eternity | df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

General

Target

Worm.exe
Size

1.3MB
MD5

d16f7b6510caf611ce85f0488ae0a65d
SHA1

e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d
SHA256

df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf
SHA512

7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53
SSDEEP

24576:fgEdnkH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:fgEuHZ5MMpoJOp+MIVai7Tq24GjdGS

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Attributes

payload_urls
http://140.82.34.147/Client.exe
http://140.82.34.147/Client.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Worm.exeWorm.exeWorm.exe

pid process

916 Worm.exe
1504 Worm.exe
568 Worm.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1472 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1472 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1232 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

940 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Worm.exe

description pid process

Token: SeDebugPrivilege 916 Worm.exe

pid	process
916	Worm.exe
1504	Worm.exe
568	Worm.exe

pid	process
1472	cmd.exe

pid	process
1472	cmd.exe

pid	process
1232	schtasks.exe

pid	process
940	PING.EXE

description	pid	process
Token: SeDebugPrivilege	916	Worm.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Worm.execmd.exetaskeng.exe

description	pid	process	target process
PID 1944 wrote to memory of 1472	1944	Worm.exe	cmd.exe
PID 1944 wrote to memory of 1472	1944	Worm.exe	cmd.exe
PID 1944 wrote to memory of 1472	1944	Worm.exe	cmd.exe
PID 1944 wrote to memory of 1472	1944	Worm.exe	cmd.exe
PID 1472 wrote to memory of 1064	1472	cmd.exe	chcp.com
PID 1472 wrote to memory of 1064	1472	cmd.exe	chcp.com
PID 1472 wrote to memory of 1064	1472	cmd.exe	chcp.com
PID 1472 wrote to memory of 1064	1472	cmd.exe	chcp.com
PID 1472 wrote to memory of 940	1472	cmd.exe	PING.EXE
PID 1472 wrote to memory of 940	1472	cmd.exe	PING.EXE
PID 1472 wrote to memory of 940	1472	cmd.exe	PING.EXE
PID 1472 wrote to memory of 940	1472	cmd.exe	PING.EXE
PID 1472 wrote to memory of 1232	1472	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 1232	1472	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 1232	1472	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 1232	1472	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 916	1472	cmd.exe	Worm.exe
PID 1472 wrote to memory of 916	1472	cmd.exe	Worm.exe
PID 1472 wrote to memory of 916	1472	cmd.exe	Worm.exe
PID 1472 wrote to memory of 916	1472	cmd.exe	Worm.exe
PID 2004 wrote to memory of 1504	2004	taskeng.exe	Worm.exe
PID 2004 wrote to memory of 1504	2004	taskeng.exe	Worm.exe
PID 2004 wrote to memory of 1504	2004	taskeng.exe	Worm.exe
PID 2004 wrote to memory of 1504	2004	taskeng.exe	Worm.exe
PID 2004 wrote to memory of 568	2004	taskeng.exe	Worm.exe
PID 2004 wrote to memory of 568	2004	taskeng.exe	Worm.exe
PID 2004 wrote to memory of 568	2004	taskeng.exe	Worm.exe
PID 2004 wrote to memory of 568	2004	taskeng.exe	Worm.exe

C:\Users\Admin\AppData\Local\Temp\Worm.exe
"C:\Users\Admin\AppData\Local\Temp\Worm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Worm" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Worm.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe"
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1064

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:940

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Worm" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1232

C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
"C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\taskeng.exe
taskeng.exe {A5709E92-DE72-41C2-948F-53A06096F875} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
2⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
2⤵
- Executes dropped EXE
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
Filesize
1.3MB

MD5
d16f7b6510caf611ce85f0488ae0a65d

SHA1
e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d

SHA256
df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

SHA512
7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
Filesize
1.3MB

MD5
d16f7b6510caf611ce85f0488ae0a65d

SHA1
e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d

SHA256
df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

SHA512
7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
Filesize
1.3MB

MD5
d16f7b6510caf611ce85f0488ae0a65d

SHA1
e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d

SHA256
df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

SHA512
7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
Filesize
1.3MB

MD5
d16f7b6510caf611ce85f0488ae0a65d

SHA1
e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d

SHA256
df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

SHA512
7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53

Download Submit
\Users\Admin\AppData\Local\ServiceHub\Worm.exe
Filesize
1.3MB

MD5
d16f7b6510caf611ce85f0488ae0a65d

SHA1
e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d

SHA256
df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

SHA512
7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53

Download Submit
memory/568-76-0x00000000012F0000-0x0000000001442000-memory.dmp

Filesize
1.3MB

Download
memory/568-74-0x0000000000000000-mapping.dmp

Download
memory/916-64-0x0000000000B40000-0x0000000000C92000-memory.dmp

Filesize
1.3MB

Download
memory/916-69-0x0000000005940000-0x00000000059BA000-memory.dmp

Filesize
488KB

Download
memory/916-62-0x0000000000000000-mapping.dmp

Download
memory/916-68-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/916-66-0x0000000005D20000-0x0000000005E6A000-memory.dmp

Filesize
1.3MB

Download
memory/916-67-0x0000000005E70000-0x0000000005F92000-memory.dmp

Filesize
1.1MB

Download
memory/940-58-0x0000000000000000-mapping.dmp

Download
memory/1064-57-0x0000000000000000-mapping.dmp

Download
memory/1232-59-0x0000000000000000-mapping.dmp

Download
memory/1472-56-0x0000000000000000-mapping.dmp

Download
memory/1504-70-0x0000000000000000-mapping.dmp

Download
memory/1504-72-0x00000000012F0000-0x0000000001442000-memory.dmp

Filesize
1.3MB

Download
memory/1944-54-0x0000000001250000-0x00000000013A2000-memory.dmp

Filesize
1.3MB

Download
memory/1944-55-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads