eternity | 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4

General

Target

0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe
Size

1.5MB
MD5

a3556fe22b3cadaea5bad8d67b63e16a
SHA1

d8442ca998329eafbf7419a6126443195948d0ea
SHA256

0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4
SHA512

0cee4e20c9f57747f0436ca2bd2f7eec43fba27200c7d62c8303e0d248d87566df377568d68dd4ca7640a2f5a03702b7b4f17bd5984933fc926327889072c06c

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

C2

http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion

Attributes

payload_urls
http://soapbeginshops.com/kingz.exe

http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/shared/telegram.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

GLTYDMDUST.exe

pid process

1116 GLTYDMDUST.exe
Loads dropped DLL 1 IoCs

Processes:

0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe

pid process

1852 0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GLTYDMDUST.exe

description pid process

Token: SeDebugPrivilege 1116 GLTYDMDUST.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1484 AcroRd32.exe
1484 AcroRd32.exe
1484 AcroRd32.exe

pid	process
1116	GLTYDMDUST.exe

pid	process
1852	0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe

description	pid	process
Token: SeDebugPrivilege	1116	GLTYDMDUST.exe

pid	process
1484	AcroRd32.exe
1484	AcroRd32.exe
1484	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe

description	pid	process	target process
PID 1852 wrote to memory of 1484	1852	0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe	AcroRd32.exe
PID 1852 wrote to memory of 1484	1852	0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe	AcroRd32.exe
PID 1852 wrote to memory of 1484	1852	0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe	AcroRd32.exe
PID 1852 wrote to memory of 1484	1852	0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe	AcroRd32.exe
PID 1852 wrote to memory of 1116	1852	0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe	GLTYDMDUST.exe
PID 1852 wrote to memory of 1116	1852	0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe	GLTYDMDUST.exe
PID 1852 wrote to memory of 1116	1852	0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe	GLTYDMDUST.exe
PID 1852 wrote to memory of 1116	1852	0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe	GLTYDMDUST.exe

C:\Users\Admin\AppData\Local\Temp\0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe
"C:\Users\Admin\AppData\Local\Temp\0a6e2af27039d17fc07f815b64fe9279b14d8d051902eb588807433cd9d272e4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.pdf"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.exe
  "C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.exe

Filesize
1.3MB

MD5
6b2cc742a70103fb88177699844efe65

SHA1
cf293bf98f40f75b3b3067cbc1949527bf80f107

SHA256
ca69bdf49dcd67c38d04867609ee4bb0fd48589a4adba56323bb714e1a195947

SHA512
f560eabb29d0c63a9d3cf4484e70825c4a1ed231e345d58bb10e59931b419f38ba38d76389eb515055ebea3e7eacdf58caf8d54a1e47a9d779ac4832759a1201

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.exe

Filesize
1.3MB

MD5
6b2cc742a70103fb88177699844efe65

SHA1
cf293bf98f40f75b3b3067cbc1949527bf80f107

SHA256
ca69bdf49dcd67c38d04867609ee4bb0fd48589a4adba56323bb714e1a195947

SHA512
f560eabb29d0c63a9d3cf4484e70825c4a1ed231e345d58bb10e59931b419f38ba38d76389eb515055ebea3e7eacdf58caf8d54a1e47a9d779ac4832759a1201

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLTYDMDUST.pdf

Filesize
1KB

MD5
ca404bea65d84f58838af73b2dc67e02

SHA1
56ede3a3bf70705b1d42a2ae13f6605057c1e5f6

SHA256
4a28c898df5967827c26fd633cd56275159ef4c4c0193e484e8e8f3e9ecc66b9

SHA512
10c144317cdb5a368733346eb8440a986a377916f98be0e8232e668a8c5e107e06829adf575751b94d0b0aa37f4cac48dbd7bc64ffe8dcb140fb033c00cec721

Download Submit
\Users\Admin\AppData\Local\Temp\GLTYDMDUST.exe

Filesize
1.3MB

MD5
6b2cc742a70103fb88177699844efe65

SHA1
cf293bf98f40f75b3b3067cbc1949527bf80f107

SHA256
ca69bdf49dcd67c38d04867609ee4bb0fd48589a4adba56323bb714e1a195947

SHA512
f560eabb29d0c63a9d3cf4484e70825c4a1ed231e345d58bb10e59931b419f38ba38d76389eb515055ebea3e7eacdf58caf8d54a1e47a9d779ac4832759a1201

Download Submit
memory/1116-77-0x000000006D571000-0x000000006D573000-memory.dmp

Filesize
8KB

Download
memory/1116-79-0x0000000072530000-0x00000000738BF000-memory.dmp

Filesize
19.6MB

Download
memory/1116-85-0x000000006D570000-0x000000006D63F000-memory.dmp

Filesize
828KB

Download
memory/1116-61-0x0000000000000000-mapping.dmp

Download
memory/1116-84-0x0000000073AC0000-0x00000000742A0000-memory.dmp

Filesize
7.9MB

Download
memory/1116-64-0x00000000013B0000-0x000000000150A000-memory.dmp

Filesize
1.4MB

Download
memory/1116-83-0x0000000071B20000-0x0000000072530000-memory.dmp

Filesize
10.1MB

Download
memory/1116-82-0x0000000072530000-0x00000000738BF000-memory.dmp

Filesize
19.6MB

Download
memory/1116-67-0x000000006EF80000-0x000000006F114000-memory.dmp

Filesize
1.6MB

Download
memory/1116-70-0x0000000073AC0000-0x00000000742A0000-memory.dmp

Filesize
7.9MB

Download
memory/1116-81-0x0000000005E70000-0x0000000005FBA000-memory.dmp

Filesize
1.3MB

Download
memory/1116-80-0x0000000071B20000-0x0000000072530000-memory.dmp

Filesize
10.1MB

Download
memory/1116-72-0x000000006DA20000-0x000000006E15E000-memory.dmp

Filesize
7.2MB

Download
memory/1116-73-0x0000000072530000-0x00000000738BF000-memory.dmp

Filesize
19.6MB

Download
memory/1116-74-0x0000000071B20000-0x0000000072530000-memory.dmp

Filesize
10.1MB

Download
memory/1116-75-0x000000006E260000-0x000000006EF7D000-memory.dmp

Filesize
13.1MB

Download
memory/1116-76-0x000000006E160000-0x000000006E25C000-memory.dmp

Filesize
1008KB

Download
memory/1116-78-0x000000006EF80000-0x000000006F114000-memory.dmp

Filesize
1.6MB

Download
memory/1484-56-0x0000000000000000-mapping.dmp

Download
memory/1852-54-0x0000000000360000-0x00000000004E0000-memory.dmp

Filesize
1.5MB

Download
memory/1852-59-0x0000000072530000-0x00000000738BF000-memory.dmp

Filesize
19.6MB

Download
memory/1852-71-0x0000000071B20000-0x0000000072530000-memory.dmp

Filesize
10.1MB

Download
memory/1852-69-0x0000000073AC0000-0x00000000742A0000-memory.dmp

Filesize
7.9MB

Download
memory/1852-66-0x0000000071B20000-0x0000000072530000-memory.dmp

Filesize
10.1MB

Download
memory/1852-65-0x0000000072530000-0x00000000738BF000-memory.dmp

Filesize
19.6MB

Download
memory/1852-55-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing