7477e48296247417f57032aa985cfede0f654c44f2c76f1f43aeeae8ef0594d33126

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

C2

http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion

Attributes

payload_urls
http://soapbeginshops.com/kingz.exe

http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/shared/telegram.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

GAOBCVIQIJ.exe

pid process

936 GAOBCVIQIJ.exe
Loads dropped DLL 1 IoCs

Processes:

07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe

pid process

1452 07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GAOBCVIQIJ.exe

description pid process

Token: SeDebugPrivilege 936 GAOBCVIQIJ.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1696 DllHost.exe

pid	process
936	GAOBCVIQIJ.exe

pid	process
1452	07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe

description	pid	process
Token: SeDebugPrivilege	936	GAOBCVIQIJ.exe

pid	process
1696	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe

description	pid	process	target process
PID 1452 wrote to memory of 936	1452	07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe	GAOBCVIQIJ.exe
PID 1452 wrote to memory of 936	1452	07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe	GAOBCVIQIJ.exe
PID 1452 wrote to memory of 936	1452	07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe	GAOBCVIQIJ.exe
PID 1452 wrote to memory of 936	1452	07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe	GAOBCVIQIJ.exe

C:\Users\Admin\AppData\Local\Temp\07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe
"C:\Users\Admin\AppData\Local\Temp\07ad17755db73a41a93d25bb227e412e062721a60b0541f3510ac7cbd57aa3ed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\GAOBCVIQIJ.exe
  "C:\Users\Admin\AppData\Local\Temp\GAOBCVIQIJ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:936

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GAOBCVIQIJ.exe

Filesize
1.3MB

MD5
a5cb23b8b71b2eec6cf53c89a166d1ca

SHA1
954152dabcfebfd04143c97eb814ffdcf9f622da

SHA256
22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3

SHA512
6281739cce2da2ddafcc2167d9f56067ee2650411d17fb30765afec33bf052e7ddc3bca62fd7328e694a0f7c0c1f316ecdade1e07f15296a185b972acc81b030

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAOBCVIQIJ.exe

Filesize
1.3MB

MD5
a5cb23b8b71b2eec6cf53c89a166d1ca

SHA1
954152dabcfebfd04143c97eb814ffdcf9f622da

SHA256
22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3

SHA512
6281739cce2da2ddafcc2167d9f56067ee2650411d17fb30765afec33bf052e7ddc3bca62fd7328e694a0f7c0c1f316ecdade1e07f15296a185b972acc81b030

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAOBCVIQIJ.png

Filesize
1KB

MD5
18a3248dc9c539ccd2c8419d200f1c4d

SHA1
3b2cee87f3426c4a08959e9861d274663420215c

SHA256
27d6bab3ffa19534ff008bdbc5ff07be94ba08c909222d5ad4802c4c9e10153e

SHA512
f8176c814016d4962693a55a84d2bcc26ee01de822e76b3d3a6b0add48382f8d76b5576742bbcad16a7779c602b435150c0ebdde1b1ecbffd6702ecefe87133b

Download Submit
\Users\Admin\AppData\Local\Temp\GAOBCVIQIJ.exe

Filesize
1.3MB

MD5
a5cb23b8b71b2eec6cf53c89a166d1ca

SHA1
954152dabcfebfd04143c97eb814ffdcf9f622da

SHA256
22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3

SHA512
6281739cce2da2ddafcc2167d9f56067ee2650411d17fb30765afec33bf052e7ddc3bca62fd7328e694a0f7c0c1f316ecdade1e07f15296a185b972acc81b030

Download Submit
memory/936-72-0x000000006F9A0000-0x00000000700DE000-memory.dmp

Filesize
7.2MB

Download
memory/936-79-0x00000000723A0000-0x000000007372F000-memory.dmp

Filesize
19.6MB

Download
memory/936-87-0x0000000073BE0000-0x00000000743C0000-memory.dmp

Filesize
7.9MB

Download
memory/936-62-0x00000000011A0000-0x00000000012FA000-memory.dmp

Filesize
1.4MB

Download
memory/936-86-0x0000000071990000-0x00000000723A0000-memory.dmp

Filesize
10.1MB

Download
memory/936-85-0x00000000723A0000-0x000000007372F000-memory.dmp

Filesize
19.6MB

Download
memory/936-84-0x0000000070F00000-0x0000000071094000-memory.dmp

Filesize
1.6MB

Download
memory/936-83-0x0000000000BA0000-0x0000000000BBA000-memory.dmp

Filesize
104KB

Download
memory/936-82-0x00000000061F0000-0x0000000006312000-memory.dmp

Filesize
1.1MB

Download
memory/936-69-0x0000000071990000-0x00000000723A0000-memory.dmp

Filesize
10.1MB

Download
memory/936-70-0x0000000073BE0000-0x00000000743C0000-memory.dmp

Filesize
7.9MB

Download
memory/936-71-0x00000000700E0000-0x00000000701DC000-memory.dmp

Filesize
1008KB

Download
memory/936-81-0x0000000005DF0000-0x0000000005F3A000-memory.dmp

Filesize
1.3MB

Download
memory/936-73-0x0000000070F00000-0x0000000071094000-memory.dmp

Filesize
1.6MB

Download
memory/936-74-0x00000000723A0000-0x000000007372F000-memory.dmp

Filesize
19.6MB

Download
memory/936-75-0x00000000701E0000-0x0000000070EFD000-memory.dmp

Filesize
13.1MB

Download
memory/936-76-0x000000006F161000-0x000000006F163000-memory.dmp

Filesize
8KB

Download
memory/936-80-0x000000006F370000-0x000000006F43F000-memory.dmp

Filesize
828KB

Download
memory/936-78-0x0000000071990000-0x00000000723A0000-memory.dmp

Filesize
10.1MB

Download
memory/936-59-0x0000000000000000-mapping.dmp

Download
memory/1452-77-0x0000000073BE0000-0x00000000743C0000-memory.dmp

Filesize
7.9MB

Download
memory/1452-54-0x0000000000DE0000-0x0000000000F44000-memory.dmp

Filesize
1.4MB

Download
memory/1452-67-0x0000000073BE0000-0x00000000743C0000-memory.dmp

Filesize
7.9MB

Download
memory/1452-55-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1452-65-0x0000000071990000-0x00000000723A0000-memory.dmp

Filesize
10.1MB

Download
memory/1452-64-0x00000000723A0000-0x000000007372F000-memory.dmp

Filesize
19.6MB

Download
memory/1452-57-0x00000000723A0000-0x000000007372F000-memory.dmp

Filesize
19.6MB

Download
memory/1452-63-0x0000000071990000-0x00000000723A0000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing