eternity | 3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda

General

Target

3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe
Size

341KB
MD5

2009eaf75113479d47800afa0912bc86
SHA1

21b702e6c52961658b76c9ae2a0446763b655fe7
SHA256

3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda
SHA512

457081954a6705f1d3d934c648219f0ea16e3dd2c7af4d843c00dad132491631e6aeb7439693c88060dda9e9143b4f9141dce8aee1a0e65bff97de991ae4017b
SSDEEP

6144:ia4VhHCa1jUcLLz60VJarxFGVKbSxps19TUtTvEXcIROt3l2+C0O9:i9VhjnzBbpsQTOOyP0

Score

10^/10

eternity collection spyware stealer

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 1 IoCs

Processes:

dead.exe

pid process

3536 dead.exe

pid	process
3536	dead.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

dead.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dead.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dead.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dead.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
12	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dead.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	dead.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dead.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

dead.exe

pid process

3536 dead.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dead.exe

description pid process

Token: SeDebugPrivilege 3536 dead.exe

pid	process
3536	dead.exe

description	pid	process
Token: SeDebugPrivilege	3536	dead.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exedead.execmd.execmd.exe

description	pid	process	target process
PID 2808 wrote to memory of 3536	2808	3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe	dead.exe
PID 2808 wrote to memory of 3536	2808	3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe	dead.exe
PID 3536 wrote to memory of 3500	3536	dead.exe	cmd.exe
PID 3536 wrote to memory of 3500	3536	dead.exe	cmd.exe
PID 3500 wrote to memory of 236	3500	cmd.exe	chcp.com
PID 3500 wrote to memory of 236	3500	cmd.exe	chcp.com
PID 3500 wrote to memory of 4008	3500	cmd.exe	netsh.exe
PID 3500 wrote to memory of 4008	3500	cmd.exe	netsh.exe
PID 3500 wrote to memory of 4492	3500	cmd.exe	findstr.exe
PID 3500 wrote to memory of 4492	3500	cmd.exe	findstr.exe
PID 3536 wrote to memory of 2100	3536	dead.exe	cmd.exe
PID 3536 wrote to memory of 2100	3536	dead.exe	cmd.exe
PID 2100 wrote to memory of 4352	2100	cmd.exe	chcp.com
PID 2100 wrote to memory of 4352	2100	cmd.exe	chcp.com
PID 2100 wrote to memory of 4196	2100	cmd.exe	netsh.exe
PID 2100 wrote to memory of 4196	2100	cmd.exe	netsh.exe
PID 2100 wrote to memory of 3588	2100	cmd.exe	findstr.exe
PID 2100 wrote to memory of 3588	2100	cmd.exe	findstr.exe

outlook_office_path 1 IoCs

Processes:

dead.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dead.exe

outlook_win_path 1 IoCs

Processes:

dead.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dead.exe

C:\Users\Admin\AppData\Local\Temp\3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe
"C:\Users\Admin\AppData\Local\Temp\3a07fecfc2d41835f93f3891ce90807895129d27487b40d00b28290753277cda.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Temp\dead.exe
"C:\Users\Admin\AppData\Local\Temp\dead.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3536

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:236

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:4008

C:\Windows\system32\findstr.exe
findstr All
4⤵
PID:4492

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
3⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4352

C:\Windows\system32\netsh.exe
netsh wlan show profile name="65001" key=clear
4⤵
PID:4196

C:\Windows\system32\findstr.exe
findstr Key
4⤵
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dead.exe
Filesize
334KB

MD5
2d47c689ac25b293acccdb4334148d17

SHA1
8f5800cc1529be5cd153e3dd87a93e598dc9e081

SHA256
2a926306d0dc0f78f4eb24304be2e680f3af4a766f84c781354f29aa2adc70cd

SHA512
1a66302aacf06f62b8481ce729e507cc21cb966d24a351aa45740812f44d5fa5a9516df6b65102a3f597a267983fe8d38b43c641cf931b13189e4fb9ea274ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dead.exe
Filesize
334KB

MD5
2d47c689ac25b293acccdb4334148d17

SHA1
8f5800cc1529be5cd153e3dd87a93e598dc9e081

SHA256
2a926306d0dc0f78f4eb24304be2e680f3af4a766f84c781354f29aa2adc70cd

SHA512
1a66302aacf06f62b8481ce729e507cc21cb966d24a351aa45740812f44d5fa5a9516df6b65102a3f597a267983fe8d38b43c641cf931b13189e4fb9ea274ba3

Download Submit
memory/236-141-0x0000000000000000-mapping.dmp

Download
memory/2100-144-0x0000000000000000-mapping.dmp

Download
memory/2808-132-0x00000000007D0000-0x000000000082C000-memory.dmp

Filesize
368KB

Download
memory/2808-137-0x00007FFD33890000-0x00007FFD34351000-memory.dmp

Filesize
10.8MB

Download
memory/3500-139-0x0000000000000000-mapping.dmp

Download
memory/3536-136-0x000001FF1F500000-0x000001FF1F55A000-memory.dmp

Filesize
360KB

Download
memory/3536-140-0x000001FF3AC90000-0x000001FF3ACE0000-memory.dmp

Filesize
320KB

Download
memory/3536-138-0x00007FFD33890000-0x00007FFD34351000-memory.dmp

Filesize
10.8MB

Download
memory/3536-133-0x0000000000000000-mapping.dmp

Download
memory/3536-148-0x00007FFD33890000-0x00007FFD34351000-memory.dmp

Filesize
10.8MB

Download
memory/3536-149-0x00007FFD33890000-0x00007FFD34351000-memory.dmp

Filesize
10.8MB

Download
memory/3588-147-0x0000000000000000-mapping.dmp

Download
memory/4008-142-0x0000000000000000-mapping.dmp

Download
memory/4196-146-0x0000000000000000-mapping.dmp

Download
memory/4352-145-0x0000000000000000-mapping.dmp

Download
memory/4492-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads