eternity | 8102f6139e928e1e844e7625f41bfa2b65f6ba05e95c43f1ecb329d72a91592b

General

Target

Worm (1).exe
Size

1.3MB
MD5

4a9ffb6962544b4dd55ce6ff568810b7
SHA1

a04a58215250d0bbe79fd946e6f5a73e8be27133
SHA256

8102f6139e928e1e844e7625f41bfa2b65f6ba05e95c43f1ecb329d72a91592b
SHA512

5b7e84b8a49200960a5312a373ef6245c2d997b5e3b9a761cb15a83ffe2edf9dc860c1bcd7ebb9eb7cd774c6f1364d505016446f713acfdfb682bb01c148053b
SSDEEP

24576:mckH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:mBHZ5MMpoJOp+MIVai7Tq24GjdGS

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
https://raroford3242.xyz/myupdate.exe
https://raroford3242.xyz/Sklmsstregens.vbs, https://raroford3242.xyz/remcexecrypt.exe, https://raroford3242.xyz/redlcryp.exe, https://raroford3242.xyz/racoocry.exe
https://raroford3242.xyz/myupdate.exe
https://raroford3242.xyz/myupdate.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

remcexecrypt.exe

pid process

5112 remcexecrypt.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Worm (1).exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Worm (1).exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

Worm (1).exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings Worm (1).exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Worm (1).exe

description pid process

Token: SeDebugPrivilege 3904 Worm (1).exe

pid	process
5112	remcexecrypt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Worm (1).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	Worm (1).exe

description	pid	process
Token: SeDebugPrivilege	3904	Worm (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Worm (1).exe

description	pid	process	target process
PID 3904 wrote to memory of 4980	3904	Worm (1).exe	WScript.exe
PID 3904 wrote to memory of 4980	3904	Worm (1).exe	WScript.exe
PID 3904 wrote to memory of 4980	3904	Worm (1).exe	WScript.exe
PID 3904 wrote to memory of 5112	3904	Worm (1).exe	remcexecrypt.exe
PID 3904 wrote to memory of 5112	3904	Worm (1).exe	remcexecrypt.exe
PID 3904 wrote to memory of 5112	3904	Worm (1).exe	remcexecrypt.exe

C:\Users\Admin\AppData\Local\Temp\Worm (1).exe
"C:\Users\Admin\AppData\Local\Temp\Worm (1).exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sklmsstregens.vbs"
2⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\remcexecrypt.exe
"C:\Users\Admin\AppData\Local\Temp\remcexecrypt.exe"
2⤵
- Executes dropped EXE
PID:5112

C:\Users\Admin\AppData\Local\Temp\redlcryp.exe
"C:\Users\Admin\AppData\Local\Temp\redlcryp.exe"
2⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\racoocry.exe
"C:\Users\Admin\AppData\Local\Temp\racoocry.exe"
2⤵
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sklmsstregens.vbs
Filesize
939KB

MD5
162aacbbce61a373c09f874f5b093227

SHA1
341f33fb5dd79976b53a49dafc3cbcc3d509240d

SHA256
4d1c7c5b60c2dc51f6d7d3b57546e9862c42831c6c150256a5048a7597cb7d97

SHA512
755db0c2391990a74e6dc73429f96b17d6b8ffc2bd2e1ca903c843f03de77df788b21c87aed9ad932e1e65f705afea58fd14ddcf1e53b4b47d5d9b889a68c86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\redlcryp.exe
Filesize
472KB

MD5
4f784fd650c865f8363b7f314c20f4be

SHA1
b1f016318068a4c59960254ca7560cfba550cd5c

SHA256
74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64

SHA512
c5abcd28932273def39c57210ef266b7a83898d9c02e3597c9d5a62e193acdafd0efce983c8ace838982110451276c63a3267d9569e08f6855da3d75b2acaec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\redlcryp.exe
Filesize
472KB

MD5
4f784fd650c865f8363b7f314c20f4be

SHA1
b1f016318068a4c59960254ca7560cfba550cd5c

SHA256
74ae0102c4050421d0c81c0e96627b39f2004e2456845a43cdf6280c06f4ee64

SHA512
c5abcd28932273def39c57210ef266b7a83898d9c02e3597c9d5a62e193acdafd0efce983c8ace838982110451276c63a3267d9569e08f6855da3d75b2acaec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcexecrypt.exe
Filesize
578KB

MD5
48262644cae3de40096fe55766e34c61

SHA1
e577f7353f432f90f79f21bbc1fc1530815d1533

SHA256
6f6eb43adad7c1719aa85c3970b26b3d58e103ea4a830e7461be68fe22ee467b

SHA512
ab3e8baa47e81a2ed18b7d4af72ee539cf708db588a0d6186c5790681caa783d8cf9d4a18d4208c575efd5fa8115bc9fbf3414efebb8df205b33cb10d3ca1a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcexecrypt.exe
Filesize
578KB

MD5
48262644cae3de40096fe55766e34c61

SHA1
e577f7353f432f90f79f21bbc1fc1530815d1533

SHA256
6f6eb43adad7c1719aa85c3970b26b3d58e103ea4a830e7461be68fe22ee467b

SHA512
ab3e8baa47e81a2ed18b7d4af72ee539cf708db588a0d6186c5790681caa783d8cf9d4a18d4208c575efd5fa8115bc9fbf3414efebb8df205b33cb10d3ca1a17

Download Submit
memory/636-139-0x0000000000000000-mapping.dmp

Download
memory/3904-132-0x0000000000580000-0x00000000006D2000-memory.dmp

Filesize
1.3MB

Download
memory/3904-133-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/4980-134-0x0000000000000000-mapping.dmp

Download
memory/5112-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing