eternity | 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7

General

Target

2f8df206ba700503dbebf59e937af0ec.exe
Size

1.1MB
MD5

2f8df206ba700503dbebf59e937af0ec
SHA1

7c36d57af94f2dd16a62c09356b4ef2c63e456fd
SHA256

6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7
SHA512

6fbb58b3e3046498c64ad659db07ecd28357c54d65d2f1cf00220ce1bbd4fa4693dbe2c0df607a801f5cf6757bd5327735448c3babecb997ec85e88049275a59
SSDEEP

24576:+JqzI2HEUvWMJsbHsoO0YTyllU3OWuA5aRn:+JrbG70Y4WFZ8Rn

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

Wallets

4BCCzZcSyS7L1229mxLRArhp2HPKwpBmHGDnZKnWFds856vvQcRiDSsLZWH2CjW6xigC3NSGE5Qq2gfixNyMMVc723mjiPs

Attributes

payload_urls
http://193.218.201.246/xmrig.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 3 IoCs

Processes:

ngentask.exengentask.exengentask.exe

pid process

4008 ngentask.exe
4544 ngentask.exe
4664 ngentask.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2f8df206ba700503dbebf59e937af0ec.exe

description pid process target process

PID 4844 set thread context of 1900 4844 2f8df206ba700503dbebf59e937af0ec.exe ngentask.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3136 schtasks.exe

pid	process
4008	ngentask.exe
4544	ngentask.exe
4664	ngentask.exe

description	pid	process	target process
PID 4844 set thread context of 1900	4844	2f8df206ba700503dbebf59e937af0ec.exe	ngentask.exe

pid	process
3136	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2f8df206ba700503dbebf59e937af0ec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB	2f8df206ba700503dbebf59e937af0ec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 5c0000000100000004000000001000000b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	2f8df206ba700503dbebf59e937af0ec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4308 PING.EXE

pid	process
4308	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2f8df206ba700503dbebf59e937af0ec.exe

pid	process
4844	2f8df206ba700503dbebf59e937af0ec.exe
4844	2f8df206ba700503dbebf59e937af0ec.exe
4844	2f8df206ba700503dbebf59e937af0ec.exe
4844	2f8df206ba700503dbebf59e937af0ec.exe
4844	2f8df206ba700503dbebf59e937af0ec.exe
4844	2f8df206ba700503dbebf59e937af0ec.exe
4844	2f8df206ba700503dbebf59e937af0ec.exe
4844	2f8df206ba700503dbebf59e937af0ec.exe
4844	2f8df206ba700503dbebf59e937af0ec.exe
4844	2f8df206ba700503dbebf59e937af0ec.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2f8df206ba700503dbebf59e937af0ec.exengentask.execmd.exe

description	pid	process	target process
PID 4844 wrote to memory of 1900	4844	2f8df206ba700503dbebf59e937af0ec.exe	ngentask.exe
PID 4844 wrote to memory of 1900	4844	2f8df206ba700503dbebf59e937af0ec.exe	ngentask.exe
PID 4844 wrote to memory of 1900	4844	2f8df206ba700503dbebf59e937af0ec.exe	ngentask.exe
PID 4844 wrote to memory of 1900	4844	2f8df206ba700503dbebf59e937af0ec.exe	ngentask.exe
PID 4844 wrote to memory of 1900	4844	2f8df206ba700503dbebf59e937af0ec.exe	ngentask.exe
PID 1900 wrote to memory of 3644	1900	ngentask.exe	cmd.exe
PID 1900 wrote to memory of 3644	1900	ngentask.exe	cmd.exe
PID 1900 wrote to memory of 3644	1900	ngentask.exe	cmd.exe
PID 3644 wrote to memory of 4488	3644	cmd.exe	chcp.com
PID 3644 wrote to memory of 4488	3644	cmd.exe	chcp.com
PID 3644 wrote to memory of 4488	3644	cmd.exe	chcp.com
PID 3644 wrote to memory of 4308	3644	cmd.exe	PING.EXE
PID 3644 wrote to memory of 4308	3644	cmd.exe	PING.EXE
PID 3644 wrote to memory of 4308	3644	cmd.exe	PING.EXE
PID 3644 wrote to memory of 3136	3644	cmd.exe	schtasks.exe
PID 3644 wrote to memory of 3136	3644	cmd.exe	schtasks.exe
PID 3644 wrote to memory of 3136	3644	cmd.exe	schtasks.exe
PID 3644 wrote to memory of 4008	3644	cmd.exe	ngentask.exe
PID 3644 wrote to memory of 4008	3644	cmd.exe	ngentask.exe
PID 3644 wrote to memory of 4008	3644	cmd.exe	ngentask.exe

C:\Users\Admin\AppData\Local\Temp\2f8df206ba700503dbebf59e937af0ec.exe
"C:\Users\Admin\AppData\Local\Temp\2f8df206ba700503dbebf59e937af0ec.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4488

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:4308

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:3136

C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
"C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe"
4⤵
- Executes dropped EXE
PID:4008

C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
1⤵
- Executes dropped EXE
PID:4664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ngentask.exe.log
Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
Filesize
85KB

MD5
c6ce045ca7809169a017f73d45c21462

SHA1
7d2504133d8235e91c2e98355c4f223cdf500d4d

SHA256
41019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6

SHA512
cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
Filesize
85KB

MD5
c6ce045ca7809169a017f73d45c21462

SHA1
7d2504133d8235e91c2e98355c4f223cdf500d4d

SHA256
41019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6

SHA512
cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
Filesize
85KB

MD5
c6ce045ca7809169a017f73d45c21462

SHA1
7d2504133d8235e91c2e98355c4f223cdf500d4d

SHA256
41019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6

SHA512
cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ngentask.exe
Filesize
85KB

MD5
c6ce045ca7809169a017f73d45c21462

SHA1
7d2504133d8235e91c2e98355c4f223cdf500d4d

SHA256
41019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6

SHA512
cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205

Download Submit
memory/1900-135-0x0000000000000000-mapping.dmp

Download
memory/1900-136-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1900-138-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1900-139-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/3136-144-0x0000000000000000-mapping.dmp

Download
memory/3644-140-0x0000000000000000-mapping.dmp

Download
memory/4008-145-0x0000000000000000-mapping.dmp

Download
memory/4008-149-0x0000000000820000-0x0000000000838000-memory.dmp

Filesize
96KB

Download
memory/4308-142-0x0000000000000000-mapping.dmp

Download
memory/4488-141-0x0000000000000000-mapping.dmp

Download
memory/4844-132-0x0000000002456000-0x00000000028C2000-memory.dmp

Filesize
4.4MB

Download
memory/4844-143-0x0000000002283000-0x0000000002361000-memory.dmp

Filesize
888KB

Download
memory/4844-134-0x000000000FBF0000-0x000000000FC59000-memory.dmp

Filesize
420KB

Download
memory/4844-133-0x0000000002283000-0x0000000002361000-memory.dmp

Filesize
888KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads