eternity | 08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350

Analysis

max time kernel
110s
max time network
107s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18-11-2022 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
Size

2.9MB
MD5

a7a196d624419f968ec6d42380a87305
SHA1

3fd10817472a083f311357dec8da57c2faebdaaa
SHA256

08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350
SHA512

50e8e420672288875b84d681b966deda777157636948a21c111d2041de66e768f2e6fdcbd88077a45d47b299c9f4e1c61b40e29e2bbda4fc911b945a2cb5c57b
SSDEEP

49152:wKr5kr23HrjKjF6eKWubuKjiH3bVgGIR50nlUnd0MSw4ZmUtn3YFs:r02bGjF6vb9jqbdI3EUdPMh3Y

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://193.218.201.246/web1.msi,http://193.218.201.246/web2.exe,http://193.218.201.246/web3.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 2 IoCs

Processes:

ngentask.exengentask.exe

pid process

4732 ngentask.exe
1200 ngentask.exe

pid	process
4732	ngentask.exe
1200	ngentask.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe

description	pid	process	target process
PID 2760 set thread context of 4900	2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe	ngentask.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4204 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4296 PING.EXE

pid	process
4204	schtasks.exe

pid	process
4296	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe

pid	process
2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exengentask.execmd.exe

description	pid	process	target process
PID 2760 wrote to memory of 4900	2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe	ngentask.exe
PID 2760 wrote to memory of 4900	2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe	ngentask.exe
PID 2760 wrote to memory of 4900	2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe	ngentask.exe
PID 2760 wrote to memory of 4900	2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe	ngentask.exe
PID 2760 wrote to memory of 4900	2760	08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe	ngentask.exe
PID 4900 wrote to memory of 3556	4900	ngentask.exe	cmd.exe
PID 4900 wrote to memory of 3556	4900	ngentask.exe	cmd.exe
PID 4900 wrote to memory of 3556	4900	ngentask.exe	cmd.exe
PID 3556 wrote to memory of 4200	3556	cmd.exe	chcp.com
PID 3556 wrote to memory of 4200	3556	cmd.exe	chcp.com
PID 3556 wrote to memory of 4200	3556	cmd.exe	chcp.com
PID 3556 wrote to memory of 4296	3556	cmd.exe	PING.EXE
PID 3556 wrote to memory of 4296	3556	cmd.exe	PING.EXE
PID 3556 wrote to memory of 4296	3556	cmd.exe	PING.EXE
PID 3556 wrote to memory of 4204	3556	cmd.exe	schtasks.exe
PID 3556 wrote to memory of 4204	3556	cmd.exe	schtasks.exe
PID 3556 wrote to memory of 4204	3556	cmd.exe	schtasks.exe
PID 3556 wrote to memory of 4732	3556	cmd.exe	ngentask.exe
PID 3556 wrote to memory of 4732	3556	cmd.exe	ngentask.exe
PID 3556 wrote to memory of 4732	3556	cmd.exe	ngentask.exe

C:\Users\Admin\AppData\Local\Temp\08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe
"C:\Users\Admin\AppData\Local\Temp\08d8781a718df136b5383c168f764918af71852841fb807f82781cbdfea1e350.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4200

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:4296

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4204

C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
"C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"
4⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
1⤵
- Executes dropped EXE
PID:1200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ngentask.exe.log
Filesize
321B

MD5
076d7c48064de4effadfe36d1857322d

SHA1
273f4d3f67c4ec0a637317ce2a536e52cc1c2090

SHA256
7cdcfb48cb249895caa7d3b5ce9ad53c7185d426f0f5669fe79bc5e047ff29ed

SHA512
e540c14a5093a1607dd47b0cdf96e21957d1b70aae24dcd99cdb3e3292451222760e8106b1e6e6091928b9998a6d307709e39081565a5e49d85c64e03bc55abf

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
Filesize
83KB

MD5
2b1b8bfedc62990b2aaad45c69d3ac15

SHA1
a18680596b4cefacab15429a3ebe7c863b35621c

SHA256
b228e6b850401f800e47d99f1633f97f3918f8706465fd289f68f79bcb6055f8

SHA512
010336212ffd6d87e821b9f9297dcccf7bf8ab633988909e0177384ab54890b73ae29a207945668ee3c34df3f1d1b0341347cd02df00baf5e312766dbc75f45f

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
Filesize
83KB

MD5
2b1b8bfedc62990b2aaad45c69d3ac15

SHA1
a18680596b4cefacab15429a3ebe7c863b35621c

SHA256
b228e6b850401f800e47d99f1633f97f3918f8706465fd289f68f79bcb6055f8

SHA512
010336212ffd6d87e821b9f9297dcccf7bf8ab633988909e0177384ab54890b73ae29a207945668ee3c34df3f1d1b0341347cd02df00baf5e312766dbc75f45f

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
Filesize
83KB

MD5
2b1b8bfedc62990b2aaad45c69d3ac15

SHA1
a18680596b4cefacab15429a3ebe7c863b35621c

SHA256
b228e6b850401f800e47d99f1633f97f3918f8706465fd289f68f79bcb6055f8

SHA512
010336212ffd6d87e821b9f9297dcccf7bf8ab633988909e0177384ab54890b73ae29a207945668ee3c34df3f1d1b0341347cd02df00baf5e312766dbc75f45f

Download Submit
memory/2760-160-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-205-0x0000000003700000-0x00000000039BE000-memory.dmp

Filesize
2.7MB

Download
memory/2760-124-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-125-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-126-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-127-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-128-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-129-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-130-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-131-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-132-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-133-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-134-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-136-0x0000000002610000-0x00000000033BB000-memory.dmp

Filesize
13.7MB

Download
memory/2760-137-0x0000000002610000-0x00000000033BB000-memory.dmp

Filesize
13.7MB

Download
memory/2760-139-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-140-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-141-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-142-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-143-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-144-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-146-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-145-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-147-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-148-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-149-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-150-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-151-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-153-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-162-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-154-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-155-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-156-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-157-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-164-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-159-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-122-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-161-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-152-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-123-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-158-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-165-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-166-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-167-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-168-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-169-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-170-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-171-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-172-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-173-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-174-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-175-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-176-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-178-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-179-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-177-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-181-0x0000000003700000-0x00000000039BE000-memory.dmp

Filesize
2.7MB

Download
memory/2760-180-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-182-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-183-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-184-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-185-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-186-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-187-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-188-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-204-0x000000000F940000-0x0000000010C80000-memory.dmp

Filesize
19.2MB

Download
memory/2760-163-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-206-0x000000000F940000-0x0000000010C80000-memory.dmp

Filesize
19.2MB

Download
memory/2760-120-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-121-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3556-281-0x0000000000000000-mapping.dmp

Download
memory/4200-288-0x0000000000000000-mapping.dmp

Download
memory/4204-318-0x0000000000000000-mapping.dmp

Download
memory/4296-296-0x0000000000000000-mapping.dmp

Download
memory/4732-338-0x0000000000000000-mapping.dmp

Download
memory/4732-373-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/4900-255-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4900-262-0x0000000005BE0000-0x00000000060DE000-memory.dmp

Filesize
5.0MB

Download