eternity | 032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b

General

Target

032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b.exe
Size

1.4MB
MD5

90874ebf82d294580f7e47427bccb738
SHA1

00fa1a1c93da4f85b2d8cffe39e9ccbcd90d9256
SHA256

032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b
SHA512

ec5af911b1f5be0ad2b8a10182eac760bafafb5f073ed3aa253f0298059bd9f7357745b0c9c8ab6838b65d7ad6d60d3ffc04e79076d33bf0ffadaeaa127ef56b

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

C2

http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion

Attributes

payload_urls
http://soapbeginshops.com/kingz.exe

http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/shared/telegram.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

EOWRVPQCCS.exe

pid	Process
1856	EOWRVPQCCS.exe

Loads dropped DLL 1 IoCs

Processes:

032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b.exe

pid	Process
1700	032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EOWRVPQCCS.exe

description	pid	Process
Token: SeDebugPrivilege	1856	EOWRVPQCCS.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid	Process
1808	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b.exe

description	pid	Process	procid_target
PID 1700 wrote to memory of 1856	1700	032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b.exe	28
PID 1700 wrote to memory of 1856	1700	032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b.exe	28
PID 1700 wrote to memory of 1856	1700	032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b.exe	28
PID 1700 wrote to memory of 1856	1700	032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b.exe	28

C:\Users\Admin\AppData\Local\Temp\032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b.exe
"C:\Users\Admin\AppData\Local\Temp\032911e0a222a0e4862c2aa023ec29907ea7fe8228b78fb36afafe991d61436b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\EOWRVPQCCS.exe
  "C:\Users\Admin\AppData\Local\Temp\EOWRVPQCCS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1856

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EOWRVPQCCS.exe

Filesize
1.3MB

MD5
a5cb23b8b71b2eec6cf53c89a166d1ca

SHA1
954152dabcfebfd04143c97eb814ffdcf9f622da

SHA256
22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3

SHA512
6281739cce2da2ddafcc2167d9f56067ee2650411d17fb30765afec33bf052e7ddc3bca62fd7328e694a0f7c0c1f316ecdade1e07f15296a185b972acc81b030

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOWRVPQCCS.exe

Filesize
1.3MB

MD5
a5cb23b8b71b2eec6cf53c89a166d1ca

SHA1
954152dabcfebfd04143c97eb814ffdcf9f622da

SHA256
22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3

SHA512
6281739cce2da2ddafcc2167d9f56067ee2650411d17fb30765afec33bf052e7ddc3bca62fd7328e694a0f7c0c1f316ecdade1e07f15296a185b972acc81b030

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOWRVPQCCS.png

Filesize
1KB

MD5
dd71b9c0322ad45992e56a9bce43fe82

SHA1
60945b6bc3027451a2e1cfa29d263a994f50e91a

SHA256
19ac62fd471e562088365029f7b0672623511cf3e58f2ef6de1a15c14a2e94e7

SHA512
86ea2b42feb542977fcf534b4708f7a07e09f4acc413307e660b905408bc4aa9e26c50e907fa02379ea3ebfd18c532cc9dc269b6ea5994e3290082e429caae03

Download Submit
\Users\Admin\AppData\Local\Temp\EOWRVPQCCS.exe

Filesize
1.3MB

MD5
a5cb23b8b71b2eec6cf53c89a166d1ca

SHA1
954152dabcfebfd04143c97eb814ffdcf9f622da

SHA256
22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3

SHA512
6281739cce2da2ddafcc2167d9f56067ee2650411d17fb30765afec33bf052e7ddc3bca62fd7328e694a0f7c0c1f316ecdade1e07f15296a185b972acc81b030

Download Submit
memory/1700-67-0x0000000071620000-0x0000000071E00000-memory.dmp

Filesize
7.9MB

Download
memory/1700-54-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/1700-57-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1700-63-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1700-55-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1700-64-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1700-68-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1856-59-0x0000000000000000-mapping.dmp

Download
memory/1856-78-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1856-69-0x0000000071120000-0x00000000712B4000-memory.dmp

Filesize
1.6MB

Download
memory/1856-70-0x0000000070300000-0x00000000703FC000-memory.dmp

Filesize
1008KB

Download
memory/1856-71-0x000000006FBC0000-0x00000000702FE000-memory.dmp

Filesize
7.2MB

Download
memory/1856-87-0x0000000071620000-0x0000000071E00000-memory.dmp

Filesize
7.9MB

Download
memory/1856-62-0x0000000000E50000-0x0000000000FAA000-memory.dmp

Filesize
1.4MB

Download
memory/1856-74-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1856-75-0x0000000070400000-0x000000007111D000-memory.dmp

Filesize
13.1MB

Download
memory/1856-76-0x000000006F421000-0x000000006F423000-memory.dmp

Filesize
8KB

Download
memory/1856-77-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1856-66-0x0000000071620000-0x0000000071E00000-memory.dmp

Filesize
7.9MB

Download
memory/1856-80-0x000000006F630000-0x000000006F6FF000-memory.dmp

Filesize
828KB

Download
memory/1856-79-0x0000000005FD0000-0x000000000611A000-memory.dmp

Filesize
1.3MB

Download
memory/1856-81-0x0000000007280000-0x00000000073A2000-memory.dmp

Filesize
1.1MB

Download
memory/1856-82-0x0000000000B00000-0x0000000000B1A000-memory.dmp

Filesize
104KB

Download
memory/1856-83-0x0000000006120000-0x000000000619A000-memory.dmp

Filesize
488KB

Download
memory/1856-84-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download
memory/1856-85-0x0000000071E00000-0x0000000072810000-memory.dmp

Filesize
10.1MB

Download
memory/1856-86-0x0000000071120000-0x00000000712B4000-memory.dmp

Filesize
1.6MB

Download
memory/1856-73-0x0000000072810000-0x0000000073B9F000-memory.dmp

Filesize
19.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads